Qilin was the top ransomware group for the third time in four months – but INC and other rivals aren’t standing still.
Qilin was again the most active ransomware group in July, the third time in four months since the decline of RansomHub, as the group has claimed more victims on its data leak site (DLS) than rivals.
With 73 claimed victims (chart below), Qilin accounted for 17% of July’s 423 victims. INC Ransom was second with 59, driven by attacks on critical infrastructure and a surge in victim disclosures.
The U.S. was by far the most attacked country once again, with 223 victims, eight times as many as second-place Canada (chart below).
July’s totals marked the third consecutive monthly increase in ransomware victims, following a three-month downtrend that began after February saw a record 854 attacks (chart below). 2025’s lowest point (402 attacks in May) remains well above the low points of 2023 (161 in January 2023) and 2024 (243 in January 2024), suggesting that the long-term uptrend remains intact despite claimed victims being half of February’s record, which was driven by a high number of CL0P and RansomHub victims.
Cyble researchers noted 25 possible critical infrastructure ransomware incidents in July, targeting sectors such as Government and Law Enforcement, Energy and Utilities, and Telecommunications. An additional 20 incidents were noted as involving possible supply chain impact because of application software provided to other sectors.
July also saw nearly 40 new ransomware variants and several new threat groups.
Ransomware Attacks by Industry and Global Region
Professional Services and Construction were overwhelmingly the top two sectors targeted by ransomware groups, accounting for more than one in four attacks, followed by Manufacturing, Healthcare, and IT (image below).
Europe was the second most attacked region after North America, with Italy, the UK, Germany, France, and Spain accounting for the highest number of victims (chart below).
In the APAC region, Thailand, Japan, and Singapore each had six ransomware victims, followed by India and the Philippines (chart below).
In EMEA, Turkey and Saudi Arabia suffered the most attacks (chart below), while Australia remains the dominant target in the ANZ region with five attacks.
Weaponized Vulnerabilities
Seven vulnerabilities stood out for their possible exploitation in ransomware campaigns:
- CVE-2023-48788 (A SQL injection vulnerability in Fortinet FortiClientEMS version 7.2.0 through 7.2.2 and FortiClientEMS 7.0.1 through 7.0.10)
- CVE‑2019‑18935 (A Deserialization of Untrusted Data vulnerability in Progress Telerik UI for ASP.NET AJAX through 2019.3.1023)
- CVE‑2025‑5777 (A Citrix NetScaler ADC and Gateway Out-of-Bounds Read vulnerability)
Major Ransomware Incidents in July 2025
Ransomware groups once again were able to compromise many high-value targets in July, and several attacks had supply chain and national defense implications. Here are some of the more noteworthy incidents claimed by ransomware groups in July, with victim names redacted.
The SafePay ransomware group claimed responsibility for a cyberattack on a major U.S.-based global technology and supply chain services provider. The group alleged the theft of 3.5TB of data, and the resulting operational disruption impacted key systems, including distribution, licensing, transaction systems, and API infrastructure.
The Akira ransomware group claimed responsibility for breaching a U.S.-based defense contractor that provides mission-critical support and engineering services to federal agencies. The group stated that the stolen data includes corporate information, around 200 scans of passports and driver’s licenses, documents containing personal information, NDAs, and various contracts and agreements.
INC Ransom group claimed responsibility for cyberattacks targeting a U.S.-based company that develops building automation systems for critical infrastructure and commercial environments, a U.S.-based provider of advanced power transmission and distribution solutions, a Canadian firm specializing in underwater infrastructure inspections and maintenance for industries such as hydro, nuclear, oil & gas, utilities, and public infrastructure, and a Canadian-based managed service provider (MSP) offering IT and cybersecurity services.
The Warlock ransomware group leaked data allegedly stolen from an India-based manufacturing company. A preliminary review of the posted file tree suggests the exfiltrated data includes HR records, financial files, backup folders, and internal directories such as design software archives and employee data repositories.
The DevMan ransomware group claimed full domain administrator access to a government agency in Thailand. The threat actor deployed a Group Policy Object (GPO) from the domain controller to spread the ransomware payload throughout the environment, and also claimed to have compromised a backup domain controller running Windows Server 2008. DevMan rebranded itself as DevMan 2.0, launched a new data leak site (DLS), and named two Japanese technology companies as victims.
New Ransomware Groups and Variants
July was an active month for new ransomware groups, variants, and other developments.
BEAST Ransomware Group, which emerged as a Ransomware-as-a-Service (RaaS) group in February, has now launched a Tor-based data leak site claiming 16 victims across the United States, Europe, Asia, and Latin America. The posts contain different email IDs for victims to contact them, suggesting negotiations are handled by affiliates responsible for encrypting the victim’s network.
Emerging ransomware group D4RK4RMY launched a dark web leak site and claimed attacks on several organizations. The group also introduced a new RaaS model combining base salary with 50% ransom commissions, operating via a closed, invite-only structure with tiered membership levels. The group is also seeking collaborations with Initial Access Brokers.
Payouts King, a newly emerged threat group with a Tor-based data leak site, has listed 13 victims. Payouts King claims it doesn’t operate a RaaS model and doesn’t accept any affiliates.
Sinobi, a newly emerged threat group with a data leak site (DLS) on Tor, claimed a U.S.-based financial services company among its victims. The layout of Sinobi’s DLS closely resembles that of the Lynx ransomware group, with similar shame post language and similar writing style, suggesting a connection between the two. Lynx itself is believed to have emerged from INC Ransom.
AiLock ransomware, first observed in March 2025, operates under a Ransomware-as-a-Service (RaaS) model and appends the “.AiLock” extension to encrypted files. It employs a multithreaded encryption mechanism using I/O Completion Ports (IOCP), dividing tasks between path traversal and encryption threads to maximize performance. It uses a hybrid encryption scheme: ChaCha20 for file content and NTRUEncrypt for securing encryption metadata. AiLock also includes evasion tactics such as API obfuscation, dynamic loading, and selective encryption based on file size.
KaWaLocker ransomware, also known as KaWa4096, was identified in June and uses a hybrid encryption model combining ChaCha20 and Curve25519, appends a random 9‑character suffix to each filename, and drops a ransom note titled “!!Restore‑My‑file‑Kavva.txt” in compromised directories. Victims face both file encryption and threats of data exposure unless the ransom is paid. KaWaLocker also applies anti‑analysis tactics, including checks for debug or virtualized environments and deletion of Volume Shadow Copies via vssadmin or wmic, preventing system recovery through built-in backups.
A newly observed ransomware variant named DeadLock was detected in recent campaigns and classified under the encryption-only extortion model. Victims receive ransom notes but no data theft disclosures or leak threats, suggesting DeadLock solely encrypts systems and demands payment for decryption access.
A new ransomware variant called Crux has been observed in multiple incidents, characterized by file encryption with the .crux extension and ransom notes labeled crux_readme_[random].txt. The ransomware runs via svchost.exe, disables Windows recovery with bcdedit.exe, and proceeds to encrypt system files, suggesting an attempt to evade detection through living-off-the-land binaries. The threat appears linked to the BlackByte RaaS ecosystem, although formal attribution remains unconfirmed.
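The shadow-copy deletion attributed to KaWaLocker above and the bcdedit recovery tampering attributed to Crux are both instances of the same pre-encryption behaviour, and both leave a clear trace in process-creation telemetry. The following detection logic is an added example written for this post, not Cyble's code or any vendor rule. It assumes a simplified, constructed event format (timestamp | host | parent image | command line) standing in for real Sysmon or EDR process-creation records, classifies the recovery-inhibiting command lines the report names, and escalates when one parent process on one host exhibits two or more distinct techniques within a short window, which is the pattern a ransomware dropper produces and a lone administrator rarely does.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample process-creation events (not from the Cyble report).
# Fields: timestamp | host | parent image | command line
SAMPLE_EVENTS = [
    r'2025-07-14T02:11:05Z|WS-101|C:\Windows\explorer.exe|"C:\Program Files\App\app.exe" --update',
    r'2025-07-14T02:13:40Z|WS-101|C:\Users\Public\dropper.exe|vssadmin.exe delete shadows /all /quiet',
    r'2025-07-14T02:13:41Z|WS-101|C:\Users\Public\dropper.exe|wmic shadowcopy delete',
    r'2025-07-14T02:13:42Z|WS-101|C:\Users\Public\dropper.exe|bcdedit.exe /set {default} recoveryenabled no',
    r'2025-07-14T02:13:43Z|WS-101|C:\Users\Public\dropper.exe|bcdedit /set {default} bootstatuspolicy ignoreallfailures',
    # Benign: an admin listing shadow copies, not deleting them
    r'2025-07-14T09:00:00Z|SRV-BKP|C:\Windows\System32\cmd.exe|vssadmin.exe list shadows',
]


@dataclass
class Event:
    ts: datetime
    host: str
    parent: str
    cmdline: str


@dataclass
class Alert:
    host: str
    parent: str
    techniques: list   # distinct recovery-inhibition behaviours observed
    commands: list     # the offending command lines, in time order
    severity: str      # "high" when >=2 techniques cluster in the window


def parse_event(line: str) -> Event:
    ts, host, parent, cmd = line.split("|", 3)
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, parent, cmd)


def tokens(cmdline: str) -> list:
    # Keep quoted paths as one token, drop the quotes, lowercase for matching
    return [t.strip('"').lower() for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def image_name(token: str) -> str:
    # Reduce "C:\Windows\System32\vssadmin.exe" or "vssadmin" to "vssadmin"
    name = token.replace("/", "\\").rsplit("\\", 1)[-1]
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline: str):
    """Label a command line that inhibits system recovery (ATT&CK T1490), else None."""
    t = tokens(cmdline)
    if not t:
        return None
    exe, args = image_name(t[0]), t[1:]
    if exe == "vssadmin" and "delete" in args and "shadows" in args:
        return "vssadmin_delete_shadows"
    if exe == "wmic" and "shadowcopy" in args and "delete" in args:
        return "wmic_shadowcopy_delete"
    if exe == "bcdedit" and "/set" in args:
        pairs = set(zip(args, args[1:]))   # adjacent (option, value) pairs
        if ("recoveryenabled", "no") in pairs:
            return "bcdedit_recovery_disabled"
        if ("bootstatuspolicy", "ignoreallfailures") in pairs:
            return "bcdedit_ignore_boot_failures"
    return None


def detect(lines, window=timedelta(minutes=5)):
    """Group hits by (host, parent); escalate when distinct techniques cluster in time."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        label = classify(ev.cmdline)
        if label:
            hits[(ev.host, ev.parent)].append((ev, label))
    alerts = []
    for (host, parent), items in hits.items():
        items.sort(key=lambda x: x[0].ts)
        techs = sorted({label for _, label in items})
        span = items[-1][0].ts - items[0][0].ts
        severity = "high" if len(techs) >= 2 and span <= window else "medium"
        alerts.append(Alert(host, parent, techs, [e.cmdline for e, _ in items], severity))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.host} parent={a.parent} techniques={a.techniques}")
```

Matching on the parsed image name rather than on a raw substring avoids both false negatives from full paths or mixed case and false positives such as the `vssadmin list shadows` line, which a backup operator legitimately runs. Correlating on the parent image is the part worth carrying into a real rule: a single shadow-copy deletion has benign explanations, but four distinct recovery-inhibiting commands from one unsigned binary in user-writable space within seconds is the signature of a payload about to encrypt.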
The Gunra ransomware group has extended its toolkit with a newly observed Linux variant, marking its evolution into cross-platform operations. This version supports up to 100 parallel encryption threads, configurable via runtime parameters, far exceeding typical limits in competing ransomware tools, and enables partial file encryption, allowing attackers to fine-tune how much of each file is encrypted. Armed with a hybrid ChaCha20 + RSA encryption mechanism, it optionally stores RSA-encrypted keys in separate keystore files instead of embedding them into encrypted payloads. Notably, the Linux build does not drop any ransom note, instead focusing solely on stealth and speed of encryption.
Conclusion
Ransomware groups have the finances and motivation to support ongoing research and development, so they can be counted on to keep evolving, and security teams must prepare for these evolving threats.
Developing cyber resilience is critical. Best practices include segmentation of critical assets, zero trust principles, immutable backups, hardened endpoints and infrastructure, a risk-based vulnerability management program, endpoint, network, and cloud monitoring, and a well-rehearsed incident response plan.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free external threat profile for your organization today.