The number of active ransomware groups has jumped 45 percent in the past year, according to a new report from GuidePoint Security’s GRIT team.
Covering Q2 2025, the report outlines how cybercriminals are regrouping, rebranding and using recycled tools to launch fresh attacks across industries.
“While law enforcement’s disruption of dominant groups like LockBit, AlphV and BreachForums has dealt significant blows to cybercriminal networks, the sharp year-over-year rise in active ransomware groups makes it clear that a significant threat remains,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security.
The GRIT team found that 71 ransomware groups were active in Q2 2025, up from 45 in the same quarter last year. That rise has not only increased the overall risk landscape, it has also changed how ransomware operates. Former affiliates are no longer just joining new gangs, many are now starting their own.
“Unfortunately, the quarterly slowdown in publicly reported ransomware incidents appears to stem from more temporary headwinds, such as seasonality, fragmentation and strategic regrouping within the RaaS ecosystem,” said Timothy. “As groups like Qilin, Akira and Play continue to gain ground, defenders must remain vigilant and prepare for what’s next.”
Qilin was the most active group in Q2 2025, with an 85 percent rise in observed activity. The group, like others in the Ransomware-as-a-Service space, depends on a network of affiliates who can distribute malware on its behalf. This structure makes it easier for attackers to bounce back quickly after law enforcement takedowns.
SEE ALSO: Companies take an average of four months to report a ransomware attack
Victim data in the report shows that 52 percent of affected organizations were based in the United States. Singapore came next at 23 percent, followed by Canada at 5 percent.
Manufacturing, technology and legal services were the most targeted sectors. For the first time since Q2 2022, the healthcare industry did not appear in the top five.
“We’re seeing a reshuffling within the ransomware ecosystem,” Timothy added. “Disruption of major RaaS players hasn’t reduced overall threat capacity so much as redistributed it. Affiliates are regrouping under existing or emerging banners, and many are standing up their own operations using recycled tools. As we head into the second half of the year, security teams should expect familiar tactics under new names.”
The report also tracks the rising activity of DragonForce, a RaaS group gaining attention for its pace of development, and includes coverage of Iranian cyber threat activity. It highlights continued law enforcement pressure on Lumma Stealer, an information-stealing malware used by many cybercriminals to gather credentials and sensitive data before ransomware deployment.
The data comes from publicly available sources, including ransomware leak sites and threat group channels. GRIT analysts supplement this with insights from ongoing threat monitoring.
Ransomware victims increasing
Ransomware victim numbers remain high overall, with a 43% increase year-over-year. Although there was a 23 percent dip in Q2 2025 compared to the previous quarter, GuidePoint believes this reflects shifting strategies rather than real progress.
The report emphasizes that these patterns are unlikely to hold steady. As attackers regroup and launch new campaigns, security teams should not assume that quieter periods mean lower risk. New groups are emerging, and old malware is being reused in unexpected ways.
You can download the full GRIT Q2 2025 Ransomware & Cyber Threat Report now.
What do you think about the rise in ransomware groups? Let us know in the comments.
Image credit: arrow123/depositphotos.com
