The number of active ransomware groups has been ‘increasing year-over-year and quarter-over-quarter,’ GuidePoint Security’s Jason Baker tells CRN.
Ransomware victim volume declined markedly in the second quarter of 2025 though the field of active threat groups continued to expand — suggesting the decrease in attacks may be short-lived, according to GuidePoint Security research.
The report released Thursday by Herndon, Va.-based GuidePoint Security shows that the number of observed victims — those claimed by cybercriminal group blogs and leak sites — fell 22.9 percent during the second quarter, compared to the first quarter of 2025.
That represents the largest quarter-over-quarter drop in attacks ever tracked by the GuidePoint Research and Intelligence Team (GRIT) — well above the 10 to 15 percent drop typically seen during the second quarter and start of the summer months.
Over time, though, the number of active ransomware groups tends to be the main driver of victim volume, GuidePoint noted in its report. And in that regard, the news is not as positive: The number of active ransomware groups has been “increasing year-over-year and quarter-over-quarter,” said Jason Baker, threat intelligence consultant at GuidePoint, No. 37 on CRN’s Solution Provider 500 for 2025.
During the second quarter of the year, the total number of active threat groups surged to 71, according to the GRIT report. That represented a 58-percent increase from the 45 active groups known during the same period a year earlier, and a rise from 69 during the first quarter.
While law enforcement efforts have undoubtedly introduced friction and increased costs for cybercrime actors, “it’s not the same as taking an entire player off the battlefield,” Baker said in an interview with CRN. “We’ve assessed that in some of these cases, we’re likely seeing splintering and new groups forming from that disruption — which would explain the uptick in new, distinct, named ransomware groups.”
One group that formed relatively recently — and has made its presence felt in recent weeks and months — is SafePay, which emerged in September 2024 and was initially claiming between three and 10 victims per month, according to Baker.
However, that has recently shot up to between 30 and 40 victims per month, with a total of 111 attacks claimed by SafePay during the second quarter. The attacks spanned 27 different industries, with 60 percent of the attacks targeting U.S. organizations, according to GuidePoint research.
The origins of the group are still unclear at this point, with no definitive evidence linking SafePay to once-prolific threat actors such as LockBit or Alphv/Blackcat.
Still, “anytime we see a group that’s been around for six months or less—and all of a sudden they’re netting 20, 30, 40 victims a month—that’s a big red flag for us that these are not new guys,” Baker said.
A BleepingComputer report indicated that SafePay was responsible for the ransomware attack against IT distribution giant Ingram Micro disclosed during the July 4 weekend, though the attack has not been claimed by the group itself.
Ingram Micro said Wednesday that it can once again process and ship orders received electronically across all of its business regions, ending a nearly week-long outage. The outage — which subsequently was acknowledged by Ingram Micro as the result of a ransomware attack — reportedly began July 3, according to BleepingComputer.
“Ingram Micro is pleased to report that we are now operational across all countries and regions where we transact business,” the distributor said in a statement posted online Wednesday.