New analysis from ReliaQuest of ransomware activity in the second quarter of 2025 claims that legacy operators like Cl0p and LockBit are losing momentum and newer ransomware-as-a-service (RaaS) groups are rising to prominence.
Based on victim data published to ransomware data-leak sites between April and June 2025, the report identifies key trends shaping the cyber extortion ecosystem — including the 31% drop in named victims compared to Q1, the surge in mass exploitation of critical vulnerabilities, and the aggressive tactics of groups like Qilin, Akira, and DragonForce.
Compiled from incident data, threat actor tactics, and sector-specific victimology, the report highlights how modern ransomware groups are scaling operations through automation and vulnerability exploitation — and what defenders must do to keep pace.

In a clear changing of the guard, Qilin overtook Cl0p to become the most active ransomware-as-a-service (RaaS) group of Q2. Qilin’s victim count surged 80% compared to Q1, largely driven by its exploitation of Fortinet vulnerabilities CVE-2024-55591 and CVE-2024-21762. Analysts believe Qilin leveraged automation to identify and breach large numbers of unpatched systems at scale. Though initially focused on Spanish-speaking regions, 80% of Qilin’s Q2 victims were US-based, showing a dramatic geographic expansion.
Akira also surged ahead with a 348% year-on-year increase in named victims. In Q2 alone, Akira listed more organisations than it did across all of 2024. Its campaign relied on exploiting SonicWall and Cisco VPN vulnerabilities (CVE-2024-40766, CVE-2023-20269), aligning with a broader trend: successful ransomware groups continue to rely on weaponising public CVEs for mass exploitation.
Meanwhile, Cl0p, once dominant, named just a handful of victims in Q2 after a major spree in February driven by Cleo-related CVEs. The group’s strategy of lying dormant until a new vulnerability emerges remains unchanged, according to the report.
DragonForce, which first appeared in December 2023, increased its activity by 119% in Q2. Its “cartel” RaaS model allows affiliates to run campaigns under their own brand while using DragonForce’s backend support. It has also aggressively targeted competitors, defacing the data-leak sites of rivals like Blacklock and RansomHub.
Vulnerabilities Continue to Drive Ransomware at Scale
While the number of victims dropped, the methodology remained consistent: mass exploitation of critical vulnerabilities. In Q2, ransomware groups continued to weaponise known CVEs to compromise organisations rapidly, often using automated scripts. Examples include:
- Qilin: CVE-2024-55591, CVE-2024-21762 (Fortinet)
- Akira: CVE-2024-40766 (SonicWall), CVE-2023-20269 (Cisco ASA/FTD)
- Cl0p: CVE-2024-50623 (Cleo), CVE-2023-34362 (MOVEit)
- RansomHub: CVE-2024-57726/27/28 (SimpleHelp), CVE-2023-27997 (FortiOS), CVE-2023-46604 (Apache OpenWire)
Unpatched systems remain the single largest enabler of ransomware. One month after a patch for CVE-2024-21762 was released, researchers still found over 150,000 vulnerable Fortinet devices exposed online.
These vulnerabilities also shorten the time available to defenders. On average, ransomware actors now achieve lateral movement within 48 minutes of gaining access. And with 69% of organisations experiencing attacks through unknown or unmanaged assets, the attack surface continues to outpace defensive coverage.
The sectors hit hardest in Q2 2025 were manufacturing and professional, scientific, and technical services (PSTS). Construction regained third place after a temporary spike in retail-related incidents driven by Cl0p’s earlier campaign.
Geographic and Strategic Shifts: US Remains Top Target, Germany on the Rise
According to the report, the US remained the top ransomware target globally, accounting for 67% of all named victims on data-leak sites in Q2. German organisations climbed to second place – up from fourth last quarter – likely due to the activity of SafePay, which increased its activity by 42% and targeted both US and German entities using network misconfigurations and vulnerabilities in external services.
SafePay’s aggressive growth underscores how even mid-tier groups are now relying on scalable, vulnerability-driven tactics. In one extortion note to an Australian construction firm, the group explicitly cited network misconfigurations as its method of entry – further evidence that simple weaknesses continue to yield high-impact breaches.
Other notable players include Lynx, which remains resilient despite a 41% drop in Q2 activity, and LockBit, which has failed to rebound following law enforcement disruption in early 2024. LockBit named just 24 organisations in Q2, a dramatic fall from its former dominance and just 11% of its Q2 2024 figures.
Defending Against Ransomware in 2025
The evolution of ransomware tactics demands a proactive, layered defence. The report recommends the following measures:
- Asset Discovery and Patch Management: Identify all assets—including unmanaged and shadow IT—and prioritise patching of external-facing systems and critical infrastructure.
- Strict Credential Controls: Qilin and other groups often exploit valid credentials; enforce strong password policies, multi-factor authentication, and monitor for suspicious activity.
- Reduce RMM Exposure: Disable remote monitoring and management tools like RDP and PsExec unless absolutely necessary.
- Monitor SSH Activity: Especially to VMware ESXi environments—frequently targeted by Qilin.
- Deploy AI-powered Anomaly Detection: Automated tools can detect and stop attacks that move too fast for human analysts alone.
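As an added illustration of the "Monitor SSH Activity" recommendation (example code written for this article, not part of the ReliaQuest report), the script below runs a simple detection over constructed ESXi-style auth.log lines: it flags any accepted SSH login from a host outside an assumed management allowlist, and any source that racks up repeated failures before a success. The log format, the allowlist and the sample addresses are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of ESXi's /var/log/auth.log (assumed format, not from the report).
SAMPLE_AUTH_LOG = """\
2025-05-12T08:01:10Z In(14) sshd[2100312]: Accepted publickey for root from 10.10.5.20 port 50122 ssh2
2025-05-12T08:02:44Z In(14) sshd[2100340]: Failed password for root from 198.51.100.77 port 40011 ssh2
2025-05-12T08:02:46Z In(14) sshd[2100341]: Failed password for root from 198.51.100.77 port 40012 ssh2
2025-05-12T08:02:49Z In(14) sshd[2100342]: Failed password for root from 198.51.100.77 port 40013 ssh2
2025-05-12T08:02:51Z In(14) sshd[2100343]: Accepted password for root from 198.51.100.77 port 40014 ssh2
2025-05-12T08:15:03Z In(14) sshd[2100410]: Accepted publickey for root from 10.10.5.21 port 50190 ssh2
"""

# Management jump hosts permitted to open SSH sessions to the hypervisor (assumed allowlist).
JUMP_HOSTS = {"10.10.5.20", "10.10.5.21"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) .*?sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\S+) "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text):
    """Turn raw auth.log text into dicts; lines that are not sshd auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events

def detect_ssh_anomalies(text, allowlist=JUMP_HOSTS, fail_threshold=3):
    """Return (kind, source, timestamp) findings: accepted logins from outside the allowlist,
    and sources that reach fail_threshold failures (a credential-guessing pattern)."""
    findings = []
    failures = defaultdict(int)
    for ev in parse_events(text):
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src] += 1
            if failures[src] == fail_threshold:
                findings.append(("repeated_failures", src, ev["ts"]))
        elif src not in allowlist:
            kind = "unknown_source_login_after_failures" if failures[src] else "unknown_source_login"
            findings.append((kind, src, ev["ts"]))
    return findings

if __name__ == "__main__":
    for kind, src, ts in detect_ssh_anomalies(SAMPLE_AUTH_LOG):
        print(f"{ts} {kind} from {src}")
```

In practice the allowlist would come from the asset inventory built under the first recommendation, and the findings would feed the alerting pipeline rather than stdout.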