Ransomware surged in H1 2025. Meet CL0P, Akira, and Qilin — the top threat actors behind over 1,000 global attacks reshaping the cybercrime landscape.
Introduction
If the first half of 2025 taught us anything, it’s that ransomware isn’t just back — it’s bigger, smarter, and far more coordinated. And at the heart of this surge, three names rose to the top. Together, they accounted for over a third of all reported ransomware attacks globally – more than 1,000 incidents. No sector was safe. No region was untouched.
These threat actors are no longer operating in the dark shadows — they’re orchestrating global disruptions with surgical precision.
According to findings from Cyble’s Global Threat Landscape: H1 2025 report, ransomware attacks spiked by 54% in the first six months compared to last year, reaching 3,201 confirmed incidents. While dozens of threat actors were active, most large-scale campaigns came from these three names — and they weren’t working alone.
Let’s dive deep into the top ransomware threat actors of H1 2025 – CL0P, Akira, and Qilin. Learn what they attack, whom they attack, and how they attack, because you could be their next target.
CL0P: The King of Zero-Days
With a track record that stretches back to 2019, CL0P has perfected the art of high-impact extortion. But this year, they didn’t just lead — they dominated, especially in February, when they were behind 37% of all ransomware attacks globally.
CL0P doesn’t operate like a typical ransomware-as-a-service (RaaS) group. It runs a centralized operation, managing the full attack lifecycle — from exploiting vulnerabilities to publishing stolen data on their leak site, CL0P^_- LEAKS.
Their preferred method of entry? Zero-day exploits, especially in file transfer software. From MOVEit to GoAnywhere MFT, CL0P has repeatedly used undisclosed vulnerabilities to gain access, exfiltrate sensitive data, and then deploy ransomware — a classic double extortion playbook.
North America, especially the United States and Canada, bore the brunt.
Finance, healthcare, education, and government sectors were frequent targets. CL0P’s selective and technically advanced approach continues to make it one of the most feared names in ransomware.
Akira: Manufacturing Mayhem in Motion
Akira’s footprint in H1 2025 spread widely across North America and Europe, but its most intense operations zeroed in on Germany, the beating heart of European manufacturing.
Akira knows where it hurts. From professional services and construction to automotive and manufacturing, the group targeted industries that underpin national economies — and timed their strikes for maximum disruption.
While their ransom demands aren’t always public, the strategic targeting suggests Akira isn’t just focused on cash — they’re going after systemic disruption. Their resurgence in Europe, in particular, signals a calculated pivot, and businesses in the DACH region would be wise to take notice.
Qilin: Ransomware-as-a-Service, Weaponized
Operating under the RaaS model, Qilin is rapidly becoming a franchise of cybercrime.
What sets Qilin apart is scale. The group enables affiliates to launch highly customizable attacks, allowing them to cast a wide net across sectors — including healthcare, manufacturing, construction, and public services. In April 2025 alone, Qilin claimed 72 victims.
Qilin’s infrastructure allows for global reach. From Singapore and India to the U.S. and Europe, their operations reflect an aggressive expansion strategy. In APAC alone, Qilin led the region with 32 reported attacks.
The Emerging Threat: A New Breed of Ransomware Actors
While the Big Three took center stage, the sidelines are getting crowded.
H1 2025 also saw the debut of several new ransomware groups — leaner, experimental, and often operating without traditional lockers. These include:
- Dire Wolf – launched a dark web leak site targeting victims across Asia and Italy.
- Silent Team – hit aerospace and engineering firms, allegedly exfiltrating over 2.8 TB of highly sensitive files.
- DATACARRY and Gunra – active in Europe, the Americas, and parts of Asia, often testing extortion-only models without encryption.
- “J” – a shadowy actor with a leak site listing victims across five continents, hinting at a globally coordinated emergence.
These new entrants reflect a dangerous evolution – that of data theft without ransomware deployment. By skipping encryption altogether, they avoid detection and still pressure victims into paying, knowing that reputational damage is often a more powerful weapon than system lockdowns.
The Bigger Picture
Ransomware is no longer an isolated incident—it’s an ecosystem. The barriers to entry are lower. The playbooks are evolving. And the actors, both old and new, are growing more confident and complex.
For security teams and executive leadership, it’s no longer enough to monitor the dark web or patch known exploits alone. Proactive, intelligence-led defense is the only way forward.
Cyble’s Global Threat Landscape H1 2025 Report offers an in-depth breakdown of these ransomware groups, their tactics, and the industries they’re targeting. From the geographies at risk to the vulnerabilities exploited, the report is a strategic roadmap for defenders looking to stay ahead of the curve.
Stay sharp, stay secure!