
The number of active ransomware groups rose 45% year-over-year to 71 in Q2 2025, even as the number of ransomware victims fell 23% from the previous quarter. Qilin was the most active threat group, with an 85% increase in activity. The manufacturing, technology, and legal industries were the most heavily impacted, with the US, Singapore, and Canada being the top three countries affected.
The second quarter of 2025 saw a significant increase in the number of active ransomware groups, according to the latest report from GuidePoint Security. The report, titled “Q2 2025 Ransomware & Cyber Threat Report,” highlights a 45% year-over-year rise in active groups, climbing from 45 in Q2 2024 to 71 in Q2 2025 [1].
Despite this surge, the number of ransomware victims declined by 23% compared to the previous quarter. This indicates a shift in attacker strategies rather than a reduction in overall threat capacity. Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security, noted, “The quarterly slowdown in publicly reported ransomware incidents appears to stem from more temporary headwinds, such as seasonality, fragmentation, and strategic regrouping within the RaaS ecosystem” [1].
Qilin, the most active threat group of the quarter, experienced an 85% increase in activity. This group leveraged automation to identify and breach large numbers of unpatched systems at scale. Notably, 80% of Qilin’s Q2 victims were based in the US, showing a dramatic geographic expansion [1].
The manufacturing, technology, and legal industries were the most heavily impacted, with the US, Singapore, and Canada being the top three countries affected. The healthcare sector, once a top target, dropped out of the top five most targeted industries for the first time since Q2 2022 [1].
Newer ransomware-as-a-service (RaaS) groups like Qilin, Akira, and DragonForce are rapidly scaling attacks using automation and mass vulnerability exploitation. These groups are replacing legacy operators like Cl0p and LockBit, which have lost momentum. For instance, Akira’s victim count surged by 348% year-over-year, while DragonForce increased its activity by 119% in Q2 [2].
Vulnerabilities continue to drive ransomware at scale. Qilin exploited Fortinet vulnerabilities CVE-2024-55591 and CVE-2024-21762, while Akira targeted SonicWall and Cisco VPN vulnerabilities. Unpatched systems remain the single largest enabler of ransomware, with over 150,000 vulnerable Fortinet devices still exposed online one month after a patch was released [2].
The US remained the top ransomware target globally, accounting for 67% of all named victims in Q2. German organizations climbed to second place, likely due to the activity of SafePay, which increased its activity by 42% [2].
To defend against these evolving tactics, the report recommends a proactive, layered defense strategy. This includes asset discovery and patch management, strict credential controls, reducing remote monitoring and management (RMM) exposure, monitoring SSH activity, and deploying AI-powered anomaly detection [2].
In conclusion, the Q2 2025 ransomware landscape shows a significant increase in active groups despite a decline in victim numbers. The shift in tactics highlights the need for organizations to remain vigilant and adapt their defensive strategies to counter these evolving threats.
References:
[1] https://www.businesswire.com/news/home/20250710237056/en/Ransomware-Groups-Multiply-as-Attack-Surface-Rapidly-Expands-GuidePoint-Security-Finds
[2] https://www.digit.fyi/q2-ransomware-report/