Ransomware assault volumes up practically 3 times on 2024
The variety of ransomware assaults that had been noticed and tracked in the course of the first six months of 2025 was up by 179% – virtually 3 times – on the identical interval in 2024, based on statistics printed by risk intelligence platform supplier Flashpoint.
The previous 12 months has seen vital turnover amongst cyber legal risk actors with previously-feared names similar to LockBit – famously taken down by cyber cops – and ALPHV/BlackCat now not the forces they as soon as had been.
The previous 12 months has additionally seen a pivot amongst some ransomware actors to extortion with out encryption. In such assaults, a sufferer’s methods are attacked within the common means – usually by means of social engineering or an unpatched software program vulnerability – and their knowledge stolen, however not ever encrypted.
This form of assault is turning into a major risk as a result of it drastically lowers the boundaries to entry from a technical perspective, each for the core ransomware operators who save on effort and time, and their less-adept associates. This development began to emerge throughout 2024 and exhibits no indicators of dying out.
“A number of teams seem to desire a pure extortion play. Ransomware teams will historically encrypt information earlier than exfiltrating them, charging for each the decryption key and to forestall knowledge from being leaked,” stated the FlashPoint group.
“[However] extortion teams like World Leaks, beforehand generally known as Hunter’s Worldwide, ransoms with out encryption. Moreover, RansomHub has been noticed often using this tactic, in addition to rising teams like Weyhro,” they stated.
In the meantime, generative synthetic intelligence (GenAI) can also be beginning for use by some – albeit not many gangs, once more as a method of relieving ransomware gangs of among the extra burdensome duties they face, similar to growing phishing templates.
On the time of writing, few high-profile operators are utilizing massive language fashions (LLMs) of their tooling, however Funksec, which emerged on the finish of 2024 and should have had a hand within the improvement of the WormGPT mannequin, could also be one to observe.
“It’s attainable that extra teams will combine the usage of LLMs or chatbots inside their operations,,” stated the FlashPoint group.
Different operational and technical adjustments noticed by the FlashPoint group embody a rising variety of assaults by which ransomware gangs recycle earlier ransomware victims from different teams, with knowledge typically showing on different boards lengthy after the occasion itself.
Most lively gangs
Probably the most lively ransomware actors noticed in the course of the first six months of 2025 had been Akira, which carried out 537 assaults, Clop/Cl0p, with 402, Qilin, with 345, Safepay Ransomware, with 233, and RansomHub, with 231.
Nevertheless, there are a number of different teams which might be value watching. For UK-based organisations DragonForce will now be a well-recognized title due to its use in opposition to the likes of Marks & Spencer and Co-op Group in high-profile cyber assaults.
When it comes to ransomware victimology, organisations in the US proceed to be probably the most often focused, accounting for two,160 assaults tracked by FlashPoint, outpacing second-placed Canada – with 249 assaults – by a runaway margin. FlashPoint tracked 154 assaults in Germany and 148 within the UK, adopted by Brazil, Spain, France, India and Australia.
The manufacturing and know-how sectors seem to supply probably the most profitable payouts for ransomware gangs, accounting for 22% and 18% of all assaults, adopted by retail at 13%, healthcare at 9%, and enterprise companies and consulting at 8%.
