Decreasing Trend of Ransomware Attacks in 2025
In the aftermath of Q2 2025, the ransomware landscape has undergone a significant transformation. According to Check Point Research, the number of ransomware attacks declined modestly, reaching its lowest level in over a year. However, this decrease does not equate to a reduction in danger.
The disappearance of major ransomware groups has fragmented the ecosystem, leading to the rise of numerous smaller, more agile groups. Established players like RansomHub have ceased operations, causing affiliates to migrate to other Ransomware-as-a-Service (RaaS) platforms such as DragonForce and LockBit. Simultaneously, new groups including KaWa4096, Warlock, and Nova have emerged.
One of the most notable changes is the shift towards data extortion without encryption. Attackers are now prioritizing sectors rich in sensitive or critical operational data, such as Consumer Goods & Services, Professional Services, Manufacturing, Information Technology, and Healthcare. They are personalizing their attacks by impersonating IT staff and focusing on targets with privileged access rather than running broad spam campaigns.
The use of generative AI (GenAI) tools has begun to noticeably affect tactics. Threat actors are leveraging AI tools like ChatGPT to automate the creation of attack code, streamline operational tasks, and enhance the sophistication and effectiveness of their campaigns. This enables attackers to scale customized, socially engineered attacks and speed up attack development, making them more agile and specialized than before.
Key affected sectors remain those with high-value or sensitive data and operational importance. The Healthcare sector, for instance, remains a popular target, with INC Ransomware accounting for nearly 17% of such attacks in Q2. Notably, ransomware groups like 8Base, RansomHub, and BianLian also shut down or disappeared in Q2.
The most active and resilient ransomware gang, LockBit, began to unravel in Q2. Its internal data was hacked and leaked in May, effectively ending the group. Other groups, like DragonForce or Safepay, are staying quiet and watching the situation before making a move.
International task forces have been coordinating takedowns, tracking infrastructure, unmasking key members, and filing indictments. Law enforcement actions in Q2 demonstrated the ability to take down even the largest ransomware gangs, triggering a reset in the ransomware landscape. Some of the new groups operate for just a few weeks and then vanish.
The shift in momentum does not signal the end of ransomware but rather a change in its dynamics. Public victim listings on dark web leak sites dropped to 1,607 in Q2, down from 2,289 the quarter before. The ransomware world has splintered with smaller, more agile groups taking over, employing nuanced extortion tactics rather than just encryption.
Sources: [1] Check Point Research; [2] Cybersecurity Dive; [3] Dark Reading; [4] Help Net Security; [5] The Hacker News