The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Cybersecurity Firms Report Record-Breaking Quarter for Ransomware Attacks

Several cybersecurity companies have released Q1, 2025 reports on the current state of ransomware, and while the figures vary across the different reports due to different methodologies for tracking ransomware activity, there is consensus that the year so far has been a record-breaker with a historic high in terms of new victims. There has also been a significant increase in active ransomware groups due to the fragmentation of the ransomware landscape, with many more smaller groups emerging as seasoned affiliates of previously dominant ransomware-as-a-service (RaaS) choose their own paths.

The BlackFog State of Ransomware 2025 report shows a record-breaking number of ransomware attacks disclosed by victims in Q1, 2025. BlackFog tracked 278 disclosed incidents in Q1, 2025, up 45% from Q1, 2024. BlackFog said March set a new record with 107 disclosed attacks, following on from new records set in January and February, which were up 22% and 36% respectively from Q1, 2024.

Major Increase in Disclosed Ransomware Attacks. Source: BlackFog

Healthcare Continues to be Top Target for Ransomware Groups

As has been the case in previous quarters, healthcare was one of the top three targeted industries, and in Q1, 2025, was joined by government and the services industry, with the latter replacing education, which dropped out of the top three attacked industries for the first time in five years. Healthcare was the worst-affected sector in terms of disclosed attacks, followed by the services sector and government, with education dropping to fourth spot. The top three targeted sectors accounted for 47% of all disclosed attacks in Q1, 2024.

The 278 disclosed attacks make up just 11.6% of all attacks in the quarter, with a further 2,124 attacks tracked by BlackFog that were undisclosed by the victims. The number of undisclosed attacks is up 113% from the same period in 2024, when there were 997 undisclosed attacks, indicating the majority of victims are not disclosing attacks. Healthcare is a highly regulated industry with requirements for reporting ransomware attacks involving unauthorized access to patient data, so it is not surprising that the industry only ranked in 6th spot for undisclosed attacks. The services sector topped the list, accounting for 22% of undisclosed attacks, followed by manufacturing, technology, retail, and construction.

RansomHub was the most active ransomware group in 2024 and continued to exert its dominance in Q1, 2025. RansomHub was behind 24 (9%) disclosed attacks and 234 (11%) undisclosed attacks. RansomHub emerged in early 2024 and rapidly became the most prolific RaaS group, replacing two of the previously most active groups – LockBit and ALPHV/BlackCat. LockBit has been the subject of law enforcement operations that have caused major disruption and limited its ability to operate, and the ALPHV/BlackCat group disbanded following the attack on Change Healthcare in February 2024. RansomHub took advantage, recruiting affiliates from both groups, allowing it to rapidly grow and become the most dominant player. In terms of undisclosed attacks, however, Clop took the top spot with 260 attacks (12%), virtually all of which involved the mass exploitation of a vulnerability in the Cleo managed file transfer solution.

RansomHub Still Dominant, But All Could Soon Change

RansomHub’s dominance could well be coming to an end. Several cybersecurity firms have reported internal problems at RansomHub between the operators and their affiliates. RansomHub billed itself as a more reliable alternative to LockBit and ALPHV, promising affiliates more professionalism and greater transparency, and the offer proved attractive, helping the group to grow rapidly. Apparent internal disputes culminated in some of the group’s client chat portals going offline on April 1, 2025, then on April 2, 2025, a rival group, DragonForce, claimed RansomHub decided to move to their infrastructure and is operating under a new option from The DragonForce Ransomware Cartel. “Don’t worry RansomHub will be up soon, they just decided to move to our infrastructure! We are Reliable partners,” claimed DragonForce.

While the statement from DragonForce could indicate the two groups have simply joined forces, the degree to which these groups are now working together is unclear. Researchers at Cyble say that prior to the April 2, 2025 announcement, DragonForce indicated it would be expanding its RaaS operation in what appears to be a franchise model, where affiliates can launch their own ransomware brands under the DragonForce Cartel. The researchers suggest RansomHub may have been acquired by DragonForce, potentially in a hostile takeover.

Two healthcare-related incidents made the top five attacks based on BlackFog’s assessment of their significance, ranking #4 and #5 behind the attacks on AWS (Codefinger), PowerSchool (unknown), and Lee Enterprises (Qilin). In 4th spot was the RansomHub attack on Sault Ste. Marie Tribe of Chippewa in Michigan, which reportedly involved a $5 million ransom demand following the exfiltration of 119 GB of data. The Medusa ransomware attack on HCRG Care Group, a UK-based child and family health and social services provider, was ranked as the 5th most impactful attack, involving the theft of 2.3 TB of data and a $2 million ransom demand.

BlackFog reports that the average ransom demand in Q1, 2025, was $663,582, based on 93 known ransom demands, the majority of which came from the Medusa group, and says 95% of attacks in Q1, 2025, involved data exfiltration. BlackFog also drew attention to a proliferation of new ransomware groups, with 12 new ransomware groups tracked in Q1, the most active of which was Frag with 27 victims.

Cyble also released a Q1, 2025 ransomware report and similarly concluded that Q1, 2025, was a record-breaking quarter for attacks, although fewer attacks were tracked than BlackFog for January (590). Cyble reports a peak of attacks in February with a record-breaking 886 new victims, followed by a dip in March to 564 new victims.

Ransomware Attacks Tracked by Cyble in Q1, 2025. Source: Cyble

Cyble also notes that RansomHub was the most active group in the quarter, with Akira and Qilin taking second and third spot, and similarly notes the high number of attacks by Clop, which claimed at least 267 victims in February (per Cyble’s data) as a result of the mass exploitation of the Cleo vulnerability. Attacks then dropped to low numbers (6) in March as is typical as the group searches for the next vulnerability to mass exploit.

Dwindling Ransom Payments Lead to Increased Attack Volume

Cyble suggests the significant increase in attacks in Q1, 2025, could be due to the dwindling returns from attacks, as far fewer victims are paying ransoms. Cyble suggests that ransomware groups may be making up for decreasing ransom payments by increasing their attack volume. Cyble also draws attention to the emergence of new ransomware groups, having tracked three new groups emerging in February. New additions to the ransomware ecosystem include the Arkana Security, Secp0, Skira Team, Weyhro, and Frag groups.

The GuidePoint Research and Intelligence Team (GRIT) has also released a report – The GRIT 2025, Q1 Ransomware & CyberThreat Insights Report – which similarly ranks Q1, 2025 as the worst quarter to date in terms of victim count, with 2,063 new ransomware victims tracked. That represents a 30.8% increase from the previous quarter and a 102% increase from Q1, 2024. What is especially notable is the increase in active ransomware groups, which jumped by 16.7% from Q4, 2024, and 55.5% from Q1, 2024. GRIT has tracked 70 active ransomware groups in Q1, 2025, with attacks being conducted at a rate of 22.9 new victims per day.

“We’re tracking more active ransomware and extortion groups than ever before, with a noticeable rise in high-volume attacks from emerging players formed out of disrupted gangs, like LockBit and AlphV,” explained Grayson North, Principal Security Consultant, GRIT. “The pressing question now is whether this surge represents a residual short-term spike or the beginning of a dark year for ransomware victims.”

GRIT reports that the most attacked industries in Q1, 2025 were manufacturing, retail/wholesale, and technology, with healthcare ranking in 4th spot. The most active groups targeting the healthcare sector were Qilin, IncRansom, and RansomHub. Overall, RansomHub was the second most active group by some distance, with Clop taking the top spot with 348 tracked victims in just a few days in its latest mass exploitation attempt on a vulnerability in a file transfer solution.

GRIT notes that there was a 75% increase in actively exploited vulnerabilities in Q1, 2025, compared to the same period last year, and an increase in targeting of U.S. firms, which accounted for 59% of all attacks in the quarter, the highest percentage of U.S. attacks to date. BlackFog’s figures are similar, with the USA topping the list for both disclosed (145/52%) and undisclosed attacks (1,173/55%).

What these reports make abundantly clear is that there is no let-up for security teams, with more attacks conducted than ever before, although time will tell whether this pace will be maintained. Based on previous years, there is usually a drop in ransomware activity in Q2 and Q3, before attacks ramp up in Q4. GRIT predicts it will be a similar story in 2025.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
