Byline: Ekrem Selcuk Celik, Cybersecurity Researcher at Black Kite

Welcome to the January 2025 ransomware update, where we highlight the latest trends, threat actors, and developments in the ransomware ecosystem to keep CISOs and third-party risk managers informed and prepared.

The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents in January 2025, marking a sharp increase compared to January 2024, which saw approximately 300 cases. This significant rise indicates that ransomware activity is escalating at an alarming pace. Among these incidents, 274 were recorded in the United States, 32 in Canada, 23 in the United Kingdom, and 18 in France.

Manufacturing was the most targeted sector, followed by technical services. Closing out December with 535 cases, ransomware groups have historically shown a tendency to slow down at the beginning of the year. However, this year is proving to be an exception.

Top Threat Actors in January 2025

The Clop ransomware group took the lead in January 2025 by a significant margin with 115 publicly disclosed victims. As usual, RansomHub remained among the top-ranking groups with 42 victims. One of the most notable groups this month was Lynx, which saw a major surge with 42 victims in January. They were followed by the Akira group, which recorded 38 victims.

Clop Is No Joke, But It’s Not What It Used to Be

Nearly all of the 115 Clop attacks were linked to the CLEO vulnerability, continuing the momentum from Clop’s December disclosures. Initially, only 50 victims were expected, but as the group continues to release names in alphabetical order, the final number could reach 500.

Among these 115 victims, the United States was the most affected, with 79 cases, followed by Canada with 12 and the Netherlands with 4.

In terms of industry impact among these attacks, the manufacturing sector suffered the highest number of attacks, with 34 victims. It was followed by the transportation sector with 18 victims, the information technology sector with 17, and the technical services sector with 14.

Two years ago, during the MoveIT disclosures, Clop was at the center of global media attention. Now, despite its high ransomware activity, the group seems to be struggling to capture the same level of interest. They kept postponing victim disclosures, which was unusual for them, and then starting sharing victims in a different way to seek attention. Whether this signals Clop’s waning influence or a shift in public perception remains to be seen, but one thing is certain: the group appears increasingly frustrated by the lack of attention.

Screenshot from the site where Clop now publishes stolen data.

FunkSec: From Ransomware to Full-Fledged Cybercrime Group

FunkSec continued its aggressive expansion in January, making headlines with its unconventional tactics:

  • Launched FunkBID, a data leak auction platform.
  • Announced a partnership with Fsociety for joint ransomware operations.
  • Gave media interviews, shedding light on their internal workings.
  • Released FunkSec V1.2, their own Ransomware-as-a-Service (RaaS) for $100.
  • Threatened a cybersecurity researcher who had written about them.
  • Established their own forum to further expand their operations.
Screenshot of the site where Funksec announced Funksec V1.2

Key takeaways from their recent interview:

  • They claim to be entirely self-taught with no external affiliations.
  • AI plays a role in their operations, but they state it accounts for only 20%.
  • They have developed their own GPT model for internal use.
  • Their primary goal is financial gain, but they explicitly state hostility toward Israel and the U.S.
  • The group consists of four members.
  • While hacking remains their focus, they employ specialized ransomware developers.
  • They use tools like Shodan Premium and Burp Pro, alongside advanced custom brute force tools.
  • Rust is their programming language of choice.

FunkSec’s erratic yet calculated moves make them one of the most unpredictable actors in the ransomware ecosystem. Their expansion beyond traditional ransomware operations suggests a broader ambition that could redefine the threat landscape.

Is Babuk Back? Or Just an Imposter?

A new leak site emerged in January claiming to be affiliated with Babuk, publishing 60 alleged victims. While this sparked speculation that the notorious ransomware group had returned, our analysis revealed that most of the disclosed victims had already been published by FunkSec, RansomHub, and LockBit.

Shortly after the site gained traction, access was restricted, leaving its authenticity in question. Whether this marks the actual return of Babuk or merely an opportunistic attempt to capitalize on the name remains unclear.

Screenshot of the new Babuk Ransomware Leaks Site.

New Groups Keep Emerging, but Originality Is Fading

Ransomware groups continue to surface at an increasing rate, and the rise of Ransomware-as-a-Service (RaaS) is undoubtedly fueling this trend. However, despite this growth, these groups seem to do little more than mimic each other. Many simply replicate existing leak sites, making it increasingly difficult to track them as they blur into one another.

In previous years, such copycat behavior was less common, but now it’s becoming the norm. This shift strongly suggests that experienced cybercriminals are being replaced by younger, less-skilled actors. As a result, while the number of ransomware groups grows, innovation within the ecosystem seems to be stagnating.

A new group appears to imitate the RansomHub group.

Attacks Are Increasing, but Ransom Payments Are Decreasing

While ransomware attacks surged in 2024, total ransom payments dropped by 35%, amounting to $813.55 million. Companies are increasingly adopting robust cybersecurity measures, improving backup strategies, and benefiting from law enforcement crackdowns on cybercriminals.

Notably, the international operation “Operation Cronos” disrupted LockBit’s infrastructure, demonstrating the growing impact of coordinated cybercrime enforcement. However, despite these advancements, ransomware groups are evolving their tactics, becoming more aggressive in their extortion methods.

In response, the UK government is considering stricter regulations, including:

  • Banning public institutions and critical infrastructure providers from making ransom payments.
  • Mandating all victims to report ransomware incidents to authorities.

Authorities believe these measures will curb ransomware groups’ financial streams and act as a deterrent. If enacted, these regulations could reshape how organizations respond to ransomware threats.

Key Takeaways

January 2025 set a record-breaking pace for ransomware incidents.

  • Clop led the charge but may be struggling to maintain its past level of influence.
  • FunkSec is rapidly expanding its operations beyond ransomware, building a cybercrime ecosystem.
  • The alleged return of Babuk remains uncertain, raising questions about its legitimacy.
  • While ransom payments are declining, attack volume is increasing, prompting tighter regulations.

For cybersecurity teams, 2025 is already shaping up to be one of the most challenging years yet. Black Kite’s Ransomware Susceptibility Index® (RSITM) offers a proactive approach by assessing the likelihood of a ransomware attack throughout the third-party ecosystem. By leveraging RSI, risk managers can identify high-risk vendors before an attack strikes, prioritize remediation efforts, and ultimately safeguard their organizations against the escalating threat.

Stay tuned for more monthly Ransomware Reviews on our blog and LinkedIn Newsletter.



Dig into our full 2025 Third Party Breach Report: The Silent Breach: How Third Parties Became the Biggest Cyber Threat in 2024 – accessible instantly, no download required.




Read Now