Ransomware Report April 2025
An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape
Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.
Welcome to the April 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 432 ransomware incidents this month.
Geographic Distribution
The United States remained the most targeted country with 204 attacks. Other countries with notable victim counts included Canada (25), Germany (21), Italy (17), and the United Kingdom (17).
Threat Actor Activity
Qilin led with 65 victims, followed by Akira (53) and Play (44). Lynx (28), NightSpire (21), Kill Security (20), and INC Ransom (20) also maintained high levels of activity.
After several months at the top, RansomHub dropped significantly with only 4 recorded victims. On their leak site, the group posted multiple “RIP” banners—leaving behind a big question mark about their future.
Industry Impact
The most affected sectors were Manufacturing (105), Professional, Scientific, and Technical Services (83), and Construction (28).
BRITE continues to monitor ransomware trends monthly to support organizations in understanding the evolving threat landscape.
RANSOMWARE THREAT ANALYSIS
Ransomware Perpetrators Unmasked!
In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.
In April 2025, Qilin took the lead with 65 victims, followed by Akira (53) and Play (44)—together shaping much of the month’s activity.
Beyond the top three, groups like Lynx (28), NightSpire (21), Kill Security (20), and INC Ransom (20) also played significant roles, keeping pressure on multiple sectors worldwide.
Meanwhile, RansomHub, once a dominant force, collapsed to just 4 victims, even posting “RIP” banners on its leak site, raising uncertainty about its future.
These shifts show how quickly the ransomware ecosystem can change, with new leaders emerging as others fade. For organizations, closely tracking these groups is essential to anticipate evolving threats and adapt defenses accordingly.
Geographic Hotspots of Ransomware
Global Reach: Tracing Ransomware’s Impact Across Nations
The United States remained the most targeted country with 204 attacks. Other countries with notable victim counts included Canada (25), Germany (21), Italy (17), and the United Kingdom (17).
Motivations differ across groups. Some pursue pure financial gain, while others avoid certain regions for nationalistic or political reasons. This mix of economic incentives and ideological choices shapes the global ransomware map, making it both complex and unpredictable.
Industry Breakdown
The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.
The most affected sectors were Manufacturing (105), Professional, Scientific, and Technical Services (83), and Construction (28).
By understanding which industries are most frequently targeted, organizations can better anticipate where attackers see the greatest opportunities—and allocate resources to strengthen defenses where they are needed most.
Geographical Preferences of Ransomware Groups
The geographical focus of ransomware groups reveals strategic patterns and preferences.
In April 2025, the United States led with 194 incidents, driven mainly by Play (36), Qilin (25), and Akira (23). Canada (24) followed, with activity from Play, Qilin, and Medusa, while Germany (20) and Italy (15) also recorded notable cases.
Other countries, including the UK, Spain, Brazil, and India, faced smaller but steady targeting, and incidents also spread across Asia-Pacific regions such as Australia, Taiwan, and Singapore.
These trends show ransomware’s truly global footprint, with groups tailoring their focus to maximize impact while keeping pressure on North America and Europe as primary targets.
Ransomware Strikes: Industry-wide
Ransomware threats are industry-agnostic, but some sectors attract more attention than others.
In April 2025, Manufacturing (34 incidents) was again the most targeted, led by Akira (17), Qilin (16), and Play (14). Professional, Scientific, and Technical Services (21) followed, with notable pressure from Kill Security (10) and DragonForce (8). Healthcare (19) also remained a key target, with INC Ransom (6) and Qilin (7) driving much of the activity.
Other sectors, including Finance (10), Wholesale (9), and Construction (6), also faced steady attacks. Even smaller industries such as Education, Real Estate, and Public Administration recorded incidents, underscoring ransomware’s broad reach.
These patterns confirm that while ransomware can strike anywhere, groups continue to favor industries with high-value data and operational impact.
Spotlight on Ransomware Indicators
Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.
Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.
We focus on three indicators: MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain. Together they highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.