Ransomware Report April 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the April 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 432 ransomware incidents this month.

Geographic Distribution

The United States remained the most targeted country with 204 attacks. Other countries with notable victim counts included Canada (25), Germany (21), Italy (17), and the United Kingdom (17).

Threat Actor Activity

Qilin led with 65 victims, followed by Akira (53) and Play (44). Lynx (28), NightSpire (21), Kill Security (20), and INC Ransom (20) also maintained high levels of activity.

After several months at the top, RansomHub dropped significantly with only 4 recorded victims. On their leak site, the group posted multiple “RIP” banners—leaving behind a big question mark about their future.

Industry Impact

The most affected sectors were Manufacturing (105); Professional, Scientific, and Technical Services (83); and Construction (28).

BRITE continues to monitor ransomware trends monthly to support organizations in understanding the evolving threat landscape.

  • At least one IP address that was part of a botnet, malware propagation, or spam propagation: 1
  • At least one record found in stealer logs: 119
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 172
  • At least one credential leaked in the last 90 days: 197
  • Open RDP or SMB ports publicly visible: 198
  • At least one possible phishing domain: 221
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 298

01 Threat Actor Distribution

  • Qilin accounted for 65 victims, representing 15.1% of total activity.
  • Akira followed with 53 disclosures.
  • Play and Lynx remained consistently active.

02 Geographic Distribution

  • United States of America represented 47.2% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and Germany also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Construction and Wholesale Trade continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

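Threat actors (columns, in order): Others, Medusa, Sarcoma Group, DragonForce, INC Ransom, Kill Security, NightSpire, Lynx, Play, Akira, Qilin

Rows with fewer than eleven values have blank cells that are not shown, so their values cannot be matched to individual actors.

USA: 48, 10, 4, 15, 12, 6, 4, 21, 36, 23, 25
Canada: 6, 2, 1, 1, 1, 6, 2, 6
Germany: 12, 1, 2, 1, 1, 4
Italy: 5, 2, 1, 1, 2, 1, 3, 2
UK: 4, 1, 1, 1, 2, 3, 2, 3
Australia: 2, 1, 2, 1, 1, 2
Switzerland: 2, 2, 1, 2, 1
TW: 2, 1, 2, 3
Brazil: 4, 1, 1, 1
Singapore: 2, 1, 2, 2
Spain: 2, 1, 1, 3
India: 2, 1, 2
Portugal: 3, 2
Others: 40, 1, 2, 2, 2, 4, 12, 1, 1, 11, 16
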
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Threat actors (columns, in order): Others, Medusa, Sarcoma Group, DragonForce, INC Ransom, Kill Security, NightSpire, Lynx, Play, Akira, Qilin

Rows with fewer than eleven values have blank cells that are not shown, so their values cannot be matched to individual actors.

Manufacturing: 34, 2, 2, 1, 3, 3, 5, 8, 14, 17, 16
Health Care and Social Assistance: 5, 1, 6, 1, 2, 7
Professional, Scientific, and Technical Services: 21, 2, 1, 8, 1, 10, 5, 9, 9, 10, 7
Transportation and Warehousing: 4, 2, 1, 3, 3, 2, 1, 5
Educational Services: 3, 2, 1, 1, 4
Wholesale Trade: 9, 3, 2, 3, 2, 2, 4
Construction: 6, 2, 1, 2, 1, 1, 2, 4, 5, 4
Real Estate Rental and Leasing: 3, 2, 2, 3
Public Administration: 4, 2, 1, 2, 1, 3, 3
Other Services (except Public Administration): 4, 1, 1, 2, 2, 1, 8, 3
Retail Trade: 1, 2, 1, 1, 2, 2
Agriculture, Forestry, Fishing and Hunting: 1, 1
Management of Companies and Enterprises: 4, 1, 1
Administrative and Support and Waste Management and Remediation Services: 3, 1, 3, 1
Accommodation and Food Services: 1, 1, 3, 2, 1
Arts, Entertainment, and Recreation: 8, 1, 1, 1, 1, 1
Information: 9, 1, 2, 1, 1
Finance and Insurance: 10, 1, 1, 1, 1, 1, 1, 2, 2, 1
Mining: 1, 1
Utilities: 4, 1, 1

  • Manufacturing activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 431 ransomware disclosures were observed in April 2025.
  • Qilin led activity with 65 victims.
  • United States of America accounted for 47.2% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
