
Ransomware Report February 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the February 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 809 ransomware incidents this month, marking the highest monthly total ever recorded and surpassing the previous peak of around 590 victims.

The United States was once again the primary target with 513 incidents, followed by Canada with 51 and the United Kingdom with 23. Manufacturing was hit hardest with 193 victims, while Professional and Technical Services (118) and Wholesale (82) followed as top impacted sectors.

Clop dominated with 283 victims, fueled by its CLEO exploit, while RansomHub (98), Akira (50), and Play (48) rounded out the leading groups. Meanwhile, the takedown of 8Base, leaks exposing Black Basta’s internal chaos, and the continued rise of RaaS highlighted how dynamic and volatile the ransomware ecosystem remains.

February’s record numbers underscore the urgent need for resilience, proactive defenses, and stronger global cooperation as ransomware continues to escalate in scale and impact.

  • At least one IP address that was part of a botnet, malware propagation, or spam propagation: 9
  • At least one record found in stealer logs: 254
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 322
  • Open RDP or SMB ports publicly visible: 338
  • At least one credential leaked in the last 90 days: 394
  • At least one possible phishing domain: 403
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 570

01 Threat Actor Distribution

  • Clop accounted for 283 victims, representing 35% of total activity.
  • RansomHub followed with 98 disclosures.
  • Akira and Play remained consistently active.

02 Geographic Distribution

  • The United States of America represented 63.4% of all tracked victims.
  • The "Others" category was among the next most impacted countries.
  • Canada and the United Kingdom of Great Britain also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Wholesale Trade and Others continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Threat actors (columns): Others, BianLian, Kill Security, Medusa, Cactus, Lynx, Qilin, Play, Akira, RansomHub, Clop

Each row lists only its populated cells, in left-to-right order.

USA: 75, 19, 7, 24, 29, 17, 30, 38, 21, 68, 185
Canada: 5, 1, 4, 1, 3, 5, 8, 24
UK: 9, 1, 3, 1, 1, 2, 2, 4
Germany: 4, 1, 1, 1, 1, 5, 1, 5
Australia: 3, 1, 1, 1, 1, 1, 2, 1
Mexico: 2, 2, 6
France: 3, 1, 1, 3
India: 2, 3, 1, 1
Italy: 3, 1, 1, 1, 1
TW: 2, 2, 1, 1, 1
Brazil: 5, 1
Japan: 3, 1, 1, 1
Spain: 2, 2, 1, 1
Sweden: 4, 1, 1
Netherlands: 1, 2, 2
Ireland: 4
Others: 30, 7, 3, 7, 1, 2, 13, 12, 45

  • USA activity was heavily concentrated in Clop.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Threat actors (columns): Others, BianLian, Kill Security, Medusa, Cactus, Lynx, Qilin, Play, Akira, RansomHub, Clop

Each row lists only its populated cells, in left-to-right order.

Manufacturing: 16, 1, 1, 3, 15, 10, 10, 11, 14, 23, 89
Wholesale Trade: 8, 2, 8, 6, 1, 2, 2, 4, 49
Other Services (except Public Administration): 15, 1, 1, 5, 3, 3, 3, 3, 7, 1, 39
Transportation and Warehousing: 10, 1, 2, 1, 1, 3, 5, 35
Professional, Scientific, and Technical Services: 27, 11, 2, 3, 2, 6, 11, 7, 7, 18, 24
Retail Trade: 8, 2, 2, 2, 1, 1, 1, 15
Information: 7, 1, 4, 1, 5, 2, 12
Agriculture, Forestry, Fishing and Hunting: 1, 1, 2, 2, 4
Finance and Insurance: 3, 1, 4, 3, 1, 5, 4, 4
Real Estate Rental and Leasing: 3, 1, 1, 5, 1, 5, 3
Utilities: 1, 1, 1, 2
Educational Services: 11, 3, 2, 1, 1, 8, 2
Management of Companies and Enterprises: 3, 1, 1
Accommodation and Food Services: 1, 1, 1, 2, 1
Arts, Entertainment, and Recreation: 3, 2, 1, 2, 2, 2, 1
Administrative and Support and Waste Management and Remediation Services: 2, 2, 2, 1, 1, 1, 3, 1, 1
Health Care and Social Assistance: 13, 3, 2, 7, 6, 1, 7, 1
Mining: 1, 2
Public Administration: 8, 3, 1, 4
Construction: 9, 1, 1, 2, 6, 3, 7

  • Manufacturing activity was heavily concentrated in Clop.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 808 ransomware disclosures were observed in February 2025.
  • Clop led activity with 283 victims.
  • The United States of America accounted for 63.4% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
