
Ransomware Report January 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the January 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 546 ransomware incidents this month, marking a sharp increase compared to the roughly 300 cases recorded in January 2024.

North America remained the primary target with 274 incidents in the United States and 32 in Canada, while the United Kingdom and France also saw notable activity. Manufacturing was the most impacted sector, followed by technical services, breaking the typical slowdown trend often seen at the start of the year.

Clop led with 115 victims, driven largely by their exploitation of the CLEO vulnerability, while RansomHub and Lynx each recorded 42 victims, and Akira followed with 38. Meanwhile, FunkSec expanded its operations beyond ransomware, signaling broader ambitions, and a new site claiming ties to Babuk stirred speculation but lacked credibility.

The surge in incidents, combined with declining ransom payments and emerging regulatory responses, underscores how volatile and complex the ransomware ecosystem has become as 2025 begins.

  • At least one IP address that was part of a botnet, malware propagation, or spam propagation: 3
  • At least one record found in stealer logs: 189
  • Open RDP or SMB ports publicly visible: 244
  • Use of out-of-date services/products with possible vulnerabilities of high exploitability: 246
  • At least one possible phishing domain: 263
  • At least one credential leaked in the last 90 days: 278
  • MX and DNS misconfiguration that may allow spoofing and phishing attacks: 382

01 Threat Actor Distribution

  • Clop accounted for 115 victims, representing 21.1% of total activity.
  • RansomHub followed with 42 disclosures.
  • Lynx and Akira remained consistently active.

02 Geographic Distribution

  • USA represented 50.2% of all tracked victims.
  • The aggregated "Others" category was among the next most impacted.
  • Canada and UK also saw notable activity.

03 Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Other and Health Care continued to be operationally critical targets.

04 Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Columns (threat actors): Others, DragonForce, Funksec, SafePay, Medusa, Qilin, 8Base, INC Ransom, Akira, Lynx, RansomHub, Clop

Non-empty cell values per country (empty cells are not shown):

USA: 66, 7, 10, 8, 12, 9, 18, 21, 26, 18, 79
Canada: 9, 3, 2, 2, 1, 2, 1, 12
UK: 9, 1, 1, 7, 1, 1, 3
France: 5, 1, 7, 1, 1, 1, 1, 1, 1
India: 8, 3, 1, 2, 1, 1
Germany: 9, 2, 1, 1, 1
Australia: 3, 1, 1, 2, 2, 3
Italy: 6, 1, 1, 1, 1, 1
Brazil: 4, 2, 1, 2
Spain: 3, 2, 1, 1
Netherlands: 2, 4
Argentina: 2, 1, 1
Belgium: 2, 1, 1
Colombia: 1, 1, 1, 1
Egypt: 2, 2
Japan: 2, 1, 1
Mexico: 1, 1, 2
Others: 33, 4, 7, 6, 1, 3, 3, 4, 9, 6, 12, 12

  • USA activity was heavily concentrated in Clop.
  • Others showed broader spread geographically.
  • Some actors demonstrated narrow targeting patterns.

05 Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Columns (threat actors): Others, DragonForce, Funksec, SafePay, Medusa, Qilin, 8Base, INC Ransom, Akira, Lynx, RansomHub, Clop

Non-empty cell values per industry (empty cells are not shown):

Professional, Scientific, and Technical Services: 24, 4, 2, 4, 1, 6, 3, 2, 5, 12, 3, 14
Manufacturing: 34, 2, 4, 6, 4, 8, 3, 12, 10, 12, 34
Health Care and Social Assistance: 16, 3, 1, 4, 1, 12, 3
Wholesale Trade: 7, 1, 1, 3, 1, 2, 2, 1, 9
Construction: 4, 3, 1, 2, 1, 4, 5, 6, 1
Retail Trade: 11, 1, 2, 2, 4, 3, 4
Administrative and Support and Waste Management and Remediation Services: 5, 1, 1, 1, 2, 3
Educational Services: 10, 3, 1, 2, 4, 4, 1, 1
Information: 8, 1, 1, 1, 1, 4, 17
Transportation and Warehousing: 6, 1, 1, 1, 1, 1, 18
Finance and Insurance: 9, 1, 2, 1, 1, 2, 1
Other Services (except Public Administration): 14, 1, 2, 3, 3, 1, 2, 3, 4, 1, 3, 10
Public Administration: 8, 5, 1, 1, 1
Accommodation and Food Services: 2, 1, 1, 1, 1
Management of Companies and Enterprises: 1
Mining: 2, 1, 1
Real Estate Rental and Leasing: 2, 1, 2, 1, 1, 1, 1, 2
Arts, Entertainment, and Recreation: 2, 1
Utilities: 1, 4
Agriculture, Forestry, Fishing and Hunting: 1

  • Manufacturing activity was heavily concentrated in Others.
  • Professional, Scientific, and Technical Services showed broader spread across sectors.
  • Some actors demonstrated narrow targeting patterns.

06 Six Month Trend Context

07 Key Takeaways

  • 546 ransomware disclosures were observed in January 2025.
  • Clop led activity with 115 victims.
  • USA accounted for 50.2% of disclosures.
  • Manufacturing remained the most targeted industry.

08 Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.
