Welcome to the July 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 473 ransomware incidents this month.
The United States remained the primary target with 223 incidents, nearly half of the global total. Canada (21) and the United Kingdom (20) followed, while Germany (19) and Italy (18) also recorded steady activity. Spain (12), France (11), and Brazil (11) added further cases, alongside smaller clusters in Turkey, Thailand, Australia, Sweden, Singapore, and Japan.
Qilin led July with 61 disclosed victims, followed closely by INC Ransom (56), SafePay (43), and Akira (39). These four accounted for a large share of the month’s activity.
Other active players included World Leaks (24), Play (23), and DragonForce (21). Mid-tier names like Payouts King, Lynx, and Beast (16 each) added further weight, while smaller groups such as Everest, Dire Wolf, BlackByte, and Arcus Media also maintained visibility. At the margins, legacy names like Clop appeared only once, underscoring their diminished presence.
The most targeted sectors in July were Manufacturing (94 incidents) and Professional, Scientific, and Technical Services (93), together making up a significant portion of total cases. Wholesale Trade (30), Health Care (27), and Construction (25) followed, while Retail (23) and Information (19) remained under steady pressure.
Even smaller industries such as Finance, Public Administration, Real Estate, and Education were not spared, confirming ransomware’s reach across the entire economy.
BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape and help prepare defenses against the evolving tactics of cybercriminal groups.
Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.