Ransomware Report July 2025
An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape
Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.
Welcome to the July 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 473 ransomware incidents this month.
Geographic Distribution
The United States remained the primary target with 223 incidents, nearly half of the global total. Canada (21) and the United Kingdom (20) followed, while Germany (19) and Italy (18) also recorded steady activity. Spain (12), France (11), and Brazil (11) added further cases, alongside smaller clusters in Turkey, Thailand, Australia, Sweden, Singapore, and Japan.
Threat Actor Activity
Qilin led July with 61 disclosed victims, followed closely by INC Ransom (56), SafePay (43), and Akira (39). These four accounted for a large share of the month’s activity.
Other active players included World Leaks (24), Play (23), and DragonForce (21). Mid-tier names like Payouts King, Lynx, and Beast (16 each) added further weight, while smaller groups such as Everest, Dire Wolf, BlackByte, and Arcus Media also maintained visibility. At the margins, legacy names like Clop appeared only once, underscoring their diminished presence.
Industry Impact
The most targeted sectors in July were Manufacturing (94 incidents) and Professional, Scientific, and Technical Services (93), together making up a significant portion of total cases. Wholesale Trade (30), Health Care (27), and Construction (25) followed, while Retail (23) and Information (19) remained under steady pressure.
Even smaller industries such as Finance, Public Administration, Real Estate, and Education were not spared, confirming ransomware’s reach across the entire economy.
BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape and help prepare defenses against the evolving tactics of cybercriminal groups.
RANSOMWARE THREAT ANALYSIS
Ransomware Perpetrators Unmasked!
In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.
In July 2025, Qilin led the pack with 61 victims, followed closely by INC Ransom (56), SafePay (43), and Akira (39). Together, these four groups accounted for the majority of reported incidents.
Beyond the top tier, actors like World Leaks (24), Play (23), DragonForce (21), and emerging names such as Payouts King, Lynx, and Beast (16 each) played active roles—demonstrating the ecosystem’s diversity and volatility.
Smaller but consistent activity was observed from groups including Everest, Dire Wolf, BlackByte, Arcus Media, and NightSpire, while legacy names like Clop appeared only once, signaling their diminished presence.
These shifts highlight how quickly leadership in the ransomware landscape can change, reinforcing the need for continuous monitoring and adaptive defenses.
Geographic Hotspots of Ransomware
Global Reach: Tracing Ransomware’s Impact Across Nations
In July 2025, the United States remained the epicenter of ransomware activity with 223 incidents, accounting for nearly half of the global total. Canada (21) and the United Kingdom (20) followed, while Germany (19) and Italy (18) also recorded notable activity.
Other European countries such as Spain (12) and France (11), along with Brazil (11) in South America, added to the spread. Beyond these, Turkey, Thailand, Australia, Sweden, Singapore, and Japan all faced smaller but consistent waves of attacks.
These patterns confirm that North America and Europe remain prime hunting grounds for ransomware groups, reflecting both the financial rewards and the digital maturity of their economies. Yet motives vary—while some actors chase profit, others avoid or select regions for political or nationalistic reasons. This blend keeps targeting unpredictable and reinforces the need for global vigilance and cooperation.
Industry Breakdown
The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.
Not all industries are targeted equally. In July 2025, Manufacturing (94 incidents) and Professional, Scientific, and Technical Services (93) were by far the hardest-hit sectors, together accounting for the bulk of reported cases.
Other impacted industries included Wholesale Trade (30), Health Care (27), and Construction (25), while Retail (23) and Information (19) also remained frequent targets. Smaller but consistent activity was recorded across sectors such as Public Administration, Finance, and Education, showing that ransomware pressure extends well beyond traditional high-value industries.
These patterns confirm that while certain industries absorb the heaviest blows, no sector is immune. Attackers continue to pursue valuable data and operational leverage wherever they can, making cross-industry vigilance essential.
Geographical Preferences of Ransomware Groups
The geographical focus of ransomware groups reveals strategic patterns and preferences.
In July 2025, the United States was once again the primary target with 223 incidents, driven largely by INC Ransom (30), SafePay (24), Qilin (29), and Akira (21). Groups like Play (20) and DragonForce (16) also maintained strong activity in the U.S.
Canada (21) saw steady pressure, with contributions from INC Ransom, Qilin, and Play, while the United Kingdom (20) recorded activity across multiple groups including Akira, SafePay, and World Leaks. Germany (19) and Italy (18) followed, where SafePay and Qilin featured prominently.
Elsewhere, Spain, France, and Brazil all reported double-digit or near double-digit incidents, while Turkey, Thailand, Australia, Japan, Sweden, and Singapore saw smaller but consistent targeting.
These patterns highlight both the dominance of major groups such as Qilin, INC Ransom, SafePay, and Akira, and the persistent spread of ransomware attacks across multiple regions, confirming its global reach.
Ransomware Strikes: Industry-wide
Ransomware threats are industry-agnostic, but some sectors attract more attention than others.
In July 2025, Professional, Scientific, and Technical Services (93 incidents) and Manufacturing (94) were the most targeted industries, showing attackers’ continued focus on sectors with valuable data and operational leverage. Wholesale Trade (30), Health Care (27), and Construction (25) also faced significant pressure.
Other impacted areas included Retail (23), Information (19), and Public Administration (18), while Finance, Education, and Real Estate recorded steady activity. Even smaller sectors such as Agriculture, Utilities, and Mining were not spared, underscoring ransomware’s broad reach.
These patterns highlight that while some industries take the heaviest blows, no sector is immune. Ransomware groups continue to pursue opportunities wherever critical data and disruption potential exist.
Spotlight on Ransomware Indicators
Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.
Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.
We focus on the following indicators: MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain. Together they highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.