Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report July 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the July 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 473 ransomware incidents this month.

Geographic Distribution

The United States remained the primary target with 223 incidents, nearly half of the global total. Canada (21) and the United Kingdom (20) followed, while Germany (19) and Italy (18) also recorded steady activity. Spain (12)France (11), and Brazil (11) added further cases, alongside smaller clusters in Turkey, Thailand, Australia, Sweden, Singapore, and Japan.

Threat Actor Activity

Qilin led July with 61 disclosed victims, followed closely by INC Ransom (56)SafePay (43), and Akira (39). These four accounted for a large share of the month’s activity.

Other active players included World Leaks (24)Play (23), and DragonForce (21). Mid-tier names like Payouts King, Lynx, and Beast (16 each) added further weight, while smaller groups such as Everest, Dire Wolf, BlackByte, and Arcus Media also maintained visibility. At the margins, legacy names like Clop appeared only once, underscoring their diminished presence.

Industry Impact

The most targeted sectors in July were Manufacturing (94 incidents) and Professional, Scientific, and Technical Services (93), together making up a significant portion of total cases. Wholesale Trade (30)Health Care (27), and Construction (25) followed, while Retail (23) and Information (19) remained under steady pressure.

Even smaller industries such as Finance, Public Administration, Real Estate, and Education were not spared, confirming ransomware’s reach across the entire economy.

BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape and help prepare defenses against the evolving tactics of cybercriminal groups.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
3
At least one record found in stealer logs
150
Open RDP or SMB ports publicly visible
217
Use of out-of-date services/products with possible vulnerabilities of high exploitability
191
At least one possible phishing domain
249
At least one credential leaked in the last 90 days
188
MX and DNS misconfiguration that may allow spoofing and phishing attacks
324

01Threat Actor Distribution

  • Qilin accounted for 61 victims, representing 12.9% of total activity.
  • INC Ransom followed with 56 disclosures.
  • SafePay and Akira remained consistently active.

02Geographic Distribution

  • United States of America represented 47.1% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and United Kingdom of Great Britain also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Others and Wholesale Trade continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Beast
Lynx
Payouts King
DragonForce
Play
World Leaks
Akira
SafePay
INC Ransom
Qilin
USA
58
1
6
8
16
20
11
21
24
30
29
Canada
7
1
3
1
2
5
2
UK
7
1
2
3
4
1
2
Germany
3
2
3
4
1
2
3
1
Italy
4
2
2
1
3
1
1
4
Spain
5
1
1
1
1
3
France
4
1
1
1
1
3
Brazil
9
1
1
Turkey
6
1
2
Thailand
5
1
1
Australia
1
1
3
1
Japan
3
1
1
Sweden
1
2
1
1
Singapore
2
2
1
Belgium
1
1
1
2
Others
43
14
3
2
4
3
8
6
12
Grand Total
158
16
16
16
21
23
24
39
43
56
61
  • Grand Total activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Beast
Lynx
Payouts King
DragonForce
Play
World Leaks
Akira
SafePay
INC Ransom
Qilin
Professional, Scientific, and Technical Services
31
3
3
3
3
3
6
9
9
14
12
Manufacturing
26
5
6
5
5
9
12
7
3
16
Other Services (except Public Administration)
19
10
2
1
1
2
4
6
Wholesale Trade
11
1
3
2
2
8
3
Health Care and Social Assistance
9
1
2
1
4
7
3
1
Construction
5
3
3
2
3
4
5
Retail Trade
5
1
1
2
1
3
1
4
5
Information
9
1
2
2
1
1
3
Public Administration
7
1
1
1
1
5
3
Finance and Insurance
10
1
1
1
1
3
Educational Services
8
1
1
3
2
1
Real Estate Rental and Leasing
1
1
1
3
2
1
2
Administrative and Support and Waste Management and Remediation Services
5
1
1
1
2
1
1
Management of Companies and Enterprises
6
1
1
1
Transportation and Warehousing
1
1
1
1
1
2
1
Accommodation and Food Services
1
2
1
1
1
2
Agriculture, Forestry, Fishing and Hunting
1
2
1
1
Utilities
3
1
Arts, Entertainment, and Recreation
1
2
Mining
1
  • Professional, Scientific, and Technical Services activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 473 ransomware disclosures were observed in July 2025.
  • Qilin led activity with 61 victims.
  • United States of America accounted for 47.1% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.