Ransomware Report June 2025
An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape
Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.
Welcome to the June 2025 ransomware update. The Black Kite Research & Intelligence Team (BRITE) tracked 450 ransomware incidents this month, showing the continued intensity of the ransomware threat.
Geographic Distribution
The United States led with 229 incidents, followed by Canada (22) and the United Kingdom (18). Germany, Australia, and Italy also saw steady activity, underscoring ransomware’s global footprint.
Threat Actor Activity
Qilin dominated June with 84 victims, while Akira (34), Play (29), NightSpire (28), and SafePay (27) followed as leading groups. INC Ransom and DragonForce each surpassed 25 victims, highlighting the crowded and competitive threat landscape.
Industry Impact
Manufacturing (85) was again the hardest-hit sector, followed by Professional Services (69) and Health Care (43). Construction, Wholesale Trade, and Information also remained frequent targets, showing that attackers continue to focus on data-rich and operationally critical industries.
RANSOMWARE THREAT ANALYSIS
Ransomware Perpetrators Unmasked!
In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.
In June 2025, Qilin led the pack with 84 victims, followed by Akira (34), Play (29), NightSpire (28), and SafePay (27). Together, these groups accounted for a large share of global incidents.
Beyond the top tier, actors like INC Ransom (26), DragonForce (25), World Leaks (21), and Lynx (20) also remained active, highlighting the ecosystem’s depth. Mid-level groups such as Sarcoma Group and Global each added 16 cases, while dozens of smaller players contributed sporadically, from InterLock (13) to single-hit names like Clop and Black Suit.
The data shows a crowded and volatile landscape where new groups rise quickly and old names fade into the background—underscoring the importance of continuous monitoring and adaptive defenses.
Geographic Hotspots of Ransomware
Global Reach: Tracing Ransomware’s Impact Across Nations
In June 2025, the United States remained the clear epicenter of ransomware activity with 229 incidents, more than half of the global total. Canada (22) and the United Kingdom (18) followed, while Germany (12), Australia (12), and Italy (10) also recorded steady volumes. Countries such as Brazil, Spain, France, Thailand, Turkey, and India each reported smaller but notable clusters of cases.
These patterns confirm that North America and Europe continue to be prime targets for ransomware groups, reflecting both their financial appeal and digital maturity. Yet motivations differ: while many groups pursue profits, others avoid or target specific nations for political or nationalistic reasons. This mix of drivers keeps ransomware targeting unpredictable and reinforces the need for global vigilance and cooperation.
Industry Breakdown
The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.
Not all industries are targeted equally. In June 2025, Manufacturing was the hardest-hit sector with 85 incidents, followed by Professional, Scientific, and Technical Services (69) and Health Care (43).
Other impacted industries included Construction (37), Wholesale Trade (28), and Information (22), showing that ransomware groups continue to pressure both critical and data-rich sectors. Even areas like Retail, Education, and Public Administration saw consistent activity, while smaller verticals such as Agriculture and Mining were not spared.
These patterns confirm that while some industries absorb the heaviest blows, no sector is immune. Attackers exploit valuable data and operational leverage wherever they find it, making cross-industry vigilance essential.
Geographical Preferences of Ransomware Groups
The geographical focus of ransomware groups reveals strategic patterns and preferences.
In June 2025, the United States was once again the primary target with 229 incidents, driven largely by Qilin (48), Play (23), Akira (21), and SafePay (21). DragonForce (20) and INC Ransom (13) also maintained notable activity.
Canada (22) followed, with attacks spread across Qilin, Play, and Akira. The United Kingdom (18) and Germany (12) also saw steady pressure, where SafePay and Qilin were among the most active groups. Italy (10) and Spain (8) reported smaller clusters, highlighting ransomware’s persistence across Europe.
Outside these regions, countries like Australia, Brazil, France, Thailand, Turkey, and India all faced activity, confirming ransomware’s global reach beyond traditional Western targets.
These patterns underline both the dominance of leading actors—particularly Qilin, Play, Akira, and SafePay—and the steady diversification of attacks across multiple geographies.
Geographical Preferences of Ransomware Groups
Ransomware Strikes: Industry-wide
Ransomware threats are industry-agnostic, but some sectors attract more attention than others.
In June 2025, Manufacturing (85 incidents) was once again the most targeted sector, driven heavily by Qilin (23), Play (9), and NightSpire (7). Professional, Scientific, and Technical Services (69) followed, with consistent activity from Qilin (9), Akira (8), and DragonForce (7). Healthcare (43) also remained under pressure, led by INC Ransom (9), Qilin (6), and SafePay (5).
Other industries such as Construction (37), Wholesale Trade (28), and Finance and Insurance (19) recorded steady targeting, while sectors including Education, Public Administration, and Retail saw continued activity across multiple groups. Even smaller verticals like Mining, Real Estate, and Agriculture registered incidents, showing that no sector is immune.
These patterns highlight ransomware’s wide reach but also its concentration on industries with valuable data and critical operations—sectors that attackers see as prime leverage points.
Ransomware Strikes: Industry-wide
Spotlight on Ransomware Indicators
Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.
Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.
By shedding light on MX and DNS Misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.