Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report June 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the June 2025 ransomware update. The Black Kite Research & Intelligence Team (BRITE) tracked 450 ransomware incidents this month, showing the continued intensity of the ransomware threat.

Geographic Distribution

The United States led with 229 incidents, followed by Canada (22) and the United Kingdom (18). Germany, Australia, and Italy also saw steady activity, underscoring ransomware’s global footprint.

Threat Actor Activity

Qilin dominated June with 84 victims, while Akira (34)Play (29)NightSpire (28), and SafePay (27) followed as leading groups. INC Ransom and DragonForce each surpassed 25 victims, highlighting the crowded and competitive threat landscape.

Industry Impact

Manufacturing (85) was again the hardest-hit sector, followed by Professional Services (69) and Health Care (43). Construction, Wholesale Trade, and Information also remained frequent targets, showing that attackers continue to focus on data-rich and operationally critical industries.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
7
At least one record found in stealer logs
142
Use of out-of-date services/products with possible vulnerabilities of high exploitability
176
At least one credential leaked in the last 90 days
176
Open RDP or SMB ports publicly visible
184
At least one possible phishing domain
229
MX and DNS misconfiguration that may allow spoofing and phishing attacks
323

01Threat Actor Distribution

  • Qilin accounted for 84 victims, representing 18.7% of total activity.
  • Akira followed with 34 disclosures.
  • Play and NightSpire remained consistently active.

02Geographic Distribution

  • United States of America represented 55.2% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and United Kingdom of Great Britain also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Health Care and Others continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Global
Lynx
World Leaks
DragonForce
INC Ransom
SafePay
NightSpire
Play
Akira
Qilin
United States of America
59
5
7
11
20
13
21
1
23
21
48
Canada
6
2
1
2
1
4
2
4
UK
6
2
1
2
1
1
1
4
Australia
6
3
1
1
1
Germany
3
1
4
2
2
Italy
1
1
3
5
Brazil
2
1
2
1
2
1
France
3
1
1
1
2
Spain
1
3
4
Thailand
3
2
1
India
3
1
1
Turkey
1
1
2
1
Others
46
4
5
5
1
6
2
19
5
13
  • United States of America activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Global
Lynx
World Leaks
DragonForce
INC Ransom
SafePay
NightSpire
Play
Akira
Qilin
Manufacturing
20
4
6
3
4
1
4
7
9
4
23
Professional, Scientific, and Technical Services
18
1
6
7
7
1
4
4
4
8
9
Health Care and Social Assistance
14
4
2
9
5
3
6
Other Services (except Public Administration)
21
3
2
3
1
3
3
6
Construction
15
1
1
3
1
2
1
5
3
5
Wholesale Trade
5
2
1
5
1
2
4
2
6
Information
8
2
2
2
2
1
1
1
3
Finance and Insurance
3
1
1
1
1
1
5
6
Educational Services
7
1
1
3
2
1
3
Public Administration
7
1
5
2
1
2
Retail Trade
6
1
1
2
1
2
2
Administrative and Support and Waste Management and Remediation Services
3
2
1
1
1
1
2
4
Transportation and Warehousing
5
1
1
1
3
Arts, Entertainment, and Recreation
3
1
1
1
2
2
Accommodation and Food Services
1
1
1
2
1
Real Estate Rental and Leasing
2
1
2
Mining
1
1
1
Agriculture, Forestry, Fishing and Hunting
2
Management of Companies and Enterprises
1
1
  • Manufacturing activity was heavily concentrated in Qilin.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 450 ransomware disclosures were observed in June 2025.
  • Qilin led activity with 84 victims.
  • United States of America accounted for 55.2% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.