Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report March 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the March 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 594 ransomware incidents this month, reflecting a steady continuation of the high-volume threat environment observed in early 2025.

Geographic Distribution

The United States remained the top target with 290 incidents—more than half of the global total. Canada (42) and Germany (36) followed as the next most affected countries. The United KingdomBrazilSpainFrance, and Italy all reported double-digit incidents, underscoring the global reach of ransomware operations.

Threat Actor Activity

RansomHub led with 84 victims, maintaining its top spot in the ransomware ecosystem. Akira (68) and Qilin (46) followed closely behind, highlighting the continued dominance of aggressive and capable ransomware groups. Other notable actors included SafePay (42)Play (31)Lynx (28)INC Ransom (28), and Frag (21).
The month also saw consistent activity from Kill SecurityMedusaDragonForceArcus Media, and Sarcoma Group, while LockBit 3.0, once a top contender, recorded only 7 victims.

Industry Impact

Based on February’s data, ManufacturingProfessional Services, and Wholesale Trade remained among the most impacted industries.

As ransomware groups shift and diversify, continuous monitoring and data-driven insights remain essential. BRITE will continue tracking developments to help organizations better understand and respond to these evolving threats.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
4
At least one record found in stealer logs
187
Use of out-of-date services/products with possible vulnerabilities of high exploitability
245
At least one credential leaked in the last 90 days
278
Open RDP or SMB ports publicly visible
283
At least one possible phishing domain
301
MX and DNS misconfiguration that may allow spoofing and phishing attacks
449

01Threat Actor Distribution

  • RansomHub accounted for 84 victims, representing 14.1% of total activity.
  • Akira followed with 68 disclosures.
  • Qilin and SafePay remained consistently active.

02Geographic Distribution

  • United States of America represented 48.8% of all tracked victims.
  • Others was among the next most impacted countries.
  • Canada and Germany also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Wholesale Trade and Health Care continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
Medusa
Kill Security
Frag
INC Ransom
Lynx
Play
SafePay
Qilin
Akira
RansomHub
USA
90
12
7
18
12
15
21
13
26
30
46
Canada
12
1
1
2
1
5
4
3
3
10
Germany
5
6
1
2
13
3
3
3
UK
11
3
2
4
1
1
2
Brazil
11
1
1
2
1
France
7
1
2
3
2
Spain
5
1
2
6
1
Italy
9
1
1
3
Taiwan, Province of China
11
1
1
India
5
3
1
1
Australia
2
1
1
1
1
1
2
Japan
5
2
Argentina
3
1
1
Netherlands
1
1
1
1
1
Others
36
4
1
4
5
2
6
7
18
10
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
Medusa
Kill Security
Frag
INC Ransom
Lynx
Play
SafePay
Qilin
Akira
RansomHub
Manufacturing
50
2
3
6
3
8
9
7
11
22
21
Professional, Scientific, and Technical Services
37
1
6
5
2
1
3
7
11
9
13
Construction
6
2
2
2
3
5
4
1
5
8
Other Services (except Public Administration)
16
1
3
1
3
3
7
Wholesale Trade
11
1
3
4
6
4
4
5
7
Administrative and Support and Waste Management and Remediation Services
6
1
1
1
1
3
1
1
1
2
5
Retail Trade
8
2
1
1
2
1
2
4
5
Information
12
1
1
1
1
1
3
3
4
Health Care and Social Assistance
21
2
2
1
5
4
3
4
Transportation and Warehousing
7
2
1
2
1
2
4
3
Finance and Insurance
7
3
1
1
1
1
2
2
Educational Services
13
2
2
1
4
1
2
Mining
1
1
Arts, Entertainment, and Recreation
1
1
1
1
Public Administration
10
2
4
1
Utilities
1
1
Management of Companies and Enterprises
1
1
3
Agriculture, Forestry, Fishing and Hunting
2
2
1
2
Accommodation and Food Services
2
1
1
2
1
Real Estate Rental and Leasing
3
1
1
1
2
1
1
3
  • Manufacturing activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 594 ransomware disclosures were observed in March 2025.
  • RansomHub led activity with 84 victims.
  • United States of America accounted for 48.8% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.