Ransomware Report March 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the March 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 594 ransomware incidents this month, reflecting a steady continuation of the high-volume threat environment observed in early 2025.

Geographic Distribution

The United States remained the top target with 290 incidents—more than half of the global total. Canada (42) and Germany (36) followed as the next most affected countries. The United Kingdom, Brazil, Spain, France, and Italy all reported double-digit incidents, underscoring the global reach of ransomware operations.

Threat Actor Activity

RansomHub led with 84 victims, maintaining its top spot in the ransomware ecosystem. Akira (68) and Qilin (46) followed closely behind, highlighting the continued dominance of aggressive and capable ransomware groups. Other notable actors included SafePay (42), Play (31), Lynx (28), INC Ransom (28), and Frag (21).
The month also saw consistent activity from Kill Security, Medusa, DragonForce, Arcus Media, and Sarcoma Group, while LockBit 3.0, once a top contender, recorded only 7 victims.

Industry Impact

Based on February’s data, Manufacturing, Professional Services, and Wholesale Trade remained among the most impacted industries.

As ransomware groups shift and diversify, continuous monitoring and data-driven insights remain essential. BRITE will continue tracking developments to help organizations better understand and respond to these evolving threats.

RANSOMWARE THREAT ANALYSIS

Ransomware Perpetrators Unmasked!

In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.

In March 2025, RansomHub held its top spot with 84 victims, followed closely by Akira with 68 and Qilin with 46. This highlights the continued dominance of aggressive and capable ransomware groups.

But the story doesn’t end with the top three. Groups like SafePay, Play, Lynx, INC Ransom, and Frag all contributed significantly to the month’s surge, reminding us that the ransomware ecosystem is more crowded—and more dangerous—than ever.

By analyzing the tactics of these dominant and emerging players, organizations can anticipate evolving threats and strengthen their defenses against what is shaping up to be the most challenging year yet in the fight against ransomware.

Geographic Hotspots of Ransomware

Global Reach: Tracing Ransomware’s Impact Across Nations

In March 2025, 594 ransomware incidents were recorded. The United States once again stood out as the epicenter with 290 cases, an unprecedented concentration that highlights its ongoing vulnerability.

Canada followed with 42, Germany with 36, and the United Kingdom, Brazil, Spain, France, and Italy all reported double-digit incidents, underscoring the global reach of ransomware operations. Wealthy and digitally advanced nations continue to attract ransomware groups due to their rich data environments and higher potential payouts.

Yet, motivations differ. Some groups pursue pure financial gain, while others avoid certain regions for nationalistic or political reasons. This mix of economic incentives and ideological choices shapes the global ransomware map, making it both complex and unpredictable.

Industry Breakdown

The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.

Not all industries are targeted equally. Based on February’s data, Manufacturing was hit the hardest, followed by Professional, Scientific, and Technical Services and Wholesale Trade.

While these top industries bear the brunt of attacks due to the high value of their data and often complex digital environments, no sector is immune. This underscores the wide reach of ransomware and makes it essential to understand where attackers see the greatest opportunities, so that resources can be allocated and defenses strengthened where they are needed most.

Geographical Preferences of Ransomware Groups

The geographical focus of ransomware groups reveals strategic patterns and preferences.

In March 2025, the United States recorded 290 incidents, making it the most targeted country by a wide margin. Canada (42) and Germany (36) followed, while the UK, Brazil, Spain, France, and Italy each saw double-digit attacks.

In the U.S., RansomHub (46), Akira (30), and Qilin (26) were the most active, while Canada was hit mainly by RansomHub (10), Play, and SafePay. Germany faced a strong wave from SafePay (13) and several others.

These regional patterns confirm ransomware’s global spread, with groups adapting their focus to maximize impact across different markets.

Ransomware Strikes: Industry-wide

Ransomware threats are industry-agnostic, but some sectors attract more attention than others.

In March 2025, Manufacturing was again the hardest-hit industry with 50 incidents, led by Akira (22) and RansomHub (21). Professional, Scientific, and Technical Services followed with 37 cases, driven by Qilin (11), RansomHub (13), and SafePay (7). Wholesale Trade also faced heavy pressure with 11 incidents, where Clop, RansomHub, and Akira each contributed significantly.

Other affected industries included Healthcare (21), Information (12), and Education (13), showing that data-rich sectors remain prime targets. Even smaller verticals such as Construction, Public Administration, and Agriculture recorded incidents, underlining ransomware’s broad reach.

These patterns confirm that while ransomware is a universal threat, groups continue to concentrate on industries with valuable data and operational weaknesses. Recognizing these trends helps organizations anticipate risks and prepare stronger defenses.

Spotlight on Ransomware Indicators

Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.

Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.

By shedding light on MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.

4 - At least one IP address that was part of a botnet, malware propagation, or spam propagation
187 - At least one record found in stealer logs
245 - Use of out-of-date services/products with possible vulnerabilities of high exploitability
278 - At least one credential leaked in the last 90 days
283 - Open RDP or SMB ports publicly visible
301 - At least one possible phishing domain
449 - MX and DNS misconfiguration that may allow spoofing and phishing attacks