Welcome to the May 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 418 ransomware incidents this month.
The United States accounted for the highest number of attacks with 209 victims. Germany (31) and Canada (27) followed, along with notable activity in Spain (15), the United Kingdom (11), and Italy (11).
SafePay was the most active group with 72 disclosed victims, followed by Qilin (63), Play (50), and Akira (34).
INC Ransom (17) and Lynx (15) continued to show consistent activity, while Stormous, Medusa, and Rhysida each recorded 10 to 11 victims.
RansomHub, which had been among the top threat actors in previous months, disappeared entirely from the May data—marking a significant shift after their cryptic “RIP” messages and leaving their future uncertain.
The most targeted sectors were Manufacturing (93), Professional, Scientific, and Technical Services (76), and Construction (41).
BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape.
In May 2025, SafePay led the pack with 72 victims, followed closely by Qilin (63), Play (50), and Akira (34). Together, these groups accounted for the majority of reported incidents.
Beyond the top tier, actors like INC Ransom (17), Lynx (15), Stormous (11), Medusa (11), and Rhysida (10) also played active roles—demonstrating the ecosystem’s diversity and volatility.
Meanwhile, RansomHub, once a dominant player, vanished entirely from the data after its cryptic “RIP” messages, leaving uncertainty about its fate.
These shifts show how quickly leadership in the ransomware landscape can change, reinforcing the need for continuous monitoring and adaptive defenses.
In May 2025, the United States remained the epicenter of ransomware activity with 209 incidents, accounting for half of the global total. Germany (31) and Canada (27) followed, while Spain (15), the United Kingdom (11), and Italy (11) also recorded notable cases.
These patterns show that North America and Europe continue to be the prime hunting grounds for ransomware groups, reflecting both the financial rewards and the digital maturity of these economies.
Still, motivations vary. Some groups chase profits, while others avoid certain regions for political or nationalistic reasons. This blend of motives makes ransomware targeting unpredictable, reinforcing the need for global vigilance and cooperation.
Not all industries are targeted equally. In May 2025, Manufacturing was the hardest-hit sector with 93 incidents, followed by Professional, Scientific, and Technical Services (76) and Construction (41).
Other impacted industries included Wholesale Trade, Healthcare, and Retail, showing that ransomware groups continue to pressure both critical and consumer-facing sectors.
While some industries absorb the heaviest blows, no sector is immune. These patterns confirm that attackers look for valuable data and operational leverage wherever they can find it, making cross-industry vigilance essential.
In May 2025, the United States was once again the primary target with 209 incidents, driven largely by Qilin (39), Play (35), SafePay (31), and Akira (18).
Germany (31) followed, with SafePay (18) leading most of the activity. Canada (27) saw steady pressure from Play (7), Qilin (5), and Rhysida (2). Spain (15), Italy (11), and the UK (11) also recorded notable attacks, showing ransomware’s continued concentration in North America and Europe.
Smaller but consistent cases were reported across Brazil, Japan, Australia, France, Singapore, and Malaysia, confirming ransomware’s wide global footprint.
These patterns highlight both the dominance of major groups like SafePay, Qilin, and Play, and the persistent spread of attacks across multiple regions.
In May 2025, Manufacturing (93 incidents) was the most targeted sector, driven by Play (18), Qilin (14), SafePay (13), and Akira (9). Professional, Scientific, and Technical Services (76) followed, with pressure from SafePay (16), Qilin (12), and Akira (11). Construction (41) also faced heavy activity, largely from SafePay (9) and Play (7).
Other sectors such as Healthcare (19), Wholesale Trade (17), and Education (15) recorded steady attacks, while industries like Finance, Information, and Retail also remained on the radar of groups including SafePay, Qilin, and INC Ransom.
These patterns confirm ransomware’s wide reach but also its clear focus on industries with high-value data and operational impact.
Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.
By examining three indicators among this month's victims (MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain), we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.