Black Kite is a finalist in the 2026 SC Awards for continued innovation and leadership in third-party cyber risk intelligence.Learn more

Ransomware Report May 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the May 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 418 ransomware incidents this month.

Geographic Distribution

The United States accounted for the highest number of attacks with 209 victimsGermany (31) and Canada (27) followed, along with notable activity in Spain (15), the United Kingdom (11), and Italy (11).

Threat Actor Activity

SafePay was the most active group with 72 disclosed victims, followed by Qilin (63)Play (50), and Akira (34).

INC Ransom (17) and Lynx (15) continued to show consistent activity, while StormousMedusa, and Rhysida each recorded 11 to 10 victims.

RansomHub, which had been among the top threat actors in previous months, disappeared entirely from the May data—marking a significant shift after their cryptic “RIP” messages and leaving their future uncertain.

Industry Impact

The most targeted sectors were Manufacturing (93)Professional, Scientific, and Technical Services (76), and Construction (41).

BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape.

At least one IP address that was part of a botnet, malware propagation, or spam propagation
4
At least one record found in stealer logs
128
Use of out-of-date services/products with possible vulnerabilities of high exploitability
158
At least one credential leaked in the last 90 days
166
Open RDP or SMB ports publicly visible
187
At least one possible phishing domain
202
MX and DNS misconfiguration that may allow spoofing and phishing attacks
303

01Threat Actor Distribution

  • SafePay accounted for 72 victims, representing 17.2% of total activity.
  • Qilin followed with 63 disclosures.
  • Play and Akira remained consistently active.

02Geographic Distribution

  • United States of America represented 50% of all tracked victims.
  • Others was among the next most impacted countries.
  • Germany and Canada also saw notable activity.

03Industry Distribution

  • Manufacturing remained the most targeted sector.
  • Professional, Scientific, and Technical Services followed as a heavily impacted sector.
  • Construction and Health Care continued to be operationally critical targets.

04Threat Actor × Country Matrix

The matrix below shows how leading ransomware groups distributed their activity geographically.

Others
J group
Rhysida
Medusa
Stormous
Lynx
INC Ransom
Akira
Play
Qilin
SafePay
USA
54
1
3
11
1
11
5
18
35
39
31
Germany
4
1
1
3
2
1
1
18
Canada
7
2
2
1
7
5
3
Spain
9
2
3
1
Italy
7
1
2
1
UK
4
1
1
1
1
3
Brazil
4
2
3
Japan
2
1
1
2
1
Australia
1
1
1
2
1
France
1
4
Czech Republic
1
1
1
1
Malaysia
2
1
1
Singapore
1
2
1
Switzerland
1
1
1
1
Others
28
5
1
6
1
4
6
4
5
11
  • USA activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

05Threat Actor × Industry Matrix

This view highlights sector specialization across leading ransomware groups.

Others
J group
Rhysida
Medusa
Stormous
Lynx
INC Ransom
Akira
Play
Qilin
SafePay
Professional, Scientific, and Technical Services
17
3
1
2
4
2
11
8
12
16
Manufacturing
29
1
2
1
4
2
9
18
14
13
Construction
12
3
1
4
7
5
9
Other Services (except Public Administration)
7
1
1
2
1
2
7
Wholesale Trade
6
1
1
3
5
5
Health Care and Social Assistance
5
2
1
5
5
5
Educational Services
5
1
1
1
1
5
4
Transportation and Warehousing
4
1
1
3
4
2
4
Administrative and Support and Waste Management and Remediation Services
2
1
1
1
2
Information
6
1
1
3
1
2
Finance and Insurance
9
1
1
2
2
2
Mining
2
1
Management of Companies and Enterprises
1
1
1
Public Administration
5
1
1
1
4
1
Agriculture, Forestry, Fishing and Hunting
1
1
1
Utilities
2
1
1
Arts, Entertainment, and Recreation
1
1
1
1
Retail Trade
5
1
2
1
1
Real Estate Rental and Leasing
5
1
2
2
1
Accommodation and Food Services
2
1
10
1
1
2
  • Manufacturing activity was heavily concentrated in Others.
  • Some actors demonstrated narrow targeting patterns.

06Six Month Trend Context

07Key Takeaways

  • 418 ransomware disclosures were observed in May 2025.
  • SafePay led activity with 72 victims.
  • United States of America accounted for 50% of disclosures.
  • Manufacturing remained the most targeted industry.

08Data Methodology and Sources

  • Victim counts are based on publicly disclosed ransomware leak site postings tracked during the reporting period.
  • Each victim is attributed to a single threat actor based on disclosure source.
  • Industry classification is assigned using standardized sector mapping.
  • Country attribution is based on headquarters location where identifiable.

Accelerate Risk Decisions, Cut the Noise.

Join leading teams using Black Kite to slash assessment timelines, eliminate manual reviews, and onboard vendors with confidence.