Ransomware Report May 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the May 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 418 ransomware incidents this month.

Geographic Distribution

The United States accounted for the highest number of attacks with 209 victims. Germany (31) and Canada (27) followed, along with notable activity in Spain (15), the United Kingdom (11), and Italy (11).

Threat Actor Activity

SafePay was the most active group with 72 disclosed victims, followed by Qilin (63), Play (50), and Akira (34).

INC Ransom (17) and Lynx (15) continued to show consistent activity, while Stormous, Medusa, and Rhysida each recorded 10 to 11 victims.

RansomHub, which had been among the top threat actors in previous months, disappeared entirely from the May data—marking a significant shift after their cryptic “RIP” messages and leaving their future uncertain.

Industry Impact

The most targeted sectors were Manufacturing (93), Professional, Scientific, and Technical Services (76), and Construction (41).

BRITE continues to monitor ransomware activity each month to provide organizations with insight into the shifting threat landscape.

RANSOMWARE THREAT ANALYSIS

Ransomware Perpetrators Unmasked!

In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.

In May 2025, SafePay led the pack with 72 victims, followed closely by Qilin (63), Play (50), and Akira (34). Together, these groups accounted for the majority of reported incidents.

Beyond the top tier, actors like INC Ransom (17), Lynx (15), Stormous (11), Medusa (11), and Rhysida (10) also played active roles—demonstrating the ecosystem’s diversity and volatility.

Meanwhile, RansomHub, once a dominant player, vanished entirely from the data after its cryptic “RIP” messages, leaving uncertainty about its fate.

These shifts show how quickly leadership in the ransomware landscape can change, reinforcing the need for continuous monitoring and adaptive defenses.

Geographic Hotspots of Ransomware

Global Reach: Tracing Ransomware’s Impact Across Nations

In May 2025, the United States remained the epicenter of ransomware activity with 209 incidents, accounting for half of the global total. Germany (31) and Canada (27) followed, while Spain (15), the United Kingdom (11), and Italy (11) also recorded notable cases.

These patterns show that North America and Europe continue to be the prime hunting grounds for ransomware groups, reflecting both the financial rewards and the digital maturity of these economies.

Still, motivations vary. Some groups chase profits, while others avoid certain regions for political or nationalistic reasons. This blend of motives makes ransomware targeting unpredictable, reinforcing the need for global vigilance and cooperation.

Industry Breakdown

The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.

Not all industries are targeted equally. In May 2025, Manufacturing was the hardest-hit sector with 93 incidents, followed by Professional, Scientific, and Technical Services (76) and Construction (41).

Other impacted industries included Wholesale Trade, Healthcare, and Retail, showing that ransomware groups continue to pressure both critical and consumer-facing sectors.

While some industries absorb the heaviest blows, no sector is immune. These patterns confirm that attackers look for valuable data and operational leverage wherever they can find it, making cross-industry vigilance essential.

Geographical Preferences of Ransomware Groups

The geographical focus of ransomware groups reveals strategic patterns and preferences.

In May 2025, the United States was once again the primary target with 209 incidents, driven largely by Qilin (39), Play (35), SafePay (31), and Akira (18).

Germany (31) followed, with SafePay (18) leading most of the activity. Canada (27) saw steady pressure from Play (7), Qilin (5), and Rhysida (2). Spain (15), Italy (11), and the UK (11) also recorded notable attacks, showing ransomware’s continued concentration in North America and Europe.

Smaller but consistent cases were reported across Brazil, Japan, Australia, France, Singapore, and Malaysia, confirming ransomware’s wide global footprint.

These patterns highlight both the dominance of major groups like SafePay, Qilin, and Play, and the persistent spread of attacks across multiple regions.

Ransomware Strikes: Industry-wide

Ransomware threats are industry-agnostic, but some sectors attract more attention than others.

In May 2025, Manufacturing (93 incidents) was the most targeted sector, driven by Play (18), Qilin (14), SafePay (13), and Akira (9). Professional, Scientific, and Technical Services (76) followed, with pressure from SafePay (16), Qilin (12), and Akira (11). Construction (41) also faced heavy activity, largely from SafePay (9) and Play (7).

Other sectors such as Healthcare (19), Wholesale Trade (17), and Education (15) recorded steady attacks, while industries like Finance, Information, and Retail also remained on the radar of groups including SafePay, Qilin, and INC Ransom.

These patterns confirm ransomware’s wide reach but also its clear focus on industries with high-value data and operational impact.

Spotlight on Ransomware Indicators

Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.

Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.

By shedding light on MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.

At least one IP address that was part of a botnet, malware propagation, or spam propagation: 4
At least one record found in stealer logs: 128
Use of out-of-date services/products with possible vulnerabilities of high exploitability: 158
At least one credential leaked in the last 90 days: 166
Open RDP or SMB ports publicly visible: 187
At least one possible phishing domain: 202
MX and DNS misconfiguration that may allow spoofing and phishing attacks: 303
