The ransomware landscape continues to evolve rapidly in 2025, with cybercriminal groups showing no signs of slowing down.
This week’s threat update highlights the top eight most active ransomware groups, with RansomHub maintaining its lead at 235 confirmed attacks, closely followed by CLOP with 232. These two continue to dominate the scene with relentless operations.
Akira remains a formidable force with 172 attacks, while Qilin has emerged as a group to watch, surging to 148 attacks in recent weeks. This spike in Qilin’s activity signals a potential rise to the top, as their aggressive tactics and expanding victim list push them closer to the leading pack.
Groups like Lynx (108 attacks) and Play (102 attacks) remain consistent in their campaigns, often targeting critical infrastructure and enterprise networks.
Meanwhile, INC has shown an upward trend, now standing at 80 attacks, indicating growing capabilities and reach. In contrast, SafePay, with 79 attacks, has seen a slight dip in its operations.
This shifting threat landscape underscores the urgent need for organizations to strengthen their cyber defenses and enhance ransomware preparedness.
As groups like Qilin accelerate their operations, the risk to public and private sectors increases. Continuous monitoring, threat intelligence sharing, and proactive incident response strategies are more essential than ever.
With the ransomware ecosystem becoming increasingly complex, staying informed and agile is key to minimizing impact and ensuring digital resilience in the face of rising cyber threats.