
Top 10 Ransomware Groups of 2025

Written by Umut Bayram | Feb 20, 2026 8:38:05 AM

If 2025 proved one thing, it’s that ransomware isn't slowing down. It’s hitting the gas. Global victim counts climbed to 8,159 last year, a spike of over 2,000 cases compared to 2024. It’s a clear signal that cybercriminals are getting sharper, faster, and more aggressive.

So, who is behind these attacks? The landscape is shifting. While established groups like LockBit remain persistent and adaptive, they are no longer the sole dominant force. Qilin has rapidly expanded its operations this year, becoming one of the most active and significant threat actors in the space.

In this report, we analyze the top 10 ransomware groups dominating the 2025 threat landscape and demonstrate how Picus simulates their specific tactics to validate your security controls.

The State of the Ransomware Landscape in 2025

Following a period of steady increase, 2025 marked a significant inflection point. The data indicate an ecosystem that is expanding and evolving rapidly. Rather than incremental growth, a distinct acceleration is observed in cyber extortion activity.

As shown in the chart below, incident volumes have reached new highs. The global victim count for 2025 totaled 8,159, representing an increase of over 2,000 confirmed incidents compared to 2024.

Global Ransomware Incidents by Year (Source: NTT Data Group [1])

This upward trend suggests that while defensive measures are improving, they face challenges in matching the volume of attacks driven by modern Ransomware-as-a-Service (RaaS) platforms. Lower barriers to entry and more aggressive tactics have contributed to this spike.

Analysis of group activity shows a shift in the hierarchy. While Ransomhub and LockBit were previously dominant with 728 and 669 exposures, respectively, the 2025 data reflects a restructuring. Qilin has moved to the top position with 946 exposures, while Akira has also grown significantly, reaching second place with 717 exposures.

Top 10 Ransomware Groups by Exposure Count (2024 vs. 2025) (Source: NTT Data Group [1])

What Are the Top 10 Ransomware Groups of 2025?

1. Qilin

Qilin, also known as "Agenda", is a Ransomware-as-a-Service (RaaS) group that has aggressively expanded its operations to become one of the most prolific threats of 2025. Initially developed in Go, the group has transitioned to a robust Rust-based variant that is harder to analyze and detect. Qilin employs a double-extortion model, stealing sensitive data before encrypting systems to maximize leverage over victims.

Operators frequently gain initial access by exploiting vulnerabilities in public-facing applications such as Fortinet VPNs and Veeam Backup & Replication (CVE-2023-27532). Once inside, they move laterally using tools like PsExec and terminate critical processes (e.g., SQL, Veeam, Sophos) so that open file handles and security software cannot interfere with encryption. Qilin also deletes backups and Volume Shadow Copies before encrypting data with AES-256 in CTR mode or ChaCha20.

The group gained notoriety for a massive attack on Synnovis, a pathology services provider, which disrupted operations at major NHS hospitals in London and came with a $50 million ransom demand.

Picus Threat Library includes the following threats for the Qilin Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
41029 | Agenda Ransomware Campaign Variant - 2 | Windows Endpoint
55934 | Agenda Ransomware Campaign Variant - 1 | Windows Endpoint
22877 | Qilin Ransomware Download Threat | Network Infiltration
90918 | Qilin Ransomware Email Threat | E-mail Infiltration

2. Akira

Akira has evolved from a newcomer into a dominant RaaS operation, extorting an estimated $244 million from victims across North America, Europe, and Australia by late 2025.

The group targets both Windows and Linux environments, including VMware ESXi virtual machines, using a double-extortion tactic. Akira often gains access by exploiting vulnerabilities in Cisco VPNs (e.g., CVE-2020-3259, CVE-2023-20269) and SonicWall devices. They are known for using "living-off-the-land" binaries (LOLBins) and tools like AnyDesk to maintain persistence. The group has heavily targeted the healthcare and transportation sectors, often disabling Windows Shadow Copies via PowerShell to inhibit system recovery.
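Qilin and Akira are both described above as deleting Volume Shadow Copies (via vssadmin or PowerShell) and stopping backup and security services before they encrypt; this sequence is the last reliable point at which an intrusion can be caught before data loss. The following is an added example, not code from the article or from Picus: a small detector that runs rule patterns for ATT&CK T1490 (Inhibit System Recovery) and T1489 (Service Stop) over process-creation events and singles out hosts that show both behaviours. The event dictionaries, hostnames, usernames and command lines are constructed for the example; the field names are assumptions that map to the CommandLine and Computer fields of Sysmon Event ID 1 or Windows Security Event ID 4688 on real telemetry.

```python
"""Flag ransomware pre-encryption commands (shadow copy deletion, backup and
security service termination) in Windows process-creation telemetry.

Added example, not code from the article or from Picus. Events and command
lines are constructed; field names ("host", "user", "cmd") are assumptions.
ATT&CK ids used: T1490 Inhibit System Recovery, T1489 Service Stop.
"""
import re
from dataclasses import dataclass

# Each rule: (ATT&CK technique, short description, compiled command-line pattern).
RULES = [
    ("T1490", "vssadmin shadow copy deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("T1490", "vssadmin shadow storage shrink (forces copies to be dropped)",
     re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b", re.I)),
    ("T1490", "wmic shadow copy deletion",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete\b", re.I)),
    ("T1490", "PowerShell WMI/CIM shadow copy removal",
     re.compile(r"win32_shadowcopy.*(?:\.delete\(\)|remove-(?:cim|wmi)object)", re.I)),
    ("T1490", "wbadmin backup catalog deletion",
     re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+catalog\b", re.I)),
    ("T1490", "Windows recovery environment disabled via bcdedit",
     re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("T1489", "backup/database/security service or process stopped",
     re.compile(r"\b(?:net1?|sc|taskkill)(?:\.exe)?\b.*(?:\bstop\b|/im\b).*"
                r"(?:veeam|sql|sophos|backup|vss)", re.I)),
]

# Constructed sample events: two hosts under attack, one doing routine administration.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:14:03Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-06-01T02:14:05Z", "host": "WS01", "user": "CORP\\jdoe",
     "cmd": 'powershell.exe -nop -c "Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}"'},
    {"ts": "2025-06-01T02:20:41Z", "host": "SRV02", "user": "CORP\\svc_backup",
     "cmd": "wmic.exe shadowcopy delete"},
    {"ts": "2025-06-01T02:20:44Z", "host": "SRV02", "user": "CORP\\svc_backup",
     "cmd": "net stop VeeamBackupSvc"},
    {"ts": "2025-06-01T02:20:46Z", "host": "SRV02", "user": "CORP\\svc_backup",
     "cmd": "taskkill.exe /f /im sqlservr.exe"},
    {"ts": "2025-06-01T02:20:50Z", "host": "SRV02", "user": "CORP\\svc_backup",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    # Benign: an admin lists shadow copies and restarts the print spooler.
    {"ts": "2025-06-01T09:00:00Z", "host": "SRV03", "user": "CORP\\admin",
     "cmd": "vssadmin.exe list shadows"},
    {"ts": "2025-06-01T09:01:12Z", "host": "SRV03", "user": "CORP\\admin",
     "cmd": "net stop spooler"},
]


@dataclass(frozen=True)
class Finding:
    ts: str
    host: str
    user: str
    technique: str
    rule: str
    cmd: str


def scan(events):
    """One Finding per (event, matching rule); an event may hit several rules."""
    return [Finding(ev["ts"], ev["host"], ev["user"], technique, name, ev["cmd"])
            for ev in events
            for technique, name, pattern in RULES
            if pattern.search(ev["cmd"])]


def techniques_by_host(findings):
    """Map host -> set of ATT&CK technique ids observed on it."""
    per_host = {}
    for f in findings:
        per_host.setdefault(f.host, set()).add(f.technique)
    return per_host


def hosts_to_isolate(findings):
    """Hosts showing both recovery inhibition and service stopping. Either alone
    can be an administrator's doing; together, minutes apart, they form the
    pre-encryption sequence described for these groups, so treat the host as
    actively compromised rather than as a single odd command."""
    return sorted(h for h, techs in techniques_by_host(findings).items()
                  if {"T1490", "T1489"} <= techs)


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host:6s} {f.technique} {f.rule}: {f.cmd}")
    print("isolate:", hosts_to_isolate(scan(SAMPLE_EVENTS)))
```

On the sample data the scan yields six findings, WS01 shows only T1490, SRV02 shows both techniques and is the one host returned by `hosts_to_isolate`, and the two SRV03 commands produce nothing. The "list shadows" and "net stop spooler" events are deliberately included: a rule that fired on any vssadmin or net stop invocation would page on ordinary administration, and the per-host technique combination is what raises confidence without waiting for the encryption itself.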

Picus Threat Library includes the following threats for the Akira Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
84668 | Akira Ransomware Download Threat - 1 | Network Infiltration
55812 | Akira Ransomware Email Threat - 1 | E-mail Infiltration
26884 | Akira Ransomware Campaign | Windows Endpoint
77665 | Akira Ransomware Download Threat - 2 | Network Infiltration
56140 | Akira Ransomware Email Threat - 2 | E-mail Infiltration
37780 | Megazord Ransomware Download Threat | Network Infiltration
92400 | Megazord Ransomware Email Threat | E-mail Infiltration

3. Cl0p

Cl0p (or Clop) is a sophisticated ransomware variant linked to the financially motivated TA505 threat group. In 2025, Cl0p continued its trend of aggressive zero-day exploitation, shifting significantly toward pure data theft and extortion without always deploying encryption payloads.

Cl0p is infamous for exploiting file transfer software vulnerabilities, such as MOVEit Transfer (CVE-2023-34362) and GoAnywhere MFT, to compromise networks. The malware attempts to disable security software and terminate database processes to avoid file-locking issues during encryption.

Recent campaigns have focused on large-scale data harvesting from enterprise file transfer systems, affecting hundreds of organizations globally.

Picus Threat Library includes the following threats for the Cl0p Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
78610 | Cl0p Ransomware Campaign | Linux Endpoint
20540 | Cl0p Ransomware Campaign | Windows Endpoint
51219 | Cl0p Ransomware Download Threat | Network Infiltration
30539 | Cl0p Ransomware Email Threat | E-mail Infiltration
76380 | TA505 Ransomware Campaign | Windows Endpoint
39011 | TA505 Threat Group Campaign Malware Download Threat - 3 | Network Infiltration
84006 | TA505 Threat Group Campaign Malware Email Threat - 3 | E-mail Infiltration
72220 | TA505 Threat Group Campaign Malware Email Threat - 2 | E-mail Infiltration
66431 | TA505 Threat Group Campaign Malware Download Threat - 2 | Network Infiltration
93777 | TA505 Threat Group Campaign Malware Email Threat - 1 | E-mail Infiltration
41761 | TA505 Threat Group Campaign Malware Download Threat - 1 | Network Infiltration
93517 | TA505 Threat Group Campaign Malware Downloader Email Threat | E-mail Infiltration
76083 | TA505 Threat Group Campaign Malware Downloader Download Threat | Network Infiltration

4. Play

Play (also known as PlayCrypt) is a closed ransomware group known for its "greed" and refusal to set an initial ransom demand, instead forcing victims to email them for negotiation. The group targets a wide range of industries, including telecommunications and critical infrastructure.

Play ransomware operators use legitimate tools like Cobalt Strike and AdFind for lateral movement and discovery. They are also known for creating scheduled tasks for persistence. The ransomware utilizes an intermittent encryption scheme with a generic RSA-AES hybrid cryptosystem to encrypt files in chunks for speed and maximum impact.

The group has impacted over 300 entities worldwide, using double extortion to threaten the release of exfiltrated data if payment is not made.
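Play's intermittent encryption, mentioned above, encrypts only part of each file, so a whole-file entropy check (a common "does this look encrypted" heuristic) can stay under its threshold while the file is already unusable. The added example below, which is not code from the article or from Picus, scans a file in fixed-size windows instead and classifies it by the pattern of high- and low-entropy windows. The sample files are built in memory (repeated English text, with deterministic pseudo-random bytes standing in for ciphertext), and the window size, entropy threshold and transition count are assumptions to tune against your own file corpus.

```python
"""Chunked-entropy scan that exposes intermittent (partial) file encryption.

Added example, not code from the article or from Picus. Sample files are
constructed in memory; CHUNK, HIGH and MIN_TRANSITIONS are assumed tuning
values, not figures from the article.
"""
import math
import random
from dataclasses import dataclass

CHUNK = 1024          # analysis window in bytes
HIGH = 7.5            # bits/byte at or above which a window looks encrypted or compressed
MIN_TRANSITIONS = 4   # low<->high flips before the pattern is called "intermittent"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the empirical byte distribution in `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class Report:
    n_chunks: int
    high_chunks: int
    transitions: int
    whole_file_entropy: float
    verdict: str


def analyze(data: bytes, chunk: int = CHUNK, high: float = HIGH) -> Report:
    """Classify `data` by the layout of high-entropy windows, not by one global value."""
    windows = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    flags = [shannon_entropy(w) >= high for w in windows]
    transitions = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    high_chunks = sum(flags)
    if high_chunks == 0:
        verdict = "plain"
    elif high_chunks == len(flags):
        verdict = "uniform_high"      # fully encrypted OR compressed/media: check file magic
    elif transitions >= MIN_TRANSITIONS:
        verdict = "intermittent"      # alternating high/low runs: partial encryption likely
    else:
        verdict = "mixed"             # e.g. one embedded compressed blob: low confidence
    return Report(len(flags), high_chunks, transitions, shannon_entropy(data), verdict)


# --- constructed sample files -------------------------------------------------
_TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]   # ~4.4 bits/byte


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic stand-in for ciphertext (near 8 bits/byte, reproducible)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


def sample_plain() -> bytes:
    return _TEXT * 16


def sample_fully_encrypted() -> bytes:
    return _pseudo_random(4096 * 16, seed=1)


def sample_intermittent() -> bytes:
    """16 segments of 4 KiB; every other segment replaced by ciphertext-like bytes."""
    return b"".join(_pseudo_random(4096, seed=i) if i % 2 else _TEXT for i in range(16))


def sample_embedded_blob() -> bytes:
    """Plain text with one high-entropy segment in the middle (an embedded image, say)."""
    return _TEXT * 7 + _pseudo_random(4096, seed=99) + _TEXT * 8


if __name__ == "__main__":
    for name, build in [("plain", sample_plain), ("encrypted", sample_fully_encrypted),
                        ("intermittent", sample_intermittent), ("blob", sample_embedded_blob)]:
        r = analyze(build())
        print(f"{name:12s} chunks={r.n_chunks:3d} high={r.high_chunks:3d} "
              f"flips={r.transitions:2d} whole={r.whole_file_entropy:.2f} -> {r.verdict}")
```

The intermittent sample is the instructive case: half of its bytes are ciphertext-like, yet its whole-file entropy lands around 7 bits/byte, below the 7.5 threshold that a single-value check would use, while the window scan sees 32 high-entropy windows and 15 low/high transitions and reports "intermittent". The embedded-blob sample shows why the transition count matters: a document with one compressed attachment also has a high-entropy region but only two transitions, so it is reported as "mixed" rather than raising the same alarm.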

Picus Threat Library includes the following threats for the Play Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
28161 | Play Ransomware Download Threat | Network Infiltration
38463 | Play Ransomware Email Threat | E-mail Infiltration
95549 | Play Ransomware Campaign | Windows Endpoint
26269 | Grixba Infostealer Download Threat | Network Infiltration
97002 | Grixba Infostealer Email Threat | E-mail Infiltration
89123 | SystemBC Hacking Tool Download Threat | Network Infiltration
87103 | SystemBC Hacking Tool Email Threat | E-mail Infiltration

5. INC Ransom

INC Ransom is a multi-extortion threat group that emerged in July 2023 and targets the healthcare, education, and industrial sectors. They act as a "service provider," offering to "save" the victim's reputation in exchange for payment.

The group relies heavily on legitimate administrative tools (LOLBins) like WMIC, PsExec, and Netscan to move laterally and avoid detection. They frequently exploit Citrix NetScaler vulnerabilities (CVE-2023-3519) for initial access. INC Ransom is known for physically printing ransom notes on the victim's connected printers to induce panic.

Picus Threat Library includes the following threats for the INC Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
50441 | INC Ransomware Download Threat | Network Infiltration
50265 | INC Ransomware Email Threat | E-mail Infiltration

6. SafePay

SafePay is a centralized ransomware group that emerged in late 2024, distinguishing itself by operating as a closed group rather than a RaaS model. This structure allows them to maintain strict operational security and execute attacks with devastating speed, often completing the encryption phase within 24 hours of access.

SafePay typically gains access via compromised credentials on VPNs or RDP, or by exploiting misconfigured firewalls. They use a unique "kill switch" that terminates the malware if a Cyrillic keyboard layout is detected.

The group targets MSPs and industrial sectors, using a double extortion strategy that targets financial records and intellectual property.

Picus Threat Library includes the following threats for the SafePay Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
25266 | SafePay Ransomware Campaign | Windows Endpoint

7. Lynx

Lynx is widely considered a rebranded and more advanced version of the INC Ransom group, surfacing in mid-2024. It operates as a RaaS and targets the retail, real estate, and financial sectors in the US and UK.

Lynx shares source code with INC Ransom but introduces multi-threaded encryption for speed, using AES and Elliptic Curve Cryptography. It uses advanced evasion techniques, such as terminating backup services and security processes, and employs a double extortion model.

Notable victims include the energy supplier Electrica and major legal firms, disrupting operations and compromising sensitive client data.

Picus Threat Library includes the following threats for the Lynx Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
69591 | Lynx Ransomware Download Threat | Network Infiltration
67755 | Lynx Ransomware Email Threat | E-mail Infiltration

8. RansomHub

RansomHub, formerly known as Cyclops and Knight, established itself as a major threat in 2024 and 2025, targeting critical infrastructure like water systems and healthcare. It recruits affiliates from other defunct groups like LockBit and ALPHV, expanding its reach significantly.

The group exploits critical vulnerabilities such as Zerologon (CVE-2020-1472) and uses tools like EDRKillShifter, which loads a vulnerable driver (a BYOVD attack) to disable endpoint defenses. They exfiltrate data using Rclone before deploying encryption with robust cryptography such as Curve25519.

RansomHub operates a highly active data leak site and has been linked to attacks on critical sectors, causing massive disruptions.

Picus Threat Library includes the following threats for the RansomHub Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
49514 | RansomHub Threat Group Campaign Malware Download Threat | Network Infiltration
95478 | RansomHub Threat Group Campaign Malware Email Threat | E-mail Infiltration
32322 | EDRKillShifter Hacking Tool Download Threat | Network Infiltration
78269 | EDRKillShifter Hacking Tool Email Threat | E-mail Infiltration
24872 | RansomHub Ransomware Campaign | Windows Endpoint
72426 | RansomHub Ransomware Download Threat | Network Infiltration
55745 | RansomHub Ransomware Email Threat | E-mail Infiltration

9. DragonForce

DragonForce is a ransomware "cartel" that emerged in late 2023, offering a white-label RaaS model where affiliates can brand attacks as their own. The group is purely financially motivated and has recently focused on high-profile retail targets.

DragonForce affiliates often use social engineering and valid accounts for initial access. They deploy Cobalt Strike for command and control and use "Bring Your Own Vulnerable Driver" (BYOVD) techniques to neutralize AV/EDR solutions.

In 2025, DragonForce was linked to major breaches at UK retailers Marks & Spencer and Co-op, causing widespread operational outages.

Picus Threat Library includes the following threats for the DragonForce Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
25764 | DragonForce Ransomware Download Threat | Network Infiltration
22466 | DragonForce Ransomware Email Threat | E-mail Infiltration
81422 | DragonForce Ransomware Campaign | Windows Endpoint
30510 | DEVMAN Threat Group Campaign | Windows Endpoint

10. Babuk2

The original Babuk ransomware, identified in early 2021, established itself as a formidable threat by targeting large enterprises through a Ransomware-as-a-Service (RaaS) model. Known for its cross-platform capabilities, it targeted both Windows and ESXi environments using a "double extortion" tactic where data was stolen prior to encryption.

To ensure maximum impact, the malware aggressively terminated services and processes related to backups and security software, and deleted Windows Shadow Copies to prevent recovery. It also utilized the Windows Restart Manager API to close open file handles, ensuring files could be overwritten, and employed robust cryptography like ChaCha8 or HC-128 combined with Elliptic-curve Diffie-Hellman (ECDH) for key exchange.

However, the "Babuk Locker 2.0" campaign observed in 2025 represents a deceptive operation rather than a genuine return of the original group. Technical analysis confirms that this new payload is actually a rebranded compilation of LockBit 3.0 ransomware, utilized by impostors likely associated with groups like "Skywave" and "Bjorka" to capitalize on the notorious brand name. Instead of novel attacks, these actors largely rely on "re-extortion" tactics, attempting to intimidate victims using recycled data from historical breaches or cross-claims from other active groups.

Picus allows organizations to validate their defenses against this dual threat by simulating both the original Babuk malware and the LockBit 3.0 payload used in the 2025 deception. Picus Threat Library includes the following threats for the Babuk/LockBit 3.0 Ransomware Attacks:

Threat ID | Threat Name | Attack Module
--- | --- | ---
89603 | LockBit 3.0 Ransomware Download Threat - 2 | Network Infiltration
22700 | LockBit 3.0 Ransomware Email Threat - 2 | E-mail Infiltration
37360 | Babuk Ransomware Email Threat | E-mail Infiltration
35512 | Babuk Ransomware Downloader Email Threat | E-mail Infiltration
99381 | Babuk Locker Ransomware Email Threat | E-mail Infiltration
82682 | Babuk Locker Ransomware Download Threat | Network Infiltration
40913 | Babuk Ransomware Downloader Download Threat | Network Infiltration

Key Takeaways

  • The number of ransomware victim organizations globally reached 8,159 in 2025, an increase of more than 2,000 cases compared to the previous year.
  • While the influence of groups like LockBit has waned, aggressive new players such as Qilin have taken the lead, with Qilin becoming the most active threat actor of the year using a robust Rust-based variant.
  • Sophisticated groups like Cl0p are prioritizing pure data theft and extortion by exploiting zero-day vulnerabilities in file transfer software, often without deploying encryption payloads.
  • New actors like SafePay are distinguishing themselves by operating as closed groups rather than using a Ransomware-as-a-Service model, allowing for stricter operational security and faster execution.
  • Picus allows organizations to validate defenses against these top ransomware groups by simulating specific attack modules, including network infiltration and endpoint attacks, available in the Picus Threat Library.

References

[1] Impress Corporation, "Double extortion is now the mainstream attack, and the abuse of generative AI also warrants attention: NTT DATA Group's Arai on the latest trends in ransomware attacks," Cloud Watch. Accessed: Feb. 10, 2026. [Online]. Available: https://cloud.watch.impress.co.jp/docs/special/2080850.html#01_l.jpg