Linthicum Heights, MD – July 17th, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that Q2 2025 witnessed a significant drop in ransomware activity compared to Q1.

According to CyberMaxx research, 1,488 attacks were recorded in Q2 (April-June), representing a 40% decrease from the 2,461 attacks in Q1 (January-March). Despite this drop, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 41 minutes during the second quarter.

There were 75 active ransomware groups in Q2, a slight increase from 74 in Q1. However, the number of attacks per group has dropped from 33.2 to 19.8. This could reflect shifts in law enforcement pressure, infrastructure disruptions, or changes in attacker strategy.

With 176 attacks, Qilin has overtaken Cl0p as the most active ransomware group. It is followed by Akira (139 attacks), Play (124 attacks), Safepay (101 attacks), and Dragonforce (73 attacks).

Cl0p has now dropped from the list of most active ransomware groups, following intense activity in early 2025 and a sharp decline since March. This highlights the cyclical and opportunistic nature of ransomware group activity.

Qilin has been steadily growing throughout the first half of 2025, indicating an expansion of operational capacity and increased aggressiveness in target selection. Qilin’s sustained growth demonstrates how some ransomware groups expand their reach even as overall attacks decline, highlighting the group’s rise as a dominant threat actor.

Manufacturing (157 attacks, approximately one every 13.6 hours), technology (136 attacks, approximately one every 16 hours), and healthcare (95 attacks, approximately one every 22.5 hours) were the most targeted industries in Q2.

Although healthcare experiences fewer attacks than some other sectors, each incident can cause significant harm, including care delays, outages, and regulatory issues. Persistent attacks on healthcare highlight its vulnerability stemming from the urgency of its operations, the sensitivity of its data, and the prevalence of outdated systems. Attackers often exploit this vulnerability with double extortion, forcing organizations to pay quickly to avoid disruptions.

While Q2 2025 saw a decrease in overall attacks, it also revealed more complex tactics, tools, and targeting methods employed by attackers. As ransomware continues to evolve, organizations must remain proactive, adaptable, and informed to defend effectively.

CyberMaxx’s cyber research team regularly investigates threats independently. These efforts aim to build shared knowledge across the cybersecurity community.

Access the full Ransomware Research Report here: https://www.cybermaxx.com/q2-2025-ransomware-research-report/

About CyberMaxx

CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing. For more information, visit: https://www.cybermaxx.com/

CyberMaxx Media Contact

John Pinkham
jpinkham@cybermaxx.com