The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Review Q2’s research here.
Video Transcript
Introduction
Ransomware activity in Q2 of 2025 showed a significant decline compared to the previous quarter. We observed a total of 1488 successful ransomware attacks between April 1st and June 30th, compared to the 2461 we observed in Q1. This represents a 40% decline in activity. Despite the reduction, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during Q2.
We observed a total of 75 ransomware groups operating within Q2, up from 74 in Q1. This quarter there appears to have been a focus on sectors that are sensitive to operational disruption: healthcare and manufacturing were two of the top three industries hit, while education, government and energy all showed growth as well, to a smaller degree.
Qilin is the threat actor with the most successful ransomware attacks this quarter, with 176 in total, followed by Akira with 139 and Play with 124. Qilin was most active within the healthcare and technology sectors.
While Cl0p was extremely active last quarter, they have not been as active recently. This may be because they are still working through the backlog of victims from exploiting Cleo Harmony back in February.
Lockbit Updates
In recent months, two major ransomware groups were quietly hacked, and both attacks featured the same message: “Don’t do crime, xoxo from Prague.” No one has come forward to take responsibility.
In April, the Everest group's leak site was defaced, and then in May LockBit's affiliate panel was also defaced with the same odd message. The LockBit breach also leaked internal data and crypto wallet addresses.
Theories are circulating that it may have been a rival gang or law enforcement; however, no one has officially taken credit for either attack, and both were very likely carried out by the same individual (or group!).
Healthcare
Between April 1 and June 30, 2025, the healthcare sector experienced 95 ransomware attacks, making it the third most targeted industry during this period, following manufacturing (157) and technology (136).
Across the broader ransomware landscape, a healthcare organization is now hit with a successful attack roughly every 22 hours. Groups like Qilin continue to exploit healthcare's operational urgency, pressuring victims to pay quickly to avoid disruptions to patient care or exposure of patient data.
The impact of each incident tends to be disproportionately high compared to other industries, leading to care delays, system outages, and regulatory complications.
Qilin:
Qilin have been the most prolific group this quarter, primarily targeting high-impact and operationally critical industries.
Manufacturing led all sectors, followed by Technology and Healthcare, reflecting Qilin’s focus on data-sensitive and disruption-prone environments. Transportation/Logistics and Education were also notable targets.
A full breakdown of their operational target industries can be seen in the full report.
Qilin have demonstrated consistent growth throughout the first half of 2025, with attack volumes rising steadily each month. Starting with a relatively low number of incidents in January, activity nearly doubled by February and remained stable through March and April. A sharp increase followed in May, and June marked the group’s most active month to date, with over 75 recorded attacks.
The vulnerabilities we have observed the group using are as follows:
- CVE-2023-4966, aka CitrixBleed
- CVE-2023-27532, a credential-access vulnerability in Veeam Backup
- CVE-2025-31161, an authentication bypass in CrushFTP
- CVE-2025-31324 in SAP NetWeaver (which, interestingly, was exploited at least 3 weeks before public disclosure, showing that the group had early access to a 0-day)
- CVE-2025-32756, which allows unauthenticated RCE in several Fortinet products
The full list of exploited vulnerabilities is also available in the report, along with a breakdown of their currently active infrastructure.
Q2 Conclusion
The second quarter of 2025 marked a complex and transitional period in the ransomware landscape. While overall attack volume declined significantly, threat activity remained widespread, with critical sectors such as healthcare, government, and education continuing to face sustained pressure. Despite the slowdown in raw numbers, the frequency of attacks and the strategic focus of top ransomware groups indicate that the threat remains both adaptive and persistent.
Qilin emerged as the most active ransomware group this quarter, steadily increasing its operations and overtaking previously dominant groups such as Cl0p. Their consistent targeting of high-impact industries, exploitation of newly disclosed vulnerabilities, and technical adaptability demonstrate a clear evolution in capability and reach. At the same time, the temporary absence of Cl0p from the top rankings, despite its history of impactful, exploit-driven campaigns, highlights the cyclical and opportunistic nature of ransomware group activity.
Sectors like healthcare continue to experience frequent and damaging incidents, underscoring the need for targeted resilience strategies. Meanwhile, the recent breaches of ransomware infrastructure, such as the defacements of Everest and LockBit, show that threat actors themselves are not immune to disruption, though the sources of these countermeasures remain unknown.
In summary, Q2 2025 presented fewer attacks overall, but increased complexity in attacker behavior, tooling, and targeting. Organizations must remain proactive, adaptable, and intelligence-driven in their defensive strategies as ransomware continues to evolve.