The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Video Transcript
Ransomware:
2025's Q3 saw 1529 ransomware and data extortion attacks, up 2.7% from Q2's 1488 attacks. This number is still a significant drop from Q1, where we observed 2461 attacks. This demonstrates that overall activity remains high despite the fluctuations and variability in recorded activity. We are also seeing continued growth in the number of active ransomware groups: this quarter it is up to 77 groups, up from 66 at the start of the year. Ransomware is still persistent, and this is largely due to the number of smaller affiliates operating under RaaS models.
This upward trend demonstrates how the ransomware ecosystem adapts rather than declines under pressure. Law enforcement disruptions, infrastructure seizures, and internal fractures within major syndicates have not reduced activity; instead, they have driven fragmentation, producing more independent and short-lived operations. Many new groups rely on ransomware-as-a-service platforms, allowing affiliates to launch more disruptive attacks at a higher volume than a single group alone.
For executives, this pattern signals that ransomware remains a systemic threat, not a passing phase. The threat landscape is becoming broader, faster-moving, and more decentralized, demanding continuous visibility and rapid response across digital supply chains.
The top five groups this quarter are:
- Qilin with 230 attacks
- Akira with 155
- IncRansom at 125
- Play with 96
- DragonForce at 60
Combined, these top five groups represent almost 44% of all recorded incidents this quarter.
Looking from a geographical perspective, the US remained the primary target for ransomware and extortion operations, with 49% of all attacks targeting organizations based in the US. For reference, the second most active country is Germany, with only 5% of the total attack volume.
Looking from an industry standpoint, Manufacturing was the most targeted industry with 184 attacks, followed by the Tech sector at 14. Construction and Healthcare are joint third with 111 incidents each, followed by Legal and Finance, both with 100 attacks each. This data shows that there is continued pressure on organizations in sectors with high data value and potential for operational disruption.
The Qilin group, who were the most prolific group this quarter, were also the most active in 5 of the 6 top industries. Their broad victim profile reflects a strategy focused on disruption across essential and data-rich sectors rather than specialization in one field. Qilin's sustained presence across critical industries positions them as one of the most significant threats in the current ransomware landscape, underlining how the attack economy continues to expand despite ongoing global disruption efforts.
In the full report, we include a breakdown of the groups that target each of the top industries that experienced ransomware and data extortion attacks this quarter. We also take a look at the NPM supply chain attack from September, ToolShell, and the alleged attack by ShinyHunters against Salesforce customers.