New Report from GuidePoint Research and Intelligence Team (GRIT) Reveals 45% YoY Rise in Active Ransomware Groups
RESTON, Va.–(BUSINESS WIRE)–#RaaS—GuidePoint Security, a cybersecurity solutions leader enabling organizations to make smarter decisions and minimize risk, announced today the release of its quarterly Ransomware & Cyber Threat Report from the GuidePoint Research and Intelligence Team (GRIT).
Covering the second quarter of 2025, the new GRIT Q2 2025 Ransomware & Cyber Threat Report offers exclusive in-depth analysis of the evolving Ransomware as a Service (RaaS) ecosystem, threat actor behaviors and emerging cybercrime trends—including a 45% year-over-year increase in the number of active ransomware groups.
“While law enforcement’s disruption of dominant groups like LockBit, AlphV and BreachForums has dealt significant blows to cybercriminal networks, the sharp year-over-year rise in active ransomware groups makes it clear that a significant threat remains,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security. “Unfortunately, the quarterly slowdown in publicly reported ransomware incidents appears to stem from more temporary headwinds, such as seasonality, fragmentation and strategic regrouping within the RaaS ecosystem. As groups like Qilin, Akira and Play continue to gain ground, defenders must remain vigilant and prepare for what’s next.”
The Q2 2025 Ransomware & Cyber Threat Report also investigates Iranian cyber threat activity, the growing momentum of the RaaS group DragonForce and law enforcement’s impact on Lumma Stealer, a prolific information-stealing malware favored by cyber criminals.
Key findings include:
- A 45% year-over-year increase in active ransomware groups, climbing from 45 in Q2 2024 to 71 in Q2 2025.
- Ransomware victim numbers remain elevated year-over-year (+43%), but a 23% decline in Q2 2025 hints at changing attacker patterns beyond seasonal norms.
- An 85% increase in activity from Qilin, the most active threat group of this quarter.
- 52% of observed ransomware victims in Q2 2025 were based in The United States, followed by Singapore (23%) and Canada (5%).
- The manufacturing, technology and legal industries were most heavily impacted by ransomware. Notably, the healthcare sector dropped out of the top five most targeted industries for the first time since Q2 2022.
“We’re seeing a reshuffling within the ransomware ecosystem,” Timothy added. “Disruption of major RaaS players hasn’t reduced overall threat capacity so much as redistributed it. Affiliates are regrouping under existing or emerging banners, and many are standing up their own operations using recycled tools. As we head into the second half of the year, security teams should expect familiar tactics under new names.”
The Ransomware & Cyber Threat Report is based on data obtained from publicly available resources, including threat groups themselves, as well as threat analyst insights into the ransomware threat landscape.
For more information:
- Download the GRIT Q2 2025 Ransomware & Cyber Threat Report
- Register for GRIT’s upcoming webinar
- Read our blog for more Q2 threat insights
About GuidePoint Security
GuidePoint Security provides trusted cybersecurity expertise, solutions, and services that help organizations make better decisions that minimize risk. Our experts act as your trusted advisor to understand your business and challenges, helping you through an evaluation of your cybersecurity posture and ecosystem to expose risks, optimize resources and implement best-fit solutions. GuidePoint’s unmatched expertise has enabled 40% of Fortune 500 companies and more than half of the U.S. government cabinet-level agencies to improve their security posture and reduce risk. Learn more at www.guidepointsecurity.com.
Contacts
Nicole Lavella
[email protected]
703-403-7066
