The Rise of Qilin: Dominating the Ransomware Landscape
In the ever-evolving world of cybersecurity, Qilin has emerged as a leading player in the ransomware arena, particularly in the aftermath of the decline of RansomHub earlier this year. According to a recent post from Cyble, Qilin has outperformed its rivals for the third time within four months since RansomHub’s suspected compromise by the competing group, DragonForce.
Victim Statistics for July
July proved to be a significant month for ransomware activity, with Qilin reporting an alarming 73 victims. This figure represents 17% of the total 423 reported attacks that month. Following closely behind was the INC Ransom group, which targeted 59 entities, fueled by high-profile attacks on critical infrastructure and an uptick in victim disclosures. Rounding out the top five ransomware groups for July were SafePay, Akira, and Play.
Overall Ransomware Victim Trends
According to Cyble’s analysis, July marked the third consecutive month of increased ransomware incidents following a steady decline over the previous three months. While these numbers are still dramatically lower than the record levels seen in February, the longer-term trend indicates a concerning rise in these attacks. The data reflects that even during 2025’s slowest month—May, with a mere 402 attacks—the numbers still surpassed the lows of both 2023 and 2024.
The U.S. Under Siege
The United States continues to bear the brunt of ransomware attacks, accounting for 223 of the total victims in July, a staggering eightfold margin over the second most targeted nation, Canada. This trend raises substantial concerns about the current cybersecurity landscape in the U.S. and highlights the need for stronger protective measures across all sectors.
Targeting Critical Infrastructure and Supply Chains
In July, it was reported that 25 incidents targeted critical infrastructure, along with an additional 20 incidents aimed at software supply chains. These numbers underline the seriousness of ransomware threats, as they can disrupt essential services and potentially endanger national security. Cyble identified eight significant incidents within this timeframe, offering detailed analysis on the attacks, rising ransomware groups, and emerging variants.
Sectors Most Affected
The report identified the top five sectors that experienced ransomware attacks in July: Professional Services, Construction, Manufacturing, Healthcare, and IT. These industries accounted for nearly half of all attacks. Such targeting of diverse sectors demonstrates that ransomware operators are not just focusing on high-profile companies but are willing to strike across various industries.
Exploited Vulnerabilities
Among the vulnerabilities exploited by ransomware groups, several significant ones were noted, including CVE-2025-5777, which affects Citrix NetScaler ADC and Gateway, along with four critical Microsoft SharePoint vulnerabilities. These flaws have opened doors for attackers, giving them entry points for their operations.
Development in this area remains rapid, with nearly 40 new ransomware variants emerging in July, alongside a host of new threat groups entering the ring. Noteworthy new ransomware groups mentioned include the BEAST Ransomware Group, D4RK4RMY, and others such as Payouts King and AiLock.
Emerging Ransomware Variants
The landscape of ransomware variants is continually shifting, with recent entrants like DeadLock, Crux, and a powerful Linux variant from the Gunra group making headlines. The evolution of these threats is alarming, as the attackers possess the resources and determination to innovate their methodologies continuously.
As Cyble pointed out, the ransomware landscape is expected to evolve alongside advancements in security technology. Organizations need to remain vigilant, adapting their strategies to counteract these persistent and evolving threats effectively.


