Surge in Ransomware Attacks in 2025: Insights from Cyble
Ransomware attacks are on the rise, with reported incidents increasing by 50% in 2025. A recent report from Cyble sheds light on the dynamics behind this alarming trend, revealing a transitional phase for various ransomware groups amidst an influx of critical vulnerabilities.
The Numbers Speak for Themselves
As of October 21, 2025, there have been 5,010 reported ransomware attacks linked to these groups on dark web leak sites. This is a significant jump from the 3,335 attacks recorded during the same timeframe in 2024. Cyble’s analysis illustrates a shifting landscape in the realm of cybercrime, where leadership among ransomware groups is evolving rapidly.
Cyble states, “From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025.” This indicates a fierce competition among these groups, with affiliates quickly jumping onto new opportunities, fueled by the availability of vulnerabilities in multiple systems.
Qilin: The Dominant Player
In September, Qilin emerged as the leader among ransomware groups for the fifth time in six months, claiming 99 victims in total. The sustained increase in attacks for five consecutive months highlights Qilin’s resilience as RansomHub fades into obscurity. The month saw 474 attacks overall, representing a slight increase from August, although still below the record high observed in February.
The United States continues to be the primary target, encompassing nearly 55% of the attacks in September, with 259 victims. While traditional targets like Germany, France, and Canada remain on the radar, South Korea also emerged as a significant area of concern, partly due to a specific campaign by Qilin.
Rising Threats in South Korea
South Korea experienced a total of 32 ransomware incidents in September, mainly attributed to Qilin’s “KoreanLeak” campaign, which particularly targeted asset management firms. Cyble highlighted a concerning trend where one company reported impacts stemming from a ransomware attack on its IT management provider, suggesting a broader risk of supply chain vulnerabilities affecting multiple entities simultaneously.
This targeted approach has made the Bank, Financial Services, and Insurance (BFSI) sector the third most affected in September, trailing behind Construction and Manufacturing, and surpassing Professional Services, IT, and Healthcare.
The Emergence of New Players
Adding complexity to the ransomware landscape is the emergence of The Gentlemen, a new group that has claimed 46 victims thus far. Their operation is characterized by the utilization of custom tools designed to bypass security measures and an extensive geographic reach of their targets. This adaptation hints at an organized effort that could pose a long-term threat in the cyber realm.
Arizona-based Akira claimed second place among ransomware groups in September, but the gap between them and Qilin is significant, illustrating Qilin’s dominance.
Recommendations for Cyber Defenders
Cyble’s report does not merely focus on the statistics; it also provides valuable recommendations for businesses looking to fortify their defenses against ransomware threats. As cybercriminals continue to adapt and evolve, staying ahead—through proactive strategies, regular updates on vulnerability patches, and security awareness training—becomes paramount for organizations across industries.
As ransomware attacks surge in both frequency and sophistication, the need for a collective response from security experts, businesses, and regulatory bodies has never been more critical. Establishing robust cybersecurity frameworks will play an essential role in mitigating the risks presented by these emerging threats.
