Ransomware Landscape: Rapid7’s Insights for Q2 2025
Cybersecurity firm Rapid7 has recently shared its quarterly analysis focusing on the ever-evolving ransomware landscape for the second quarter of 2025. The report characterizes this period as reflective of “tumultuous times,” highlighting significant shifts and trends within the ecosystem of ransomware operations.
Shifting Dynamics Among Ransomware Groups
Rapid7’s analysis draws from both internal data and publicly available information, revealing a shifting environment where prominent ransomware players emerge and disappear. The firm noted that as threat actors strategize for dominance, there’s also an element of competition among them for status in the hacking community.
Declining Active Groups
This past quarter has witnessed notable upheaval among ransomware actors. In the first quarter of 2025, there were 76 active ransomware groups. However, the second quarter saw 11 of these groups, including BianLian, 8base, and BlackBasta, become inactive. This reduction brought the total number of active groups down to 65, reflecting an almost 15% decline from the previous quarter. Nevertheless, across the first half of the year, there have been a total of 96 distinct operations, marking a significant increase of over 41% compared to the same period in 2024, when there were only 68 active groups.
Top Ransomware Operators
In terms of impact, Qilin has emerged as the leader with 209 reported victims. SafePay and Akira follow with 130 victims each, and the Play ransomware operation with 125. Lynx rounds out the top five but trails considerably with only 66 victims recorded.
A notable departure is RansomHub, once a major player in the landscape, which became inactive in April. Its affiliates are reportedly migrating to other ransomware-as-a-service (RaaS) platforms. Rapid7 suggests that this could lead to a significant shift in ransomware operations, because RansomHub affiliates were known for exploiting vulnerabilities as part of their tactics.
Innovations and Marketing Strategies
Qilin has recently introduced a distinctive feature within its affiliate panel—a “call a lawyer” option. This service aims to connect victims with legal assistance for negotiation purposes. While the notion may raise eyebrows given its source, the move reflects the competitive nature of RaaS operators who continually seek new features to attract affiliates.
Emerging Trends in Ransomware
As previously noted, the RaaS landscape is currently experiencing a transitional phase, leading to changes in affiliate preferences among ransomware operators. The dynamic between infighting and cooperation has characterized the second quarter. Rapid7 points out that some groups are vying for improved infrastructure, better leak sites, and enhanced features for potential affiliates.
For example, DragonForce has been known to collaborate with various threat actors, claiming partnerships to share ransomware and handle initial access tactics. These alliances may appear beneficial, but the cybersecurity community remains skeptical of the legitimacy of such partnerships, with concerns about potential hostile takeovers.
Another trend underway is the recycling of older data, passed off as new breaches. FunkSec appears to focus on this strategy, and LockBit is doing the same, likely in an attempt to maintain an active presence following law enforcement interventions.
Anticipated Changes Ahead
Looking forward, Rapid7 warns of a prolonged “powerscale rebalancing” in which rival RaaS operations endlessly compete for affiliates. This internal competition, paired with uncertain alliances, creates a complex environment where groups may collaborate while simultaneously vying for dominance.
Rapid7 emphasizes that in this chaotic setting, organizations face an increasingly critical need to utilize threat intelligence. Understanding the motivations and behaviors of these ransomware groups is essential for effective risk management and protection strategies.
Given the rapid evolution of the ransomware landscape, businesses must remain vigilant, adapting their cybersecurity measures to navigate the shifting dynamics effectively. As reported, the turbulence continues, underlining the importance of staying informed and prepared for upcoming challenges.