Qilin leads the pack in terms of victim count, while 17 groups go quiet in the second quarter of 2025.
Cyber security firm Rapid7 has released its quarterly look at the ransomware landscape, and the company is describing the second quarter of 2025 as “tumultuous times”.
“Rapid7’s internal and publicly-available data analysis reveals a dynamic environment where major players come and go, newer groups work their way up the heavy-hitters ladder, and threat actors jostle for top dog status,” Rapid7 said.
“Plus, there’s law enforcement action thrown in there for good measure.”
Top operators
There’s been some turmoil among ransomware actors during this last quarter. While there were 76 active groups in the first quarter of the year, 17 of those – including groups like BianLian, 8base, and BlackBasta – went quiet in quarter two.
This led to ‘just’ 65 groups active in the period, an almost 15 per cent drop from the preceding quarter. That said, the total number of active groups in the first six months of the year is still a staggering 96 unique operations, compared to 68 active during the first six months of 2024 – a 41.18 per cent increase.
Qilin leads the rankings with 209 victims, followed by SafePay and Akira (both with 130 victims), and the Play ransomware operation, which listed 125 victims on its leak site. Lynx rounds out the top five, but is way behind with 66 victims.
One of the operations that appears to have shut down of its own accord is the once prolific RansomHub. It went quiet in April, and its affiliates have moved to other ransomware-as-a-service operations.
“Given that RansomHub affiliates are known for exploiting vulnerabilities to gain initial access, followed by double extortion, this could mean a significant ripple of ransomware distributors moving elsewhere,” Rapid7 said.
Speaking of Qilin, the operation has now added a new feature to its affiliate panel – a ‘call a lawyer’ feature. This so-called ‘lawyer’ is meant to connect ransomware victims with someone who can assist them with negotiations, and if you trust a lawyer provided to you by criminals, Cyber Daily has a bridge to sell you. Still, RaaS operators like Qilin succeed or fail based on the features their ransomware boasts – maybe it’ll bring some punters in from a rival?
The big trends
As already noted, the RaaS landscape is going through a bit of a time, leading to affiliates drifting between ransomware operators of choice. Qilin already had its affiliate panel revealed by a rival operator, RansomHub is gone, and more and more RaaS operators are getting ready to spool up operations.
“Infighting sits uneasily next to cooperation in Q2, with some groups trying to facilitate bigger and better infrastructure, leak sites, and features offered to potential affiliates,” Rapid7 said.
“DragonForce is a prime example, using its ransomware alongside other threat actors taking care of the initial access side of things.”
DragonForce claims to be working with RansomHub, for instance, but so far, that’s all they appear to be – just claims. It’s entirely likely that a hostile takeover of sorts has taken place, as DragonForce looks to win new affiliates by forming what the gang is calling a ‘ransomware cartel’.
Another continuing trend is the recycling of old data disguised as new leaks. FunkSec appears to be making this practice its main business model, and LockBit continues to follow suit, no doubt in an attempt to appear to be as active as it was before a series of law enforcement takedowns disrupted its operations.
What Rapid7 expects to see going forward is what it calls a “prolonged powerscale rebalancing” as rival RaaS operations compete for affiliates.
“Add to this the uncertain lay of the land with regard to supposed ransomware alliances, and we have a perfect storm of groups working together – yet remaining at odds – while businesses attempt to parse shifting threat actor patterns,” Rapid7 said.
“The sheer chaos of this environment means that it’s never been more important for organisations to make use of threat intelligence and explore what makes these groups tick.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.