In 2025, 5.9% of ransomware attacks were attributed to Qilin, 5.9% to Clop, 5.0% to Akira, 2.9% to Play, and 2.7% to SafePay.

Out of 103 active ransomware groups, five groups accounted for nearly 25% of global ransomware incidents.

Qilin was responsible for 248 incidents, Clop for 246 incidents, Akira for 209 incidents, Play for 120 incidents, and SafePay for 115 incidents in 2025.

In 2025, 77.7% of ransomware attacks were attributed to other actors outside the top five groups.

The top five ransomware groups — Qilin, Clop, Akira, Play, and SafePay — were responsible for 938 incidents, accounting for nearly 25% of all ransomware attacks in 2025.

In 2025, there were 103 distinct ransomware threat actors observed targeting critical infrastructure.

There was also a record high number of active threat groups, with 70 identified in Q1 2025. This is a 55.5% year-over-year rise.

Close to 50 ransomware groups were implicated in attacks in 2024, a 3X increase from 2021.

There was also a record high number of active threat groups, with 70 identified in Q1 2025. This is a 55.5% year-over-year rise.