The top ten ransomware groups now account for only 50% of attacks, which is down from 69% previously.

The number of active ransomware groups has doubled over the last three years.

The number of active ransomware groups has exceeded 60 for the first time.

Nation-state actors are second most concerning threat actors.

When it comes to the most concerning threat actors, external sources dominate with hacktivists holding the top spot.

There are now 96 active ransomware groups.

52 entirely new ransomware groups emerged in the last year.

Most Prolific Ransomware Gangs (based on attack claims) in April 2025: Qilin: 67 claims. This is an increase from 45 claims in March, Akira: 62 claims, Play: 50 claims, Lynx: 32 claims, NightSpire: 22 claims. RansomHub listed no new victims in April.

Credentials for victims of the Play, Akira, and Rhysida ransomware groups were found on cybercrime marketplaces between 5 and 95 days prior to the reported attack.

8% of threat groups were motivated by espionage.

55% of threat groups active in 2024 were financially motivated, showing a steady increase.

Safepay was the third most active threat group in March, with 42 attacks.

Babuk2 was the most active threat group, responsible for 14% of all attacks in March. Babuk2 drove ransomware activity with 84 attacks in March. This represents a 37% increase for Babuk2 from January (61 attacks).

Akira and RansomHub shared second place of most active threat group in March, with 62 attacks each.

February 2025 saw a total of 962 victims claimed by ransomware groups.

Out of the 962 victims claimed in February 2025, 335 were claimed by the Clop (Cl0p) group.

The number of victims claimed by Clop (Cl0p) saw a 300% jump from the previous month.