The State of Ransomware – Q2 2025


Key Findings

Disappearance of significant RaaS groups

Several prominent RaaS groups, including RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, Hunters International, and LockBit, stopped publishing new victims. Though the reasons for their disappearances vary, the net effect is a fragmented ransomware ecosystem no longer dominated by one or two major players.

Decline in publicly posted victims

Q2 2025 saw a 6% drop in the number of victims listed on ransomware Data Leak Sites, compared to the monthly average over the previous 12 months. This decline is likely driven by continued global law enforcement efforts, a drop in victims’ willingness to pay, and strategic shifts by ransomware operators to reduce risk exposure.

Qilin – the new leader introduces innovative extortion methods

The Qilin ransomware group was the most dominant group in Q2 and offered tools and services to increase pressure on victims, such as preparing regulatory complaints, contacting customers or employees, and flooding corporate communication channels.

Ongoing shift from encryption to data-theft-based extortion

We noted a concerted move away from encryption-focused attacks toward data exfiltration and public exposure as the primary extortion method. This shift reflects both operational pragmatism and evolving victim response patterns.

Ransomware in Q2 2025: Decline in Activity, Shifts in Strategy

Several significant developments occurred in the ransomware ecosystem in the second quarter of 2025. For the first time, there was a slight decline in the number of victims listed on Data Leak Sites (DLS). As noted in our 2025 Annual Report, sustained global law enforcement operations have severely disrupted major ransomware-as-a-service (RaaS) groups.
These actions include takedowns, indictments, and the exposure not only of RaaS operators but also of individual affiliates, which leads actors to try to reduce their visibility and legal risk.

Intensive enforcement operations led to the dismantling of several key groups, including LockBit, whose final blow was delivered in May 2025 by the hacking and leakage of its internal data. The 8Base group also ceased activity following similar pressure. Additionally, operations targeting initial access malware infrastructure, a critical enabler for ransomware, led to lower numbers of attacks.

On the policy front, more countries are increasing their restrictions on ransom payments. Combined with unreliable decryption outcomes in some cases and the more widespread adoption of resilient backup strategies, these developments pushed the global ransomware payment rate to a historic low, estimated at just 25–27%.

With rising operational risk and shrinking profits, many actors are either abandoning ransomware entirely or deliberately reducing their exposure. Public statements from groups like DragonForce and Hunters International indicate they are being more selective about their victim pool or moving away altogether from encryption-based extortion. Other threat actors have simply disappeared quietly from the ransomware scene.

Groups that appear to have exited the ecosystem during Q2 2025 include RansomHub, Babuk-Bjorka, FunkSec, BianLian, 8Base, Cactus, and Hunters International. These exits also coincide with a noticeable drop in “fake” or low-quality attack claims, often used to inflate reputations or extort without an actual intrusion, previously reported for groups like FunkSec and Babuk-Bjorka.

Figure 1 – Total Number of Reported Ransomware Victims in DLS, per month.

During the review period, we monitored over 75 active DLS platforms, which collectively listed 1,607 new victims.
This marks a significant decrease from the 2,289 victims reported in Q1 2025, although still higher than the 1,270 recorded in Q2 2024. Notably, May and June of this year were the first months since September 2024 to record fewer than 500 listed victims.

Despite this downturn, ransomware activity has not stopped altogether. With major RaaS services shutting down, many affiliates are operating independently or seeking new partnerships. The result is a growing number of smaller, often short-lived, ransomware entities. At the same time, established players are actively competing to recruit these “orphaned” affiliates, as seen in the clash between Qilin and DragonForce following RansomHub’s collapse (detailed below).

As part of this reshuffling, several groups, including Play, Medusa, Akira, INC Ransom, Qilin, Lynx, Safepay, and DragonForce, appear to be consolidating their positions in a contracting but still active ecosystem.

Figure 2 – Ransomware Groups by Publicly Claimed Victims – Q2 2025.

Geographic Distribution Remains Consistent

The geographic distribution of ransomware victims in Q2 2025 continues to reflect longstanding patterns in the ransomware ecosystem. As in previous quarters, the United States accounted for approximately half of all reported victims, reinforcing its position as the primary target for financially motivated threat actors. Most of the publicly listed victims continue to originate from Western, developed nations, where organizations are perceived as having greater financial resources and a higher likelihood of paying a ransom.

Figure 3 – Ransomware Victims by Country, Q2 2025.

A closer look at the victim data by country reveals that some ransomware groups exhibit distinct geographic preferences. The Safepay ransomware group continues to be very active in Germany.
Of the 76 victims reported in Germany during this quarter (compared to 74 in Q1), Safepay claimed responsibility for nearly 40%.

Figure 4 – German Victims by Actor, Q2 2025.

Akira ransomware maintains a special focus on Italy, with 10% of its victims being Italian companies, compared to 3% in the general ecosystem. Fourteen percent of Satanlock’s victims are from Brazil (9 out of a total of 36 Brazilian victims).

Qilin: Gaining Ground After the Fall of RansomHub

In early April 2025, RansomHub, the dominant RaaS group that filled the vacuum left by LockBit’s decline in early 2024, abruptly ceased its operations. The precise circumstances behind its disappearance remain unclear, but the impact on the ransomware ecosystem was immediate. With RansomHub’s data leak site offline, its affiliates, who had been averaging around 75 listed victims per month over the previous half-year, were left seeking a new platform. Many of them appear to have shifted their operations to Qilin, which nearly doubled its activity in Q2 2025, jumping from an average of 35 victims per month to almost 70.

Figure 5 – Number of Qilin’s monthly published victims.

Qilin is among the most established RaaS groups, with a sustained track record of published victims dating back to 2022. It offers its affiliates a comprehensive toolkit via a dedicated administrative panel, including an encryptor, negotiation infrastructure, and support services. In the wake of RansomHub’s disappearance, Qilin actively capitalized on the opportunity, increasing its recruitment efforts on the Ramp forum and highlighting a range of enhanced features. These include new integrated DDoS capabilities and negotiation consultations, aimed at maximizing pressure on victims during the extortion phase.

Figure 6 – Qilin promoting their new DDoS feature.

As noted in our annual report, the broader ransomware landscape is markedly shifting away from encryption to data theft and exposure as the primary means of extortion.
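The per-country breakdowns (Figure 4), the comparison of one group’s geographic mix against the ecosystem baseline (Akira and Italy), and the month-by-month trend for a single group (Figure 5) all come from the same kind of aggregation over DLS victim listings. The script below is an added example of how an analyst tracking leak sites might compute those three views; it is not Check Point Research’s tooling, and the listings in it are constructed sample records, not real victims or real counts. The `Listing` dataclass, the function names and the ISO country codes are assumptions made for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Listing:
    """One victim entry scraped from a ransomware Data Leak Site (hypothetical schema)."""
    actor: str      # ransomware group that published the listing
    country: str    # victim country, ISO 3166-1 alpha-2 (assumed normalisation)
    listed: date    # date the victim first appeared on the DLS


# Constructed sample listings for illustration only; not real victims, not real counts.
LISTINGS = [
    Listing("Safepay", "DE", date(2025, 4, 2)),  Listing("Safepay", "DE", date(2025, 4, 18)),
    Listing("Safepay", "DE", date(2025, 5, 9)),  Listing("Safepay", "DE", date(2025, 6, 21)),
    Listing("Safepay", "US", date(2025, 5, 3)),  Listing("Safepay", "US", date(2025, 6, 11)),
    Listing("Akira", "DE", date(2025, 4, 7)),    Listing("Akira", "DE", date(2025, 5, 27)),
    Listing("Akira", "IT", date(2025, 4, 15)),   Listing("Akira", "IT", date(2025, 6, 2)),
    Listing("Akira", "US", date(2025, 4, 1)),    Listing("Akira", "US", date(2025, 4, 22)),
    Listing("Akira", "US", date(2025, 5, 14)),   Listing("Akira", "US", date(2025, 5, 30)),
    Listing("Akira", "US", date(2025, 6, 8)),    Listing("Akira", "US", date(2025, 6, 25)),
    Listing("Qilin", "US", date(2025, 4, 10)),   Listing("Qilin", "DE", date(2025, 4, 29)),
    Listing("Qilin", "US", date(2025, 5, 5)),    Listing("Qilin", "IT", date(2025, 5, 19)),
    Listing("Qilin", "US", date(2025, 6, 4)),    Listing("Qilin", "US", date(2025, 6, 16)),
    Listing("Qilin", "DE", date(2025, 6, 27)),
    Listing("Lynx", "DE", date(2025, 4, 12)),    Listing("Lynx", "DE", date(2025, 6, 3)),
    Listing("Lynx", "US", date(2025, 5, 21)),    Listing("Lynx", "US", date(2025, 6, 19)),
]


def monthly_counts(listings, actor=None):
    """Victims per calendar month (YYYY-MM), for one actor or for the whole ecosystem.

    Months with zero listings are simply absent; callers that plot a trend should
    fill the gaps so a quiet month is not hidden.
    """
    counts = Counter(
        f"{item.listed.year:04d}-{item.listed.month:02d}"
        for item in listings
        if actor is None or item.actor == actor
    )
    return dict(sorted(counts.items()))


def actor_share_in_country(listings, country):
    """Fraction of a country's listed victims attributed to each actor (Figure 4 view)."""
    in_country = [item for item in listings if item.country == country]
    if not in_country:
        return {}
    by_actor = Counter(item.actor for item in in_country)
    return {actor: n / len(in_country) for actor, n in by_actor.most_common()}


def geographic_lift(listings, actor, country):
    """Compare how often `country` appears among `actor`'s victims with the ecosystem rate.

    Returns (actor_share, ecosystem_share, lift). A lift above 1 means the group
    lists victims from that country more often than the ecosystem as a whole.
    """
    actor_items = [item for item in listings if item.actor == actor]
    if not listings or not actor_items:
        raise ValueError("need at least one listing for both the baseline and the actor")
    ecosystem_share = sum(item.country == country for item in listings) / len(listings)
    actor_share = sum(item.country == country for item in actor_items) / len(actor_items)
    lift = actor_share / ecosystem_share if ecosystem_share else float("inf")
    return actor_share, ecosystem_share, lift


if __name__ == "__main__":
    print("Qilin per month:", monthly_counts(LISTINGS, actor="Qilin"))
    print("Germany by actor:", actor_share_in_country(LISTINGS, "DE"))
    share, baseline, lift = geographic_lift(LISTINGS, "Akira", "IT")
    print(f"Akira/IT: {share:.0%} of its victims vs {baseline:.0%} ecosystem (lift {lift:.1f}x)")
```

The lift ratio is the useful number when deciding whether a group really has a regional focus: a share of 10% only stands out when the ecosystem baseline is 3%, which is exactly the comparison the Akira observation above makes. On real scraped data the country field is the weak point, since DLS posts rarely state it cleanly, so the normalisation step that produces `country` deserves more care than the arithmetic.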
Encryption-based attacks carry greater operational complexity and a higher risk of detection, while payment rates for decryption keys have declined. In contrast, the threat to publish stolen data opens up new leverage points. Qilin recently introduced a new set of services designed to amplify the pressure on its victims. These include offering legal assistance to review the stolen data, assess potential regulatory violations in the victim’s jurisdiction, and prepare documentation for submission to relevant authorities such as tax agencies, law enforcement, or regulatory bodies like the FBI.

In addition, Qilin promotes tools for spamming victims’ corporate email addresses and phone lines and advertises support from alleged “journalists” to create public leak blogs. While it is likely that many of these services rely on AI tools, they are part of the effort to increase the percentage of victims who feel compelled to pay the ransom.

Figure 7 – Qilin promoting new extortion tools on the Ramp forum.

DragonForce: Marketing Tactics and Strategic Expansion

DragonForce is another veteran actor in the RaaS ecosystem, with over 250 victims listed on its DLS since late 2023. Initially operating as a closed group, DragonForce began recruiting affiliates by mid-2024, gradually transitioning into a more open RaaS model. Like Qilin and other established players, DragonForce offers affiliates a comprehensive toolkit via a dedicated interface panel, including encryption tools, negotiation frameworks, and victim management capabilities.

Figure 8 – DragonForce cartel initiation announcement on the Ramp forum.

What sets DragonForce apart is its strategic focus on branding and marketing. In March 2025, the group announced the formation of a so-called “Ransomware Cartel”, a framework designed to offer affiliates greater autonomy and brand control.
Through a “white label” model, affiliates can leverage DragonForce’s infrastructure while operating under their own custom names and branding.

Figure 9 – DragonForce’s logo integrated into the Ramp forum logo.

This focus on visibility was further underscored when Ramp, the cybercrime forum, updated its logo to incorporate the DragonForce emblem.

Shortly after RansomHub’s unexpected disappearance in April 2025, DragonForce claimed that the former group had migrated its operations to the DragonForce platform and joined the Cartel initiative.

Figure 10 – DragonForce announcement of RansomHub joining their cartel.

They supported this assertion by publishing a screenshot allegedly showing RansomHub’s DLS configuration panel.

Figure 11 – Alleged setup of RansomHub’s new DLS on DragonForce’s infrastructure.

The number of victims reported in April and June shows a noticeable increase, suggesting a possible influx of affiliates formerly aligned with RansomHub. However, it remains to be seen whether this growth represents a lasting shift or merely a short-term spike.

In parallel with this expansion, DragonForce also responded to increasing law enforcement scrutiny by announcing more stringent affiliate screening processes. In April, they reaffirmed their “ethical” boundaries, explicitly prohibiting attacks on healthcare targets and stating that their objective is financial gain, not harm. As they put it, “We are not here to kill—we are here to make money.”

DragonForce’s behavior reflects the trend among threat groups of moving away from encryption-based extortion. However, despite the broader shift toward data-theft extortion, encryption-based ransomware remains a serious threat, particularly in attacks designed to cripple operations and disrupt cash flow.
This was evident in April–May 2025, when Scattered Spider deployed the DragonForce encryptor against major UK retailers, including Marks & Spencer and Co-op, causing significant business impact.

Figure 12 – DragonForce’s published victim numbers per month.

Hunters International: A Shift Toward Low-Friction Extortion

Hunters International has taken a distinctive path in the ransomware landscape, gradually moving away from traditional encryption-based attacks in favor of a lower-friction, data-only extortion model. This transition culminated in the launch of World Leaks, a new platform dedicated exclusively to publishing stolen data and conducting extortion without encrypting victims’ files.

Initially, Hunters International experimented with more aggressive extortion techniques to pressure victims into paying. These included a “mailing list” feature designed to send bulk emails to a victim’s contacts, such as employees, clients, or partners, as well as outsourced OSINT services to increase the pressure on their victims. However, over time, the group shifted tactics, aligning their approach with a more discreet operational philosophy.

This evolution appears to be driven by a recognition that public and governmental pressure, in particular restrictions or bans on ransom payments, was contributing to a sharp decline in the success rate of encryption-based extortion. In response, Hunters International redefined its strategy: they no longer dropped ransom notes on every endpoint or renamed encrypted files. Instead, they quietly sent notifications directly to company leadership, limiting awareness of the attack to a small circle within the victim organization.

By late 2024, Hunters International publicly declared their intention to stop using encryption-based extortion, citing the growing risks associated with such operations. It took until May 2025 to deliver on that promise.
At the same time, Hunters International offered their former victims free decryption of their encrypted files.

Figure 13 – Hunters International closure notice from their DLS.

Despite this, Hunters International is still actively extorting victims. Since May 2025, their new platform for data-based extortion, World Leaks, has listed more than 30 victims. The data leak site maintains the same design and structure as the original Hunters International DLS, signaling continuity despite the strategic pivot.

Figure 14 – Screenshot from World Leaks’ new DLS.

Artificial Intelligence in Ransomware Operations

Ransomware groups are actively exploring how AI can be used to enhance their operations. In previous reports, we highlighted FunkSec’s use of AI in malware development and Xanthorox’s creation of an AI-generated ransomware variant. Both examples illustrate early experimentation with automation and generative tools.

In Q2 2025, evidence continues to emerge of AI integration into the ransomware ecosystem, particularly in victim negotiations. One notable example is the Global Group (also known as El Dorado or Blacklock), which listed 17 victims during the quarter. In promotional material aimed at recruiting affiliates, the group highlights the inclusion of “AI-powered negotiation support” as part of its RaaS offering. This suggests a growing interest in using AI to fine-tune psychological pressure, automate interactions, and potentially improve extortion outcomes.

Figure 15 – Screenshot from Global Group ransomware recruitment video.

Ransomware Attacks by Industry: Q2 2025 Analysis

The distribution of ransomware victims across industries in Q2 2025 reflects a broad cross-sectional impact, with no single vertical standing out as specifically targeted.

Figure 16 – Ransomware Victims by Industry, Q2 2025.

Government and education entities remain lower on the list, most probably due to their reduced likelihood of paying ransoms compared to for-profit organizations.
Additionally, most RaaS groups restrict attacks on certain countries and sectors, partly to avoid drawing law enforcement attention. While healthcare is often permitted as a target, conditions are typically imposed to avoid life-threatening disruptions.

Despite these constraints, the healthcare and medical sector continues to attract significant attention. Health organizations hold large amounts of sensitive patient personal data, making them valuable targets for data theft operations. In Q2 2025, healthcare-related organizations accounted for nearly 8% of all publicly listed ransomware victims. INC Ransomware has emerged as a major actor in healthcare-related attacks. Nearly one-third of INC’s listed victims come from the healthcare and medical fields, making it responsible for almost 17% of all healthcare-related ransomware disclosures this quarter.

Figure 17 – INC Ransomware Victims by Industry, Q2 2025.

Summary

In Q2 2025, there was a decline in the number of major RaaS groups, a drop in publicly listed victims, and evolving extortion tactics used by the various threat groups. While data encryption is no longer the default method, ransomware continues to adapt and attempts to dominate a more fragmented and volatile ecosystem.

The post The State of Ransomware – Q2 2025 appeared first on Check Point Research.