Full Report
Despite major changes in the leading ransomware groups, ransomware attacks have surged 50% in 2025, as cybercriminals have proven adept at finding new opportunities and exploiting vulnerabilities.

Ransomware attacks were up 50% in 2025 through October 21, according to Cyble data, rising to 5,010 from 3,335 in the same period of 2024. Cyble’s data is based on ransomware group claims on their dark web data leak sites.

From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks.

Dramatic changes in the ransomware landscape were among the revelations in Cyble’s just-published September 2025 threat landscape report. The report also documents record data breaches, a surge in supply chain attacks, and the most active threat groups and malware families.

## Qilin Led All Ransomware Groups in September 2025

Ransomware attacks rose for the fifth consecutive month in September, and Qilin led all ransomware groups in claimed victims for the fifth time in six months. Overall, ransomware groups claimed 474 victims in September. That’s up slightly from August and well below February’s record, yet still among the highest monthly ransomware attack totals on record (chart below).

The U.S. remains the biggest target for ransomware groups, with its 259 claimed victims accounting for nearly 55% of attacks in September (chart below). Germany, France, Canada, Spain, Italy, and the UK remain significant targets, but an unexpected change in September was the emergence of South Korea as a major target, in second place behind the U.S. with 32 attacks. That’s largely due to one campaign by Qilin. All but three of the 32 South Korean attacks came from Qilin’s “KoreanLeak” campaign, which targeted asset management companies in the country.
Published data samples for each entity included financial records and scanned personal documents, suggesting exposure of both corporate and individual data. One of the asset management firms said its systems were impacted through a ransomware attack on its IT management provider, indicating a possible supply chain compromise affecting multiple firms simultaneously.

The campaign also made South Korea by far the most attacked country in the APAC region in September, well ahead of India, Thailand, and Taiwan (chart below).

Qilin’s South Korean campaign made Banking, Financial Services and Insurance (BFSI) the third most attacked sector in September, behind Construction and Manufacturing and ahead of Professional Services, IT and Healthcare (chart below).

Qilin led all ransomware groups once again, with its 99 claimed victims putting it 40 ahead of second-place Akira (chart below). Also of note is the emergence of The Gentlemen, a new group that has claimed 46 victims to date. The group’s use of custom tools targeting specific security vendors and the geographic diversity of its targets (chart below) suggest that the group may have the resources to become an enduring threat.

The ransomware incidents in September that attracted by far the most attention were crippling cyberattacks on a major UK automaker and European airports.

## Significant Ransomware Attacks in September 2025

Here are some of the key ransomware incidents documented by Cyble in September 2025.

The threat group Scattered LAPSUS$ Hunters claimed responsibility for the crippling cyberattack on the UK automaker, posting multiple screenshots suggesting unauthorized access to the company’s infrastructure. The group has an established pattern of leveraging supply chain vulnerabilities and social engineering, though the specific attack path in this case remains unverified.
Reports suggest that the disruption of operations at European and UK airports was due to a supply-chain ransomware attack affecting widely used check-in and boarding software. While the attacker has not been confirmed, the Everest ransomware group has since claimed exfiltration of more than 50GB of data.

The Play ransomware group claimed responsibility for breaches at two notable U.S.-based IT providers that could trigger supply chain risks. The first was a cybersecurity and software assurance firm providing services such as vulnerability assessment and mitigation, supply chain and third-party trust, DevSecOps transformation, cyber resiliency for weapons systems and space architectures, and OT/ICS resilience for both government and private sector clients. The second victim was a company specializing in digital cloud, hybrid, and edge solutions that enable high-speed data access and management across distributed environments.

The Akira ransomware group claimed an attack on an Australian company that provides OT & ICS services for various critical sectors. Akira claimed to have stolen 10GB of corporate data, including employee information (passports, driver’s licenses, medical records, and birth/death certificates), as well as confidentiality agreements, contracts, financial records, and project documentation.

The ArcusMedia ransomware group claimed responsibility for a cyberattack on an Egypt-based company that provides ERP and enterprise software solutions, including accounting, HR, payroll, inventory, and customer management systems.

The Warlock ransomware group claimed responsibility for attacks on a Taiwan-based company that provides automated test equipment and turnkey solutions for the power electronics and semiconductor industries and on a U.S.-based provider of cloud and managed IT services.
The SafePay ransomware group claimed responsibility for a cyberattack against a U.S.-based artificial intelligence company that develops AI-driven platforms and software designed to optimize business operations. The group did not publish any samples to substantiate the claim.

Akira claimed an attack on a U.S.-based chemical company, alleging the theft of more than 161 GB of data that included financial data, employee and customer information, confidential information, and NDAs. The company provides chemicals for water, air and soil treatments and serves several critical industries such as Municipalities, Semiconductor, Pharmaceutical, Mining, Energy & Utilities, and Manufacturing.

Qilin claimed a cyberattack on a U.S.-based company that provides data storage and data management solutions for enterprises and government agencies. The threat group did not specify the volume of data allegedly stolen but stated that it included information required to log into client vaults, personal data of employees and customers, financial records, and blueprints of network infrastructure. To support its claims, Qilin published five samples, including a confidential agreement between the company’s Australian subsidiary and a client, financial statements and documents from 2021, employee salary proposals from 2023, and technical documentation marked as confidential. However, Cyble noted that the nature of the samples raised questions about the extent of the breach and whether Qilin may be exaggerating its claims.

## Conclusion

With cyberattacks of all kinds at or near all-time highs – and becoming dramatically more damaging – security teams must respond with renewed vigilance. The good news is that basic cybersecurity best practices can offer protection against a wide range of cyber threats.
Recommended cybersecurity best practices include:

- Prioritizing vulnerabilities based on risk
- Protecting web-facing assets
- Segmenting networks and critical assets
- Hardening endpoints and infrastructure
- Strong access controls, allowing no more access than is required, with frequent verification
- A strong source of user identity and authentication, including multi-factor authentication and biometrics, as well as machine authentication with device compliance and health checks
- Encryption of data at rest and in transit
- Ransomware-resistant backups that are immutable, air-gapped, and isolated as much as possible
- Honeypots that lure attackers to fake assets for early breach detection
- Proper configuration of APIs and cloud service connections
- Monitoring for unusual and anomalous activity with SIEM, Active Directory monitoring, endpoint security, and data loss prevention (DLP) tools
- Routinely assessing and confirming controls through audits, vulnerability scanning, and penetration tests

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.

The post Newcomers Fuel Ransomware Explosion in 2025 as Old Groups Fade appeared first on Cyble.
Analysis Summary
# Incident Report: 2025 Global Ransomware Surge and Qilin Campaign Focus
## Executive Summary
Ransomware attacks globally surged by 50% through October 21, 2025, driven by leadership changes among established groups and the rise of new actors like Qilin and The Gentlemen. September 2025 saw ransomware activity rise for the fifth consecutive month, with Qilin leading attacks, notably executing a major campaign ("KoreanLeak") that made South Korea the second-most targeted nation. Several high-profile attacks targeted critical infrastructure, including a major UK automaker and European airports, often via supply chain compromise.
## Incident Details
- **Discovery Date:** Data collected leading up to Cyble's September 2025 threat landscape report publication.
- **Incident Date:** Primarily focused on trends through October 21, 2025, with specific events in September 2025.
- **Affected Organization:** Multiple global entities; major incidents include a UK automaker, European airports, several South Korean asset management firms, and two U.S.-based IT providers.
- **Sector:** Diverse, with BFSI, Construction, Manufacturing, IT, and critical infrastructure heavily impacted.
- **Geography:** Global, with the U.S. leading targets (55% of September attacks), followed unexpectedly by South Korea (32 attacks in September). Germany, France, Canada, Spain, Italy, and the UK were also significant targets.
## Timeline of Events
### Initial Access
- **Date/Time:** Predominantly throughout September 2025 (for specific reported attacks).
- **Vector:** Exploitation of critical vulnerabilities (general trend for the surge); supply chain compromise (specific incidents affecting South Korean asset managers and European airports); social engineering (alleged for the UK automaker attack).
- **Details:** The overall 50% increase stems from affiliates finding new opportunities and exploiting a steady supply of critical vulnerabilities across the threat landscape.
### Lateral Movement
- **Details:** Not explicitly detailed for the aggregate data, but the Qilin attack on South Korean asset management firms was facilitated via an IT management provider, indicating a supply chain pathway bypassing direct endpoint defenses.
### Data Exfiltration/Impact
- **Details:** Data exfiltration was claimed in numerous incidents (e.g., 10GB stolen from an Australian OT/ICS provider by Akira; 161GB stolen from a U.S. chemical company by Akira). Specific data types included financial records, employee PII (passports, licenses), contracts, blueprints, and sensitive technical documentation. Operational disruption occurred at European/UK airports and the UK automaker.
### Detection & Response
- **Details:** Detection is primarily based on ransomware groups claiming responsibility on dark web data leak sites (Cyble's data source). Specific response actions are not detailed, but the necessity of renewed vigilance and basic security best practices is emphasized in the conclusion.
## Attack Methodology
| Phase | Method/Technique Summary | Noteworthy Groups |
| :--- | :--- | :--- |
| **Initial Access** | Exploitation of critical, unpatched vulnerabilities; supply chain compromise via third-party IT management providers. | General trend; Qilin (via supply chain compromise in South Korea). |
| **Lateral Movement** | Supply Chain compromise (e.g., compromising an IT provider to hit multiple downstream clients). | Qilin. |
| **Impact** | Data encryption (Ransomware); Data Exfiltration (Ransomware-as-a-Service model). | Qilin, Akira, Everest, Play, ArcusMedia, Warlock, SafePay. |
| **Notable Techniques** | Use of custom tools targeting specific security vendors (The Gentlemen). | The Gentlemen. |
## Impact Assessment
- **Financial:** Not quantified specifically, but the involvement of BFSI and critical infrastructure suggests massive potential financial impact due to operational downtime and recovery costs.
- **Data Breach:** Significant Personally Identifiable Information (PII), corporate financial records, employee data (including sensitive documents like passports/birth certificates), and sensitive infrastructure blueprints were claimed to be stolen.
- **Operational:** Significant disruption alleged at European and UK airports, and operational cessation at a major UK automaker.
- **Reputational:** High public attention drawn to attacks on automakers and airports.
## Indicators of Compromise
*Note: Specific IoCs (IPs, hashes) are not provided in the source text.*
- **Behavioral Indicators:** Five consecutive monthly increases in ransomware claims; Qilin's focus on a specific sector (asset management) in a new geography (South Korea).
- **Victimology Indicators:** Attacks targeting IT management providers foreshadowing downstream impact (supply chain).
## Response Actions
Specific response actions attributed to victims are not available in this summary. The report shifts focus to general best practices that should guide organizational response:
- **Prioritization:** Risk-based vulnerability prioritization.
- **Control Hardening:** Network segmentation, endpoint hardening, strong access controls (Zero Trust principles implied).
- **Identity Management:** Strong MFA and machine authentication.
- **Resilience:** Ransomware-resistant backups (immutable, isolated).
- **Detection:** SIEM monitoring, DLP, Active Directory monitoring.
## Lessons Learned
1. **Ransomware Agility:** Threat groups adapt rapidly to leadership changes; affiliation networks ensure continuity of attacks.
2. **Supply Chains are Critical Vectors:** Compromising a single IT management provider can result in widespread compromise across multiple, seemingly unrelated organizations (evidenced in South Korea and European airport incidents).
3. **Data Exfiltration is Standard:** Groups consistently claim encryption *and* significant data theft, pressuring victims toward payment regardless of encryption status.
## Recommendations
1. **Vulnerability Management:** Continuously scan and prioritize patching for web-facing assets and infrastructure, addressing the "steady supply of critical vulnerabilities."
2. **Supply Chain Risk Reduction:** Implement stringent security requirements and mandatory audits for third-party IT management providers and service vendors.
3. **Defense in Depth:** Focus on network segmentation to contain the impact of successful initial access, coupled with immutable/isolated backups to ensure recovery without payment.
4. **Geographic Monitoring:** Companies operating internationally must be aware of evolving regional hotspots (e.g., South Korea becoming a major target due to specific campaigns like Qilin's "KoreanLeak").