Key Findings
  • The number of publicly-mentioned and extorted victims in Q1 reached the highest ever number, with a 126% increase year-over-year.
  • Cl0p returned to prominence as the most prolific ransomware actor in Q1 2025, exploiting new zero-day vulnerabilities in Cleo's managed file transfer products Harmony, VLTrader, and LexiCom.
    • 83% of Cl0p’s victims were in North America.
    • 33% of Cl0p’s victims were from the consumer goods & services sector.
  • Ransomware groups like Babuk-Bjorka and FunkSec now routinely fabricate or recycle victim claims, with dozens of questionable entries published. What began as a marginal tactic of LockBit after its takedown has become widespread, making the tracking of ransomware groups based on data leak ("shame") sites less reliable.
Ransomware in Q1 2025: A Record-Breaking Surge

Ransomware remains one of the most persistent and damaging cyber threats facing organizations globally. The first quarter of 2025 marked an unprecedented surge in activity, with 74 distinct ransomware groups publicly claiming victims on data leak sites (DLS). These groups collectively reported 2,289 victims, more than double the 1,011 cases published in the same period last year, a year-over-year increase of 126%.

Even when discounting the 300 victims attributed to Cl0p’s mass February disclosure related to its exploitation of the Cleo file transfer platform, the numbers remain historically high. The adjusted monthly average exceeds 650 victims, compared to ~450 per month throughout 2024. With Cl0p included, the average for Q1 rises to 760 per month—setting a new benchmark for ransomware activity.

This sharp rise may partially reflect a growing trend among threat actors to exaggerate their impact, including the fabrication of victim data to project greater reach and intimidate targets. At the same time, it is worth noting that organizations which pay ransoms swiftly are typically excluded from public disclosure on leak sites, suggesting that historically, published figures may have significantly underrepresented the true scale of ransomware incidents. This discrepancy warrants further analysis, which is explored below.

Figure 1 – Total Number of Reported Ransomware Victims on DLS, per Month

The most active groups in Q1 were Cl0p, RansomHub, and Babuk-Bjorka.

Figure 2 – Ransomware Groups by Publicly Claimed Victims – Q1 2025

Geographic Distribution Remains Consistent

The geographic distribution of ransomware victims in Q1 2025 continues to reflect longstanding patterns in the ransomware ecosystem. As in previous years, the United States accounted for approximately half of all reported victims, underscoring its position as the primary target for financially motivated threat actors. Most publicly listed victims continue to originate from Western, developed nations where organizations are perceived to have greater financial resources and a higher likelihood of paying ransoms.

Figure 3 – Ransomware Victims by Country, Q1 2025

A closer look at victim data by country reveals that some ransomware groups exhibit distinct geographic preferences. In the United Kingdom, for example, the Medusa ransomware group is disproportionately active: it is responsible for more than 9% of reported victims in the country, compared to just 2% of victims globally. This suggests a deliberate targeting strategy or a stronger operational foothold in the region.

Figure 4 – UK Victims by Actor, Q1 2025

In Germany, the Safepay ransomware group stands out with a high level of activity. Among the 74 ransomware victims reported in Germany during Q1 2025, Safepay was responsible for 17.5%—the highest share attributed to any group in the country.

Figure 5 – Germany Victims by Actor, Q1 2025

Cl0p: Encryption-less Attacks and Supply Chain Exploitation

With 392 publicly named victims, Cl0p was the most prolific ransomware actor in Q1 2025. The group has continued its strategic reliance on encryption-less attacks, focusing instead on data exfiltration and extortion. Cl0p operates in waves, leveraging zero-day vulnerabilities in widely used third-party platforms to compromise service providers and subsequently access the data of their clients. Following previous high-impact campaigns like GoAnywhere in early 2023 and MOVEit in mid-2023, Cl0p's 2025 activity was largely driven by its exploitation of Cleo's managed file transfer products Harmony, VLTrader, and LexiCom—an attack responsible for more than 300 of its Q1 disclosures.

The geographic distribution of Cl0p's victims reveals a striking concentration in North America, with 83% of victims based in the United States and Canada, followed by the United Kingdom and Germany. This stands in contrast to the broader ransomware ecosystem, where organizations in the United States typically account for approximately 55% of total victims. The industry breakdown of Cl0p's victims also deviates from the norm: 33% are from the consumer goods & services sector, while 12% are from transportation and logistics—more than double that sector's 4.8% representation across all ransomware incidents. This skew reflects the customer profile of Cleo's platform, which is widely used by North American firms operating in manufacturing, supply chain, and logistics.

Figure 6 – Cl0p Victims by Country, Q1 2025

RansomHub: A Rising Force in the Post-LockBit Landscape

RansomHub emerged in February 2024 and has positioned itself as one of the dominant ransomware groups, publicly naming 228 victims in Q1 2025 alone. Its swift ascent follows the disruption of LockBit’s operations by law enforcement in early 2024, filling the vacuum left by one of the most established ransomware-as-a-service (RaaS) operations. RansomHub has distinguished itself through an aggressive affiliate recruitment strategy, emphasizing a favorable profit-sharing model.

Figure 7 – Number of Monthly Victims Claimed by RansomHub

The group’s victim distribution mirrors broader ecosystem trends. Notably, organizations based in the United States account for approximately 59% of reported cases, consistent with the general pattern observed across the ransomware landscape.

Figure 8 – RansomHub Victims by Country – Q1 2025

Babuk-Bjorka: Reputation Building Through Recycled Victims

Babuk-Bjorka positions itself as a revival of the original Babuk ransomware operation, which ceased activity in 2021 after its source code was leaked, but there is no evidence linking Babuk-Bjorka to the original group. It is more likely that the new actor is leveraging the Babuk name to generate media attention and attract affiliates under a RaaS model.

In January alone, Babuk-Bjorka claimed an eye-catching 68 victims, but further analysis revealed that many were duplicates of incidents previously attributed to other ransomware groups. Despite maintaining a high profile on underground forums—a strategy seemingly aimed at boosting affiliate recruitment—most of the group’s claimed Q1 victims are suspected to be fabricated or recycled, reflecting a broader trend of inflated victim disclosures to boost credibility and visibility in a competitive RaaS marketplace.

Figure 9 – Babuk-Bjorka Activity Initiation Announcement, Actor DLS

FunkSec: AI-Driven Malware and Blurred Motivations

FunkSec, a ransomware group that emerged in December 2024, exemplifies several evolving trends in the ransomware ecosystem. Since its appearance, the group has claimed responsibility for more than 170 attacks, though the credibility of these claims remains uncertain. Check Point Research's investigation suggests that FunkSec's malware was likely developed with the assistance of AI tools—an approach that enabled rapid iteration and refinement even in the absence of advanced technical skills. This use of AI significantly lowered the barrier to entry for threat actors, allowing relatively inexperienced individuals to deploy sophisticated ransomware. In addition to questions surrounding the legitimacy of its victim claims, FunkSec further complicates attribution by operating at the intersection of hacktivism and financially motivated crime, making its underlying motives difficult to assess with confidence.

New Groups and Shifting Tactics in a Fragmented Landscape

Following the high-profile disruptions of LockBit and ALPHV, the ransomware ecosystem experienced a surge in newly formed groups trying to fill this void. Several factors are contributing to this proliferation: leaked ransomware source code has lowered technical barriers; AI tools are accelerating malware development; and a growing crisis of trust between affiliates and RaaS operators—highlighted by ALPHV’s betrayal of its affiliate “Notchy”—is pushing experienced actors to seek other platforms or launch their own operations.

One prominent example of these dynamics is VanHelsing, a new RaaS group reported by Check Point Research in March 2025. VanHelsing charges a $5,000 entry fee and markets itself to affiliates of all skill levels, offering an 80/20 revenue split. Its platform features an intuitive control panel and a versatile locker capable of targeting Windows, Linux, BSD, ARM, and ESXi environments. Like other Eastern European groups, it explicitly prohibits operations against Commonwealth of Independent States (CIS) countries. Within just two weeks of its launch, VanHelsing was linked to three confirmed victims, with ransom demands reaching $500,000. Check Point researchers also observed two distinct Windows variants compiled only five days apart, underscoring the group’s agility and rapid development cadence.

Law enforcement efforts to combat ransomware crime continued in 2025 with the takedown of 8Base, one of the most active ransomware groups of 2024. In a coordinated international operation, authorities from 14 countries arrested four Russian nationals suspected of leading the group, which had been active since 2022. This operation followed earlier arrests of key Phobos affiliates in South Korea and Italy, collectively dealing a significant blow to the broader ransomware ecosystem.

Data Extortion and the Challenge of Measuring Impact

Estimating the true scale of ransomware attacks has become increasingly difficult as many groups continue to shift from traditional file encryption to pure data extortion. This trend reflects both the declining willingness of victims to pay for decryption keys and the operational complexity associated with maintaining and deploying encryption infrastructure. Often, victims first learn of an incident not through system disruption, but when stolen data samples appear on data leak sites.

This tactic has also created opportunities for abuse. Now that the mere publication of stolen—or seemingly stolen—data is sufficient to claim a successful attack, some ransomware actors have begun fabricating victim disclosures. In many cases, this involves posting previously leaked or publicly available material, either to coerce payment from uninvolved companies or to artificially inflate their reputation and attract new affiliates. This behavior has been particularly evident with Babuk-Bjorka and was adopted by LockBit after its takedown in early 2024.

As a result, victim statistics based solely on ransomware group disclosures are becoming increasingly unreliable. It remains unclear whether the sharp rise in reported victims reflects a true increase in breaches or simply a spike in false or recycled claims. Supporting this skepticism, a recent analysis by Chainalysis shows a 35% drop in actual cryptocurrency payments to ransomware actors—suggesting either a lower rate of successful extortion or a widening gap between claimed and real-world incidents.
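To make the measurement problem described here (and in the Babuk-Bjorka section above) concrete, the following Python snippet is an added example, not Check Point's own tooling: it walks a set of DLS claims in posting order, flags any claim that repeats a victim another group already posted, and recomputes a per-month average with one group's mass-disclosure wave discounted. The claims are constructed sample data and the name normalization is a simple heuristic, both assumptions of this example.

```python
import re
from collections import Counter
from datetime import date

# Constructed sample DLS claims: (group, victim as posted, date posted). Not real data.
CLAIMS = [
    ("ransomhub", "Acme Corp", date(2025, 1, 5)),
    ("babuk-bjorka", "ACME CORP.", date(2025, 1, 20)),          # repeats RansomHub's post
    ("babuk-bjorka", "Fabrikam Inc", date(2025, 1, 22)),
    ("cl0p", "Northwind Logistics", date(2025, 2, 20)),
    ("cl0p", "Contoso Ltd.", date(2025, 2, 20)),
    ("funksec", "northwind logistics", date(2025, 3, 2)),       # repeats Cl0p's post
    ("medusa", "Globex", date(2025, 3, 9)),
]

# Corporate suffixes dropped during normalization (heuristic, assumed list).
SUFFIXES = {"inc", "ltd", "llc", "corp", "co", "gmbh", "plc", "sa"}

def normalize(victim: str) -> str:
    """Collapse case, punctuation and trailing suffixes so 'ACME CORP.' == 'Acme Corp'."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", victim.lower()).split()
    while tokens and tokens[-1] in SUFFIXES:
        tokens.pop()
    return " ".join(tokens)

def flag_recycled(claims):
    """Return (originals, recycled). The earliest post of a victim is the original;
    every later post of the same normalized name is recycled and tagged with the
    group that posted it first."""
    first_seen = {}
    originals, recycled = [], []
    for group, victim, posted in sorted(claims, key=lambda c: c[2]):
        key = normalize(victim)
        if key in first_seen:
            recycled.append((group, victim, first_seen[key]))
        else:
            first_seen[key] = group
            originals.append((group, victim, posted))
    return originals, recycled

def recycled_share_by_group(claims):
    """Fraction of each group's posts that duplicate an earlier claim."""
    _, recycled = flag_recycled(claims)
    total = Counter(c[0] for c in claims)
    dup = Counter(c[0] for c in recycled)
    return {g: dup[g] / total[g] for g in total}

def monthly_average(claims, months, exclude_group=None):
    """Claims per month, optionally discounting one group's disclosure wave."""
    kept = [c for c in claims if c[0] != exclude_group]
    return len(kept) / months
```

Running `flag_recycled(CLAIMS)` on the sample yields five original claims and two recycled ones, and `monthly_average(originals, 3, exclude_group="cl0p")` shows how a single group's wave shifts the quarterly average.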

The industry distribution of ransomware victims in Q1 2025 reflects a typical cross-sectoral spread, with no single vertical overwhelmingly targeted.

Figure 10 – Ransomware Victims by Industry, Q1 2025
