Our in-depth 2025 ransomware trends analysis highlights major shifts in the cyber threat landscape. The report breaks down activity by quarter, showcasing both emerging threats and dormant actors. Stay ahead of the curve — explore the free features of our intelligence platform, including live attack tracking, group analytics, and ransomware victim statistics.

Ransomware Activity Trends in 2025: A Deep Dive into Group Dynamics by Quarter

Introduction

The year 2025 continues to be a turbulent period in the world of ransomware. With dozens of threat actors actively breaching networks, encrypting data, and demanding ransoms, security professionals worldwide are tracking the fluctuating activity levels of these groups. Our intelligence platform has analyzed ransomware group behavior across Q1, Q2, and Q3 of 2025, identifying key surges and declines in attack volumes. This report summarizes those findings by group, outlines strategic shifts, and highlights dormant actors like RansomHub who, despite historical prominence, have ceased operations.

Overview of 2025 Ransomware Activity

Ransomware activity during 2025 has demonstrated significant volatility. Some groups have surged in attack volume quarter-over-quarter, while others have shown signs of retreat or dissolution. Notably, new players have emerged while some dominant names from previous years—like RansomHub—have exited the scene.

Comparison of Quarterly Ransomware Attacks (https://darkfeed.io/indexransomware/)

Q1 2025: Aggressive Expansion by Select Groups

The first quarter of 2025 saw increased activity from several major ransomware collectives:

  • Qilin launched an aggressive campaign with 113 attacks, marking a 105.5% increase over Q4 2024. Their momentum began building in late 2024 and peaked in Q1.
  • DragonForce also posted an impressive rise of 70.6%, signaling their shift from a fringe player to a more central figure in the ransomware landscape.
  • Lynx grew by 139.5%, with 103 reported attacks, establishing themselves as a dominant force in early 2025.
  • Stormous and RansomEXX both recorded significant growth in Q1, benefiting from aggressive targeting of weaker sectors.
  • In contrast, RansomHub, despite leading with 281 attacks, was in the final phase of its lifecycle. Behind the scenes, activity began shifting to splinter groups. This quarter marked their last major offensive before going dark.
  • Other groups with notable increases: LeakedData (up from 0 to 25 attacks), NightSpire (13 attacks after dormancy), DarkVault (29 attacks, a 107.1% rise).
  • Meanwhile, LockBit, once a global leader, saw only 22 attacks, a 75.8% drop from Q4 2024, indicating either operational restructuring or increased pressure from law enforcement.
Top Ransomware Groups in 2025 – Quarterly Attack Patterns and Volatility in Group Activity (https://darkfeed.io/ransomgroups/)

Q2 2025: Strategic Retractions and Resurgence

Q2 2025 showcased a landscape in flux:

  • Qilin nearly doubled again, reaching 207 attacks—an 83.2% jump from Q1. This positioned them as the new de facto leader among active groups.
  • Akira continued their consistent growth, logging 130 attacks, albeit down 12.75%, showing signs of leveling off.
  • Play bounced back with 125 attacks, a 54.3% increase from Q1, regaining relevance after a quieter Q4 2024.
  • Cactus, however, completely disappeared from the radar after a 100% drop from 84 attacks in Q1.
  • RansomHub recorded 0 attacks, confirming its full cessation of activity.
  • Larger fluctuations appeared elsewhere: RA Team surged to 17 attacks, a 100% increase. InterLock exploded by 316.7%, with 25 attacks, making it one of the fastest-growing mid-tier groups. NightSpire tripled its output with 47 attacks, confirming consistent resource growth.
  • At the same time, Medusa Blog, BianLian, and INC each experienced double-digit percentage declines, suggesting possible operational or infrastructural setbacks.

Q3 2025 (Ongoing): Stabilization and Shifting Alliances

Though Q3 2025 is ongoing, early indicators show several stabilization trends:

  • Qilin continues to lead and shows no signs of slowing down. Their rapid infrastructure scaling from 2024 has given them a significant lead.
  • Play and Akira have maintained strong but controlled output.
  • DragonForce and NightSpire are becoming notable tier-two threats, building consistent monthly operations.
  • LockBit, once the face of ransomware, continues to decline, now well below former averages.
  • RansomHub remains fully inactive. Our intelligence suggests former members have migrated to smaller offshoots or joined other active groups like Akira or Qilin.
Stay informed with real-time insights into each threat actor’s operations and targets
The Groups Overview page on Darkfeed provides real-time intelligence, including live statistics, attack volumes, and key details about each ransomware and threat actor group active on our platform (https://darkfeed.io/overview/)

Trend Summary: Who’s Rising, Who’s Falling

On the Rise:

  • Qilin – unmatched growth and volume in Q2 and Q3
  • InterLock – aggressive jump in Q2
  • Stormous – reestablished presence
  • DragonForce – steady growth and technical evolution

Stable Performers:

  • Play – regained strength with consistency
  • Akira – maintained a top-3 position

Declining or Inactive:

  • RansomHub – completely inactive since Q1
  • LockBit – continual decline since early 2024
  • Cactus – dropped to 0 after strong Q1
  • DarkVault – resurged in Q1 but dropped again in Q2

Real-Time Intelligence as a Strategic Necessity

Tracking ransomware group activity isn't just about statistics—it’s about enabling smarter defense, faster decision-making, and greater organizational resilience. In a time when cyber threats evolve daily, staying ahead of ransomware trends is critical for businesses of all sizes.

That’s where our intelligence platform plays a transformative role. Built specifically to monitor ransomware operations across the globe, our dashboard delivers live data on ransomware attacks, victim organizations, sectors, geographic targeting, and attacker trends. Whether you’re a small business, a security operations center (SOC), or a large enterprise, the platform offers a cost-effective, easy-to-use, and highly actionable view into the threat landscape.

Affordable Intelligence for Every Organization

Most threat intelligence platforms are costly and complex. Ours is designed to be accessible to companies of any size, offering the power of enterprise-grade threat monitoring at a fraction of the cost.

The platform includes:

  • Live victim feed with real-time breach alerts
  • Quarterly and monthly ransomware statistics
  • Group-by-group behavior tracking
  • Country and sector breakdowns
  • Visual maps and dashboards for executive-level visibility

This makes our platform uniquely positioned to support both cybersecurity teams and decision-makers. Whether you're trying to defend a startup or manage risk across a multinational corporation, we give you the tools to stay informed, stay protected, and stay ahead.

Live Cyber Attack Tracker – Ransomware & Breach Intelligence (https://darkfeed.io/threat-map/)

Stay Ahead with Affordable Cyber Intelligence

With the ransomware landscape evolving at this pace, it's no longer enough to rely on historical reports or manual tracking. Organizations must pivot to live, affordable threat intelligence—and our platform provides just that. Whether you’re mitigating current risks or planning your future cyber strategy, the insights we deliver can make the difference.

Conclusion

The ransomware ecosystem in 2025 reveals how quickly group dynamics can shift. Once-dominant forces like LockBit and RansomHub have ceded control to rapidly growing operations like Qilin and InterLock. Meanwhile, the void left by RansomHub’s departure is being filled by new or resurgent actors.

Cybersecurity defenders and analysts must stay agile, watching not just for the volume of attacks but for subtle shifts in leadership, infrastructure, and strategic targeting. The current landscape reinforces the necessity of real-time intelligence, strong defense-in-depth strategies, and cross-border coordination.

As always, Darkfeed Intelligence will continue to monitor and publish updates on active threats. For full access to our ransomware tracking dashboard, quarterly summaries, and group breakdowns, visit our platform.