Ransomware Attacks on Organizations Surge 213% in Q1 of 2025
Ransomware attacks on businesses worldwide increased by 213% in the first quarter of 2025, with 2,314 victims listed across 74 distinct data breach sites, compared to just 1,086 in the first quarter of 2024, a startling increase in cyber threats.
According to Optiv’s Global Threat Intelligence Center (gTIC), this surge follows a year of relatively stable attack numbers and marks a significant shift from Q4 2024’s 1,782 victims.
Unprecedented Growth in Ransomware Victims
The report highlights a 32% increase in ransomware variants, rising from 56 in Q1 2024 to 74 this year, driven by the emergence of new strains and rebranding efforts.
Notably, Cl0p, RansomHub, and Akira have overtaken LockBit, previously the dominant player since 2022, as the leading ransomware strains by victim count.
Cl0p alone saw a 1400% spike in activity, listing 358 victims in Q1 2025, largely due to exploiting zero-day vulnerabilities in Cleo managed file transfer (MFT) solutions, targeting sectors like retail.
This dramatic rise in ransomware activity spans all industry verticals, with industrials, consumer cyclicals, and technology emerging as the most targeted sectors; the latter two experienced over triple the attacks compared to last year.
Geographically, North America remains the hardest hit, though all regions reported increased compromises.
Persistent Threats Across Verticals
Attackers continue to rely on proven initial access methods, including social engineering via phishing, exploitation of software vulnerabilities in tools like VMware ESXi and Microsoft Exchange, and supply-chain attacks facilitated by initial access brokers (IABs).
The gTIC assesses with high confidence that ransomware will remain a pervasive threat over the next 12 months, fueled by the profitability of extortion payments and the proliferation of ransomware-as-a-service (RaaS) models.
Double-extortion tactics, where data is both encrypted and threatened with being leaked, are expected to dominate, while new groups like VanHelsing and deceptive operations like Babuk2 further complicate the threat landscape.
VanHelsing, a multi-platform RaaS targeting Windows, Linux, and ESXi systems, emerged in March 2025, while Babuk2 appears to be a social engineering ruse repurposing old leaks.

The report also warns of continued targeting of file transfer products like Progress MOVEit and Fortra GoAnywhere, as seen in Cl0p’s recent exploits.
Meanwhile, RansomHub, linked to Alphv (BlackCat), maintained high activity in Q1 but mysteriously went dark by March 31, sparking speculation of a rebrand to DragonForce.
Optiv’s gTIC predicts with moderate confidence a rise in state-sponsored advanced persistent threat (APT) groups using ransomware for disruption or financial gain, especially against critical sectors like healthcare and energy, which are attractive due to high-value data and minimal tolerance for downtime.
With payments ongoing, ransomware operators keep adapting and have minimal incentive to cease. The landscape is poised for further fragmentation, with rebranding, affiliate migration, and partnerships with IABs likely to intensify, making 2025 a challenging year for cybersecurity defenses globally.