213% Increase in Ransomware Attacks Targeting Organizations in the First Quarter of 2025
The first quarter of 2025 has witnessed an unprecedented surge in ransomware attacks, with 2,314 victims listed across 74 unique data leak sites, representing a staggering 213% increase compared to the 1,086 victims recorded in the same period last year.
This dramatic escalation marks a significant departure from the relatively stable ransomware landscape observed throughout 2024, where threat actors appeared to focus on highly targeted attacks rather than volume-based campaigns.
The ransomware ecosystem has undergone substantial transformation, with 74 active ransomware groups operating data leak sites in Q1 2025, up from 56 variants in the corresponding period of 2024.
This expansion reflects the growing sophistication and diversification of the ransomware-as-a-service (RaaS) model, where cybercriminals lease their malicious software to affiliates who conduct the actual attacks.
The surge has affected organizations across all industry verticals, with industrials, consumer cyclicals, and technology sectors bearing the brunt of these attacks.
Perhaps most striking is the dramatic shift in the ransomware hierarchy, with Cl0p emerging as the dominant threat actor after listing 358 victims in Q1 2025, compared to just 93 victims throughout all of 2024.
This represents a remarkable 284% increase in activity, primarily driven by the group’s exploitation of two zero-day vulnerabilities in Cleo managed file transfer solutions.
Optiv analysts identified that Cl0p’s February 2025 campaign alone resulted in 389 victims, demonstrating the devastating impact of supply chain vulnerabilities when weaponized by skilled threat actors.
The ransomware landscape has also seen the emergence of new players, including VanHelsing and Babuk2, while established groups like RansomHub and Akira maintained high attack volumes.
Notably, the previously dominant LockBit ransomware operation has continued its decline following law enforcement disruption in February 2024, dropping to 22nd position with only 24 victims listed in Q1 2025.
Cl0p’s Zero-Day Exploitation Campaign
The most significant development in Q1 2025 was Cl0p’s sophisticated exploitation of CVE-2024-50623 and CVE-2024-55956, two zero-day vulnerabilities discovered in Cleo’s managed file transfer software.
This campaign exemplifies the evolution of ransomware tactics, where groups leverage supply chain vulnerabilities to achieve maximum impact with minimal effort.
The Cl0p ransomware, first identified in February 2019 as an evolution of the 2016 CryptoMix variant, employs sophisticated obfuscation techniques and is digitally signed with legitimate certificates to evade detection by security tooling.
The malware’s technical architecture includes geographic restrictions that terminate execution when targeting Commonwealth of Independent States countries, a common characteristic among Russian-affiliated ransomware operations.
Cl0p primarily targets Active Directory servers to achieve comprehensive network compromise, appending the “.ClOP” extension to encrypted files while maintaining its dark web presence through the “>CLOP^-LEAKS” data leak site.
This dual-extortion approach combines traditional file encryption with data theft, maximizing pressure on victims to pay ransoms.
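The file-extension behaviour described above lends itself to a straightforward host-side detection. The Python script below is an added example, not code from the Optiv report or from this article: it parses constructed file-rename events, flags any rename whose destination carries the .ClOP extension, and raises an alert when a single host renames many files within a short sliding window, which is the signature of bulk encryption rather than a stray file. The log format, host names, paths, and the 60-second / 5-file thresholds are assumptions; the case-insensitive extension match is a deliberate choice so that casing variants are still caught.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extension Cl0p appends to encrypted files (from the report). Compared
# case-insensitively as an assumption, so casing variants are still caught.
CLOP_EXTENSION = ".clop"

# Constructed sample file-event log; the line format is an assumption:
#   <ISO timestamp> <host> RENAME <old path> -> <new path>
SAMPLE_LOG = """\
2025-02-10T03:14:01 fs-01 RENAME C:\\Shares\\Finance\\q4_report.xlsx -> C:\\Shares\\Finance\\q4_report.xlsx.ClOP
2025-02-10T03:14:01 fs-01 RENAME C:\\Shares\\Finance\\budget.docx -> C:\\Shares\\Finance\\budget.docx.ClOP
2025-02-10T03:14:02 fs-01 RENAME C:\\Shares\\Finance\\payroll.csv -> C:\\Shares\\Finance\\payroll.csv.ClOP
2025-02-10T03:14:02 fs-01 RENAME C:\\Shares\\HR\\contracts.pdf -> C:\\Shares\\HR\\contracts.pdf.ClOP
2025-02-10T03:14:03 fs-01 RENAME C:\\Shares\\HR\\offer_letter.docx -> C:\\Shares\\HR\\offer_letter.docx.ClOP
2025-02-10T03:20:45 ws-07 RENAME C:\\Users\\alice\\draft.txt -> C:\\Users\\alice\\final.txt
2025-02-10T04:02:10 fs-02 RENAME D:\\Archive\\old.zip -> D:\\Archive\\old.zip.ClOP
"""

RENAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) RENAME (?P<old>.+?) -> (?P<new>.+)$"
)


def is_clop_rename(new_path: str) -> bool:
    """True when the destination path carries the Cl0p encryption extension."""
    return new_path.lower().endswith(CLOP_EXTENSION)


def parse_events(log_text: str):
    """Yield (timestamp, host, new_path) for every RENAME line that parses."""
    for line in log_text.splitlines():
        m = RENAME_RE.match(line)
        if not m:
            continue  # skip malformed or non-RENAME lines
        yield datetime.fromisoformat(m["ts"]), m["host"], m["new"]


def detect_encryption_bursts(log_text: str, window_seconds: int = 60, threshold: int = 5):
    """Return every .ClOP rename as an indicator, plus one alert per host that
    renamed at least `threshold` files to the extension inside any sliding
    window of `window_seconds`. A lone .ClOP file is worth a look; a burst on
    one host is the encryption run itself."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # host -> timestamps of recent .ClOP renames
    alerts, alerted, indicators = [], set(), []
    # Sort so out-of-order log lines do not break the sliding window.
    for ts, host, new_path in sorted(parse_events(log_text)):
        if not is_clop_rename(new_path):
            continue
        indicators.append((host, new_path))
        q = recent[host]
        q.append(ts)
        while q and ts - q[0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerted:
            alerted.add(host)
            alerts.append({"host": host, "first_seen": q[0].isoformat(), "count": len(q)})
    return {"alerts": alerts, "indicators": indicators}


if __name__ == "__main__":
    result = detect_encryption_bursts(SAMPLE_LOG)
    for host, path in result["indicators"]:
        print(f"indicator  {host}  {path}")
    for alert in result["alerts"]:
        print(f"ALERT  {alert['host']}  {alert['count']} files from {alert['first_seen']}")
```

On the constructed log, fs-01 trips the burst alert (five renames within two seconds) while the single .ClOP file on fs-02 is reported only as an indicator; lowering the threshold to 1 turns every host with an indicator into an alert, which is the trade-off between early warning and noise that any such rule has to make.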
The retail sector experienced particular devastation during this campaign, with Cl0p responsible for nearly half of all retail victims in Q1 2025, highlighting how supply chain vulnerabilities can cascade across entire industry verticals when exploited by determined threat actors.