Ransomware Attacks Have Soared This Year

Ransomware attacks have soared 50% in 2025 despite major changes among the leading ransomware groups, according to a new Cyble report.

Through October 21, there have been 5,010 ransomware attacks claimed by ransomware groups on their dark web data leak sites, up from 3,335 in the same period of 2024, according to a Cyble blog post.

“From the decline of RansomHub to the rise of Qilin and newcomers like Sinobi and The Gentlemen, ransomware group leadership has been in flux for much of 2025, but affiliates have been quick to find new opportunities, and a steady supply of critical vulnerabilities has helped fuel attacks,” Cyble said.

The threat intelligence company noted that its new threat landscape report (registration required) also documents record data breaches and supply chain attacks, as the cyber landscape has become more dangerous in general this year.

Qilin Led All Ransomware Groups Once Again

September marked the fifth consecutive monthly increase in ransomware attacks, and Qilin led all ransomware groups for the fifth time in six months, as the group has solidified its leadership in the wake of RansomHub’s decline.

In all, ransomware groups claimed 474 victims in September, up slightly from August (chart below). That’s well below February’s record, “yet still among the highest monthly ransomware attack totals on record,” Cyble said.

Ransomware attacks by month 2021-2025 (Cyble)

The U.S. remains by far the biggest target for ransomware groups, with its 259 victims accounting for nearly 55% of attacks in September (chart below). Germany, France, Canada, Spain, Italy and the UK remain consistent targets, but South Korea emerged as a new major target, in second place behind the U.S. with 32 attacks, largely due to one campaign by Qilin.

Ransomware attacks by country September 2025 (Cyble)

Of the 32 South Korean attacks recorded in September, 29 came from Qilin’s “KoreanLeak” campaign that targeted asset management companies in the country. Cyble noted that “One of the asset management firms said its systems were impacted through a ransomware attack on its IT management provider, indicating a possible supply chain compromise affecting multiple firms simultaneously.”

The campaign also made South Korea by far the most attacked country in the APAC region in September, well ahead of India, Thailand and Taiwan.

Qilin’s South Korean campaign made Banking, Financial Services and Insurance (BFSI) the third most attacked sector in September, behind Construction and Manufacturing and ahead of Professional Services, IT and Healthcare (chart below).

Ransomware attacks by sector September 2025 (Cyble)

The Emergence of The Gentlemen Ransomware Group

Qilin led all ransomware groups with 99 claimed victims, 40 ahead of second-place Akira (chart below).

Top ransomware groups September 2025 (Cyble)

The emergence of The Gentlemen, a new group that has claimed 46 victims to date, was a noteworthy development. “The group’s use of custom tools targeting specific security vendors and the geographic diversity of its targets … suggests that the group may have the resources to become an enduring threat,” Cyble said.

The full Cyble blog detailed 11 significant ransomware incidents in September, including some with supply chain implications, and also included recommendations for defenders.



About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.