If the first half of 2025 made anything clear, it’s that ransomware is not only alive—it’s stronger, smarter, and better organized than ever. At the center of this wave of cyberattacks, three criminal groups took the spotlight. Together, they accounted for more than a third of all reported incidents worldwide: over a thousand attacks in just six months. No sector was out of their reach. No region came out unscathed.
These actors no longer hide in the dark corners of the internet; today they operate with the precision of a well-oiled machine, causing disruptions on a global scale.
The numbers speak for themselves: in the first six months of the year, ransomware attacks rose by 54% compared to the same period in 2024, reaching 3,201 confirmed incidents. While dozens of groups were active, most of the largest offensives came from these three names… and they didn’t act alone.
Let’s step into the world of the top ransomware players in the first half of 2025: CL0P, Akira, and Qilin.
CL0P Ransomware: The Master of Zero-Day Exploits
Active since 2019, CL0P is no ordinary player in the ransomware world—it’s a veteran that has made high-impact extortion its trademark. And in 2025, it didn’t just lead the game; it dominated it. In February alone, for example, it was behind 37% of all ransomware attacks recorded worldwide.
Unlike many groups that operate under the ransomware-as-a-service (RaaS) model, CL0P keeps control at all times. Its structure is more of a centralized operation: they manage every stage of the attack themselves, from finding and exploiting vulnerabilities to publicly leaking stolen data on their own portal, CL0P^_- LEAKS.
Their weapon of choice for gaining entry: zero-day exploits, especially in file transfer software. Tools like MOVEit and GoAnywhere MFT have been frequent targets in their playbook. The pattern is always the same—exploit an unknown vulnerability, steal sensitive data, and then deploy ransomware to complete the masterstroke of double extortion.
In terms of geographical impact, North America—particularly the United States and Canada—was hit the hardest, with a high number of corporate and government victims.
CL0P Ransomware Group Targets by Country (Source: Cyble)
Banks, hospitals, universities, and even government agencies have felt CL0P’s pressure. Its precise and technically flawless attack methods keep it among the most feared names in the ransomware world.
Akira Ransomware: Chaos on Wheels and Production Lines
In the first half of 2025, Akira made its mark across much of North America and Europe, but its hardest blow was felt in Germany—the manufacturing epicenter of the continent.
This group knows exactly where to strike to cause maximum damage. From professional services and construction to automotive and manufacturing, Akira set its sights on sectors that form the backbone of national economies. And it did so with surgical precision—launching attacks at key moments to trigger the greatest possible disruption.
While its ransom demands are not always made public, its strategy makes it clear that money isn’t the only goal. Akira aims to create systemic interruptions, paralyzing entire industries. Its renewed push in Europe, particularly in the DACH region (Germany, Austria, and Switzerland), is no coincidence—it’s a calculated move that should set off alarms for companies in the area.
Sector Focus of the Akira Ransomware Group (Source: Cyble)
Qilin Ransomware: Ransomware-as-a-Service Taken to the Extreme
Qilin is not just another ransomware group—it operates as a true cybercrime franchise under the Ransomware-as-a-Service (RaaS) model. Its growth has been meteoric, with more and more affiliates joining its ranks.
Its biggest differentiator is scale. Qilin offers its partners the ability to launch fully customizable attacks, enabling them to hit virtually any sector—healthcare, manufacturing, construction, energy, and utilities. In April 2025 alone, its campaigns left 72 confirmed victims.
Its infrastructure is built to operate on a global scale. From Singapore and India to the United States and Europe, Qilin is executing an unrestrained expansion strategy. In the APAC region, it was the most active group, with 32 reported attacks in just six months, cementing its position as one of the most aggressive threats of 2025.
The Leading Ransomware Group Targeting the APAC Region (Source: Cyble)
The New Wave: Ransomware Actors Breaking the Rules
While the “Big Three” dominated headlines in the first half of 2025, something equally unsettling was taking shape in the shadows: a new generation of ransomware groups—more agile, more experimental, and with tactics that break the traditional mold.
In recent months, we’ve seen the emergence of actors who don’t necessarily follow the classic script of encrypting files. Some don’t even use lockers, yet still manage to pressure victims with leak threats. Among them:
- Dire Wolf – Launched a leak site on the dark web, focusing on victims in Asia and Italy.
- Silent Team – Struck aerospace and engineering companies, stealing over 2.8 TB of highly confidential data.
- DATACARRY and Gunra – Active in Europe, the Americas, and Asia, testing encryption-free extortion models.
- “J” – A mysterious operator with victims on five continents, hinting at a globally coordinated offensive.
This trend points to a dangerous mutation: using data theft as the primary weapon, without deploying ransomware. Without encryption, many detection systems aren’t triggered—but the reputational risk and exposure of critical information remain devastating.
An Ever-Evolving Ecosystem
Ransomware is no longer a one-off attack—it’s an expanding criminal ecosystem. Barriers to entry are lower than ever, tactics change quickly, and both old and new actors are moving with greater confidence and sophistication.
For cybersecurity teams and business leaders, it’s no longer enough to monitor the dark web or patch known vulnerabilities. Proactive, intelligence-based defense with anticipatory response is the only way to stay one step ahead in this ever-changing game.
How TecnetOne Can Help Keep You Protected
In the face of this shifting threat, solutions like TecnetProtect offer comprehensive defense that combines advanced backup, real-time anti-malware protection, and detection and response capabilities. Its Active Protection technology is designed to identify and stop ransomware-like behaviors before they can encrypt or exfiltrate data.
Additionally, by integrating immutable backups, it enables rapid data restoration, minimizing impact and downtime. When every second counts, having TecnetProtect means betting on proactive protection—ready to face the ransomware of today… and tomorrow.