May 2025 was a busy month (and not for good reasons). A new wave of cyberattacks hit hard across all sectors: banks, hospitals, public institutions—no one was spared. And if there are two names that keep popping up among the culprits, they’re SafePay and DevMan. Until recently, they were nearly unknown, but now they’re the talk of the cybersecurity world. The reason? Their attacks are swift, well-coordinated, and increasingly difficult to stop. They’ve leveled up—and with them, so has the concern of those trying to keep their networks secure.
Last month, SafePay claimed the top spot among ransomware groups, making it clear it’s no longer a minor threat but a major player in the game. A total of 384 victims were recorded in May, marking the third consecutive month of declining attack numbers. Still, the landscape remains volatile: since RansomHub—the dominant group for over a year—vanished at the end of March (possibly after an infrastructure attack by rival DragonForce), leadership among cybercriminals has been in constant flux.
Top Ransomware Groups
In May, SafePay secured the top spot with 58 confirmed attacks, narrowly surpassing Qilin, which had led in April and added 54 victims this month. Following them were Play, Akira, and NightSpire, rounding out the top five most active ransomware groups.
Once again, the United States was the favorite target of attacks, with 181 victims in May. To put that into perspective, that's more than seven times the number recorded in Germany, which came in second. (The chart below illustrates this clearly.)
The most heavily hit sectors in May were, without a doubt, professional services and construction, which together accounted for 101 attacks. Far behind—though still on cybercriminals' radar—were manufacturing, government, healthcare, finance, IT, transportation, consumer goods, and education, rounding out the top 10 most targeted industries.
SafePay and DevMan: The Relentless New Threats
SafePay is making waves—and big ones. Since its first appearance in the fall of 2024, it has already racked up 198 victims. Its previous record was 43 attacks in March, but in May it shattered all its own numbers and topped the ransomware group rankings for the first time.
How do they get in? Their preferred entry points are internet-exposed VPN and RDP (remote access) services, reached with stolen credentials or by password spraying: trying a handful of common passwords against many accounts, which keeps each account under its lockout threshold while still finding the weak ones. Once inside, they run the double-extortion playbook: first they steal the data, then they encrypt it, and if you don't pay they threaten to publish everything.
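The spray pattern described above is visible in ordinary authentication logs if you look for the right shape: one source trying few passwords against many accounts, then a success. The following is an added example, not from the original article or from any vendor product, that flags it. The log format, the hosts and accounts in the sample, and the thresholds are constructed assumptions; adapt the line parser to your VPN concentrator export or to Windows 4624/4625 events.

```python
"""Flag password spraying against VPN/RDP logins in authentication logs.

Added example, not from the original article or any vendor tool. The log
format, the hosts and accounts in SAMPLE_LOG, and the thresholds are
constructed assumptions; adapt LINE_RE to your VPN concentrator export or to
Windows 4624/4625 events.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed format: "<ISO timestamp> <vpn|rdp> <FAIL|OK> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<svc>vpn|rdp) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<ip>\S+)$"
)

# Constructed sample: a spray that lands, a legitimate typo, and a single-account brute force.
SAMPLE_LOG = [
    "2025-05-12T02:10:01 vpn FAIL user=jsmith src=203.0.113.7",
    "2025-05-12T02:11:14 vpn FAIL user=mgarcia src=203.0.113.7",
    "2025-05-12T02:12:30 vpn FAIL user=akhan src=203.0.113.7",
    "2025-05-12T02:14:05 vpn FAIL user=lchen src=203.0.113.7",
    "2025-05-12T02:15:47 vpn FAIL user=svc_backup src=203.0.113.7",
    "2025-05-12T02:17:02 vpn FAIL user=rpatel src=203.0.113.7",
    "2025-05-12T02:22:39 vpn OK user=jsmith src=203.0.113.7",       # one guess worked
    "2025-05-12T08:01:10 rdp FAIL user=alice src=198.51.100.5",     # user mistypes twice
    "2025-05-12T08:01:25 rdp FAIL user=alice src=198.51.100.5",
    "2025-05-12T08:01:40 rdp OK user=alice src=198.51.100.5",
    *[f"2025-05-12T09:00:{s:02d} rdp FAIL user=administrator src=192.0.2.9" for s in range(0, 40, 5)],
    "2025-05-12T09:05:00 sshd[1234]: Accepted publickey for ops from 10.0.0.4",  # other format, skipped
]


def parse(lines):
    """Turn matching log lines into dicts; lines in other formats are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=3):
    """Return {src_ip: finding} for sources that failed against >= min_users
    distinct accounts inside `window` while staying at or under max_per_user
    failures per account.

    That shape is the spray signature: brute forcing one account trips its
    lockout, so the attacker rotates accounts instead. A single-account brute
    force (many failures, one user) is deliberately not matched here.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = sorted((e for e in evs if e["result"] == "FAIL"), key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:  # slide the window forward
                start += 1
            per_user = defaultdict(int)
            for e in fails[start:end + 1]:
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                if best is None or len(per_user) > best["accounts_tried"]:
                    best = {
                        "accounts_tried": len(per_user),
                        "first_fail": fails[start]["ts"],
                        "last_fail": fails[end]["ts"],
                    }
        if best:
            # a success from the same source after the spray began means a password landed
            best["successes_after_spray"] = sorted(
                {e["user"] for e in evs if e["result"] == "OK" and e["ts"] >= best["first_fail"]}
            )
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, f in detect_spray(parse(SAMPLE_LOG)).items():
        print(f"{ip}: {f['accounts_tried']} accounts tried between "
              f"{f['first_fail']:%H:%M} and {f['last_fail']:%H:%M}; "
              f"successes after spray: {f['successes_after_spray'] or 'none'}")
```

On the constructed sample only 203.0.113.7 is reported (six accounts, one failure each, followed by a successful login as jsmith); the mistyped password and the single-account brute force are left to other detections. The "success after spray" field is the part worth paging on, because it turns a noisy failed-login alert into a confirmed credential compromise.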
Unlike many other groups, SafePay claims not to operate under the ransomware-as-a-service (RaaS) model; in other words, it does not rent out its tools to external affiliates. That makes the operation more closed off and harder for researchers and law enforcement to infiltrate, since there is no affiliate layer to recruit or compromise.
As for their targets, the United States and Germany are clearly in their sights. In fact, the number of attacks in Germany is well above average. And while SafePay has hit all kinds of industries, it has shown a particular interest in the healthcare and education sectors, whereas government, finance, and tech have been less affected by comparison.
On the other hand, DevMan has been climbing the ranks quickly. Although it began as an affiliate of several ransomware-as-a-service (RaaS) groups, it has recently been seen operating independently, expanding its reach and making it clear that it wants to compete at the highest level. In May it claimed 13 victims, putting it within reach of the month's most active groups and establishing itself as a name to watch.
One of its most notable attacks targeted a media outlet in Thailand. According to the group itself, it encrypted all systems, including NAS devices, using its own custom encryptor, which leaves a distinctive mark: encrypted files end with the extension ".devman1". The group also claims to have used an improved version of its malware in this attack, one that spreads across the network faster by abusing Windows Group Policy Objects (GPO). Group Policy is the built-in mechanism for pushing settings, scripts, and scheduled tasks to every domain-joined machine, so an attacker who has already obtained domain-admin rights can use a single GPO change to deploy the encryptor across the whole domain at once instead of touching hosts one by one.
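The GPO angle matters for defenders because a Group Policy change is logged centrally on the domain controllers. As an added example (not from the original article, not DevMan's code, and not a vendor tool), here is a triage routine over Windows Security event 5136 ("A directory service object was modified") records, represented as already-parsed dicts using the 5136 EventData field names. The account allowlist, the thresholds, the sample events, and the GPO GUIDs other than the well-known Default Domain Policy GUID are constructed assumptions.

```python
"""Triage Windows Security event 5136 records for Group Policy changes that
look like a domain-wide payload push.

Added example, not from the original article, DevMan, or any vendor tool.
Events are dicts keyed by the 5136 EventData field names (TimeCreated,
SubjectUserName, ObjectClass, ObjectDN, AttributeLDAPDisplayName,
AttributeValue, OperationType). GPO_ADMINS, the thresholds and the sample
events are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A GPO container lives at CN={GUID},CN=Policies,CN=System,<domain>
GPO_DN_RE = re.compile(r"^CN=(\{[0-9A-F-]{36}\}),CN=Policies,CN=System,", re.I)
VALUE_ADDED = "%%14674"    # 5136 OperationType code for "Value Added" (%%14675 = "Value Deleted")

GPO_ADMINS = {"gpoadmin", "da_jdoe"}   # assumed: accounts allowed to edit Group Policy

DEFAULT_DOMAIN_POLICY = "{31B2F340-016D-11D2-945F-00C04FB984F9}"   # well-known GUID
GPO_X = "{11111111-2222-3333-4444-555555555555}"   # constructed GPO GUIDs for the sample
GPO_Y = "{66666666-7777-8888-9999-000000000000}"


def _ev(ts, who, dn, attr, value, cls="groupPolicyContainer", op=VALUE_ADDED):
    return {"EventID": 5136, "TimeCreated": ts, "SubjectUserName": who, "ObjectClass": cls,
            "ObjectDN": dn, "AttributeLDAPDisplayName": attr, "AttributeValue": value,
            "OperationType": op}


def _gpo_dn(guid):
    return f"CN={guid},CN=Policies,CN=System,DC=corp,DC=example"


# Constructed sample: one routine edit by an allowed admin during the day, then a
# compromised service account registering a new machine-side extension on one GPO
# and bumping the version of two GPOs within three minutes at 02:30.
SAMPLE_EVENTS = [
    _ev("2025-05-20T09:12:44", "gpoadmin", _gpo_dn(DEFAULT_DOMAIN_POLICY), "versionNumber", "42"),
    _ev("2025-05-21T02:30:08", "svc_backup", _gpo_dn(GPO_X), "gPCMachineExtensionNames",
        "[{CSE-GUID-PLACEHOLDER}{SNAPIN-GUID-PLACEHOLDER}]"),   # constructed value
    _ev("2025-05-21T02:30:09", "svc_backup", _gpo_dn(GPO_X), "versionNumber", "7"),
    _ev("2025-05-21T02:33:51", "svc_backup", _gpo_dn(GPO_Y), "versionNumber", "3"),
    _ev("2025-05-21T02:34:10", "svc_backup", "CN=alice,OU=Staff,DC=corp,DC=example",
        "description", "x", cls="user"),                          # not a GPO, ignored
]


def gpo_guid(dn):
    """Return the GPO GUID from a policy container DN, or None for other objects."""
    m = GPO_DN_RE.match(dn)
    return m.group(1).upper() if m else None


def triage_gpo_changes(events, burst_window=timedelta(minutes=15), burst_gpos=2):
    """Return findings as (timestamp, kind, account, gpo_guids, detail) tuples."""
    findings = []
    edits = defaultdict(list)   # account -> [(ts, gpo_guid)]
    for ev in events:
        if ev["EventID"] != 5136 or ev["ObjectClass"].lower() != "grouppolicycontainer":
            continue
        guid = gpo_guid(ev["ObjectDN"])
        if guid is None:
            continue
        ts = datetime.fromisoformat(ev["TimeCreated"])
        actor = ev["SubjectUserName"].lower()
        attr = ev["AttributeLDAPDisplayName"]
        edits[actor].append((ts, guid))
        if actor not in GPO_ADMINS:
            findings.append((ts, "gpo_edit_by_non_admin", actor, guid, attr))
        if attr == "gPCMachineExtensionNames" and ev["OperationType"] == VALUE_ADDED:
            # a new computer-side client-side extension means a new category of
            # setting (for example a startup script or scheduled task) will apply
            # to every machine the GPO is linked to at the next policy refresh
            findings.append((ts, "new_machine_cse_registered", actor, guid, ev["AttributeValue"]))
    # one account touching several GPOs in a short burst is how a payload gets
    # pushed everywhere at once rather than host by host
    for actor, hist in edits.items():
        hist.sort()
        for ts, _ in hist:
            gpos = {g for t, g in hist if ts <= t <= ts + burst_window}
            if len(gpos) >= burst_gpos:
                findings.append((ts, "gpo_edit_burst", actor, ",".join(sorted(gpos)),
                                 f"{len(gpos)} GPOs within {burst_window}"))
                break
    return sorted(findings)


if __name__ == "__main__":
    for ts, kind, actor, gpos, detail in triage_gpo_changes(SAMPLE_EVENTS):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:<28} {actor:<12} {gpos} {detail}")
```

On the constructed sample the routine edit by gpoadmin produces nothing, while svc_backup trips all three checks: edits by an account outside the allowlist, a new machine-side extension registered on a GPO, and two GPOs changed within minutes. Any one of those at 02:30 deserves a call before the next Group Policy refresh, since that refresh is when the pushed payload runs.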
On their leak site, they posted screenshots showing access to shared folders, server admin panels, domain controller configurations, and encrypted directories. They also claimed to have stolen 170 GB of data and stated they’re willing to sell the entire batch to a single buyer.
DevMan has previously collaborated with other well-known groups such as Qilin, Apos, and DragonForce, and now appears to have formed an alliance with RansomHub as well—demonstrating that its presence in the RaaS world is not only ongoing but more diversified than ever.
VanHelsing Source Code Leak: Drama and Betrayal in the Ransomware World
May also brought a rather curious chapter in the world of ransomware. A known malware developer attempted to sell the complete source code of the VanHelsing ransomware on the RAMP forum for no less than $10,000. The package included everything: the control panel, the victim chat interface, the file server, the blog, the database, and even the keys for the group's Tor services.
But the story took an unexpected turn: the VanHelsing group itself stepped in, published the entire source code for free on the same forum, and accused the developer of being a scammer. And as if that weren’t enough, they also announced that they’re already working on VanHelsing RaaS version 2.0, which they claim will be released “very soon.”
Why does this matter? Because when ransomware source code is leaked—as happened before with LockBit and Babuk—copies and variants tend to pop up everywhere. So it’s highly likely we’ll start seeing VanHelsing clones circulating in the coming weeks.
New Ransomware Groups That Emerged in May
In addition to the usual suspects, May also introduced new players to the board:
- Dire Wolf: Launched its own onion site to publish leaks and already has six victims, mostly in Asia, Australia, and Italy. They're sharing file trees and data samples to prove they mean business.
- DATACARRY: Another newcomer targeting companies in Europe. They've already listed seven victims from various sectors and countries. Although no locker (the malware that encrypts files) has been observed yet, they're already leaking data and contacting victims through Session Messenger.
- J: A mysterious group that first surfaced in March and has now launched its own leak site. Their first post includes companies from South America, Australia, Europe, the U.S., and Asia, along with screenshots of compromised files.
Notable Attacks in May: Who Was Targeted and How?
May also brought a substantial list of attacks with potentially high impact. Some are confirmed, while others are still unverified claims, but they stand out due to the nature of their targets.
Here are some of the most noteworthy:
- United Kingdom: Targeted in a series of retail attacks in late April and early May, possibly linked to Scattered Spider and DragonForce.
- Silent: Claimed to have hacked a U.S. network security company, stealing over 760 GB of data. They posted screenshots of internal records and sensitive configurations, though the company downplayed the severity of the breach.
- Qilin: Took credit for attacking a U.S. cybersecurity and satellite communications provider working with the government and critical sectors. They also claimed responsibility for an attack on a Japanese shipyard, potentially compromising data tied to the Coast Guard and Navy.
- Termite: Claimed to have stolen over 550 GB from a French tech company involved in defense and aerospace.
- Play: Reported compromising a U.S. provider of early warning and emergency communication systems for government and military agencies.
- Akira: Claimed responsibility for an attack on a Japanese energy subsidiary and a Greek shipping company specializing in oil transportation.
- Lynx and Qilin: Targeted architecture firms in Saudi Arabia and a construction company in Singapore, respectively.
- INC Ransom: Claimed to have attacked a South African airline.
- BERT: Said it compromised a Taiwanese manufacturer of automation equipment for the semiconductor and electronics industries, though the company denied any real damage occurred.
- Medusa: Targeted a U.S.-based tech provider offering infrastructure, cloud, and cybersecurity services to governments and enterprises.
- Arkana: Claimed an attack on a UK-based multinational mining corporation.
- Everest: Allegedly breached both a UAE airline and a pharmaceutical company in Saudi Arabia.
Conclusion
While some ransomware groups have vanished or lost momentum, others are clearly not only active but adapting and evolving quickly. The ransomware landscape is as alive as ever, and that makes a solid cybersecurity foundation indispensable.
It's not just about having antivirus software or making occasional backups. Protecting your organization requires consistency and strategy: fundamental but effective practices such as prioritizing vulnerabilities based on real risk, properly securing internet-exposed assets (starting with the VPN and RDP services that groups like SafePay go after), segmenting critical networks, maintaining backups that ransomware cannot reach (offline or immutable copies, tested for restore), applying Zero Trust principles, configuring systems correctly, and monitoring everything from networks and endpoints to the cloud.
And this is where TecnetOne can make a real difference. Our cybersecurity solutions help identify exposures before attackers do, prioritize the fixes that truly matter, and detect early warning signs like leaked credentials or suspicious behavior. Want to know how your organization stands against these threats?