Most Active Ransomware Groups in June 2025: Qilin Tops the List

Written by Adriana Aguilar | Jul 7, 2025 11:51:33 PM

Qilin once again topped the ransomware group rankings in June, marking the second time in just three months that it has reached the top spot. Everything points to it taking advantage of the chaos that has sidelined RansomHub since early April.

RansomHub had been the most active group for over a year, until DragonForce (its main rival) claimed to have taken control of its infrastructure, in what many see as possible sabotage. Amidst this turmoil, Qilin seized the opportunity and took the top spot in April. Although SafePay briefly took the lead in May, Qilin came back strong in June and completely dominated.

Although June's numbers could still rise as more reports are updated, the fact is that Qilin already has 86 confirmed victims this month. That puts it more than 50 cases ahead of its closest competitors, making it clear who is setting the pace in the world of ransomware right now.


Top 5 most active ransomware groups (Source: Cyble)


Overall, preliminary data indicates that ransomware groups had a total of 377 victims by the end of June. This figure is quite close to the May total, which closed with 401 cases (as seen in the chart below). After three consecutive months of decline since February's record high, this could be a sign that activity is beginning to stabilize somewhat.


The Qilin Ransomware Domain


Although its name comes from a mythical Chinese creature, everything points to Qilin having Russian roots. This can be deduced both from the language they use in their communications and from the fact that they avoid attacking countries in the Commonwealth of Independent States (CIS), a common practice among groups with ties to that region.

Qilin operates as a well-established business under the Ransomware-as-a-Service (RaaS) model, and recently it has even been seen to offer its affiliates things like legal advice and other “benefits,” as if it were a kind of illegal company with customer support included.

During June, the group went after high-value targets in key sectors such as telecommunications, blockchain, healthcare, and transportation. One of its most high-profile attacks was against a US company that provides mobile network solutions for government, commercial, and military customers. According to leaked data, it appears that Qilin managed to access sensitive documents from the facilities, technical plans, and even confidential contracts.

They also claimed responsibility for an attack against a US technology firm specializing in blockchain, which would not only affect the company itself, but also its entire supply chain, including partners and customers who rely on its infrastructure and innovative legal frameworks.

Another major target in June was a large logistics and freight transport company, also based in the US. Qilin seems to have a clear focus, as, like other major ransomware groups, it concentrates most of its attacks on the United States. In fact, in June, it claimed responsibility for 50 of the 213 attacks recorded in that country.


Interestingly, unlike other ransomware groups that tend to focus almost exclusively on sectors such as construction, professional services, healthcare, or manufacturing, Qilin has shown a more balanced approach. Its attacks in June were spread more evenly across sectors, and a higher share of its victims came from the financial sector than is the case for other groups.

It remains to be seen whether Qilin will manage to stay at the top for as long as RansomHub did, but the truth is that its strategy of attracting affiliates with advanced technology and well-established services is working (and quite well) for now.


Ransomware Highlights in June


Although Qilin dominated the month, its competitors did not sit idly by. June brought several interesting developments in the world of ransomware, with new groups emerging and affiliate programs entering the scene.


Hacktivism and ransomware: CyberVolk joins the game


One striking example was the pro-Russian hacktivist group CyberVolk, which on June 26 announced its own ransomware payload for future attacks. Just two days later, an active sample was already detected in circulation. This ransomware encrypts files using the “.CyberVolk” extension and leaves a ransom note named “READMENOW.txt.” Everything points to hacktivists further crossing that thin line between digital activism and cybercrime.


Nova ransomware: A new RaaS service hits the market


Another actor, known as RALord, began looking for affiliates on forums such as DarkForums to launch his ransomware-as-a-service platform, called Nova. In his post, he detailed a whole “professional” package: an internal chat for negotiations, a control panel for affiliates, detailed statistics, a ticket system, customized lockers for different operating systems, and even a complete guide.

Lifetime access was offered for $300, with discounts for early adopters. RALord, which first appeared in March 2025, changed its name to Nova at the end of April. Its scheme gives affiliates 85% of profits, sells lockers at €200 per operation, and takes a 10% cut if decryption tools are sold. The malware is written in Rust, designed specifically to attack Windows machines, and adds the .RALord extension to encrypted files.


Chaos Ransomware: Speed and customization as its hallmark


A new group offering its RaaS platform under the name Chaos was also detected. They advertised themselves on the RAMP forum, highlighting that their ransomware is fast, customizable, and compatible with multiple systems (Windows, Linux, NAS, ESXi, etc.).

Among the features they promote are individual-key encryption, configurable target paths, speeds of up to 1 TB in 10 minutes, and the ability to operate silently without leaving traces. Their control panel promises AI-powered tools, detailed victim statistics, integrated chat, and ticket support. The entry price is not insignificant: a $10,000 deposit, refunded once the affiliate achieves their first “successful payment.” And, like other groups, they claim to avoid attacking governments and countries in the BRICS or CIS blocs.


Kawa4096 Ransomware: Another player joins the fray


A new group called Kawa4096 has also appeared on the radar. Open source intelligence (OSINT) revealed that they already have an active leak site on the Tor network and are operating normally. Their ransomware uses random extensions on encrypted files and leaves a ransom note with instructions to contact them via Tox or visit their site on the dark web.

So far, the site shows five victims, although the names of four of them are hidden. Interestingly, the site's design is almost identical to that of the Akira group, which could indicate inspiration... or a more direct connection.
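The file-name artifacts reported above (the .CyberVolk extension and READMENOW.txt note, the .RALord extension, and Kawa4096's random extensions) are the kind of indicator a defender can turn into a simple file-audit detection. The script below is an added example, not from the original post or any of the groups' code; the audit line format, host names, and the allowlist of ordinary extensions are constructed assumptions.

```python
import re
from collections import Counter

# Indicators reported in this post: CyberVolk (.CyberVolk, READMENOW.txt) and Nova/RALord (.RALord).
KNOWN_EXTENSIONS = {".cybervolk", ".ralord"}
KNOWN_NOTES = {"readmenow.txt"}
# Assumed allowlist of ordinary extensions; tune to your environment.
COMMON_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".jpg", ".png", ".log", ".db"}
# Assumed file-audit line format (constructed): "<ts> <host> <CREATE|RENAME> <path>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(CREATE|RENAME)\s+(\S+)$")

def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # line does not match the assumed audit format
    ts, host, action, path = m.groups()
    name = path.rsplit("/", 1)[-1].lower()
    ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
    return {"ts": ts, "host": host, "action": action, "name": name, "ext": ext}

def analyze(lines, burst_threshold=3):
    """Return a sorted list of unique (host, reason) alerts."""
    alerts = set()
    unfamiliar_renames = Counter()  # host -> renames to extensions not on the allowlist
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        if ev["ext"] in KNOWN_EXTENSIONS:
            alerts.add((ev["host"], "known ransomware extension " + ev["ext"]))
        elif ev["name"] in KNOWN_NOTES:
            alerts.add((ev["host"], "known ransom note " + ev["name"]))
        elif ev["action"] == "RENAME" and ev["ext"] and ev["ext"] not in COMMON_EXTENSIONS:
            unfamiliar_renames[ev["host"]] += 1
    # Kawa4096-style random extensions cannot be listed, so flag a burst of renames per host instead.
    for host, n in unfamiliar_renames.items():
        if n >= burst_threshold:
            alerts.add((host, f"{n} renames to unfamiliar extensions"))
    return sorted(alerts)

# Constructed sample events, not real telemetry.
SAMPLE_LOG = [
    "2025-06-28T10:00:01 ws01 RENAME /home/ana/report.docx.CyberVolk",
    "2025-06-28T10:00:02 ws01 CREATE /home/ana/READMENOW.txt",
    "2025-06-28T10:05:00 ws02 RENAME /data/q2.xlsx.RALord",
    "2025-06-28T10:10:00 ws03 RENAME /srv/share/a.pdf.k7x2",
    "2025-06-28T10:10:01 ws03 RENAME /srv/share/b.docx.k7x2",
    "2025-06-28T10:10:02 ws03 RENAME /srv/share/c.xlsx.k7x2",
    "2025-06-28T10:20:00 ws04 RENAME /home/bob/notes.txt",
    "not an audit line",
]
```

Running `analyze(SAMPLE_LOG)` yields one alert per matched indicator on ws01 and ws02 and a burst alert for ws03, while the ordinary rename on ws04 and the malformed line produce nothing.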


Scattered Spider changes its target


On the other hand, there are indications that Scattered Spider may be behind several recent attacks against insurance companies in the US. The FBI has even warned that airlines could be targeted by this group. Everything indicates that they have left the retail sector behind and are going after bigger targets.


Conclusion: Attackers never rest... and neither should defenders


What all these developments make clear is that ransomware groups continue to evolve, testing new tactics and offering increasingly sophisticated “services” to their affiliates. It's a constant game of cat and mouse, where defenders cannot afford to let their guard down.

To address these threats, organizations need much more than just a good antivirus. Here are some best practices that can make a difference:


  1. Segment your critical assets: Don't put all your eggs in one basket.

  2. Adopt the Zero Trust model: No one gets in without being verified.

  3. Make immutable backups: Not even ransomware can touch them.

  4. Strengthen endpoints and infrastructure: Secure everything from computers to the cloud.

  5. Proactively manage vulnerabilities: Prioritize risks, not just patches.

  6. Monitor in real time: Endpoints, network, and cloud environments included.

  7. Have an incident response plan: And rehearse it. It's useless if it's only on paper.

TecnetProtect, our advanced cybersecurity solution, uses powerful Acronis technology to provide comprehensive, proactive defense against ransomware. It protects critical systems with a multi-layered approach that includes real-time detection of malicious behavior, automatic blocking of suspicious processes, and immutable backups that ensure secure data recovery in the event of an attack.

In addition, TecnetProtect constantly monitors file integrity, prevents unauthorized modification of sensitive information, and enables rapid restoration of affected systems, minimizing downtime. All this with a centralized, easy-to-use console, ideal for organizations seeking effective protection against the most sophisticated threats.