Report by ReliaQuest

Ransomware and Cyber Extortion in Q2 2025

18 FINDINGSPublished Jul 3, 2025
View Original Report →

Key Findings

The US remained the most targeted country by ransomware, accounting for 67% of the total organizations named on ransomware data-leak sites in Q2.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareUSData leak site

Spain and other Spanish-speaking countries each accounted for less than 4% of Qilin's total victim volume in Q2.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareQilinSpain

DragonForce emergence: December 2023.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareDragonForce

DragonForce activity was up 119% between Q1 and Q2 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareDragonForce

Lynx experienced a 41% drop in activity between Q1 and Q2 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareLynx

80% of the organizations named by Qilin in Q2 were based in the US.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareQilin

Qilin showed an 80% increase in activity in Q2 compared to Q1 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareQilin

Akira has already listed 15% more victims in the first half of 2025 than it did throughout the entirety of 2024.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareAkira

Germany rose to second most targeted country by ransomware in Q2 2025, climbing two spots from fourth in Q1 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareGermany

Q2 2025 saw a 31% decrease in named ransomware victims compared to the previous quarter, marking a return to more typical levels.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
Ransomware

In Q1 2025, Clop named 389 victims on its data-leak site in February alone.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareClop

SafePay's activity increased by 42% in Q2 2025 compared to Q1 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareSafePay

Akira listed approximately 130 organizations to its data-leak site each quarter in 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareAkira

LockBit named just 24 organizations on its data-leak site in Q2 2025. This figure represents only 11% of its Q2 2024 victim count.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareLockBit

Retail trade accounted for only 4% of total ransomware victims in Q2 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareRetail

Construction was the third most targeted sector by ransomware in Q2 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareConstruction

Akira showed a 348% rise in the number of organizations named in Q2 2025 compared to the same period last year.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareAkira

Qilin emerged as the top ransomware threat in Q2 2025.

ReliaQuestRansomware and Cyber Extortion in Q2 2025 ·Jul 3, 2025
RansomwareQilin