Ransomware Trends In May 2025

The ransomware landscape in May 2025, as detailed by Cyfirma in their latest Tracking Ransomware: May 2025 report, reveals a 15.9% rise in global incidents from April, with 545 attacks recorded. This escalation is part of a broader upward trend - 331 incidents in 2023, 520 in 2024, and now 545 in 2025 - illustrating the growing audacity of cybercriminals.

The United States bore the brunt, with 272 victims, dwarfing Germany (31) and Canada (28), as shown in the report’s geographical analysis.

The preference for these nations reflects their wealth, data-rich enterprises, and critical infrastructure, making them ripe for high-stakes extortion. The predominance of attacks in the U.S. highlights its status as a prime target due to its economic heft and digital reliance.

Shifting Players, Evolving Tactics

The report illustrates a volatile ecosystem. Newcomers SafePay and SilentRansomGroup led with 72 and 67 attacks, respectively, eclipsing established groups like Qilin (down from 72 to 55 incidents), Play (51 to 44), and Akira (55 to 31). This shift suggests a rapid rise of agile, aggressive actors. SafePay’s meteoric ascent, with 198 victims since late 2024, relies on double-extortion tactics - encrypting systems and exfiltrating data - often via vulnerable VPNs and Remote Desktop Protocol (RDP) endpoints. SilentRansomGroup’s sudden rise to prominence may stem from a newly launched leak site, hinting at prior covert activity.

Tactically, ransomware groups are growing more sophisticated. Qilin, for instance, has adopted Rust-based code and advanced loaders like NETXLOADER and SmokeLoader, enabling stealthy in-memory execution, as detailed in the report’s section on group evolution. A novel delivery method - ransomware embedded in JPEG images paired with decoy documents - evades detection by exploiting user trust in common file formats. The report’s analysis of the attack chain shows a stager script activating upon image viewing, fetching the ransomware executable from a remote server.
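A defender-side check for the JPEG delivery method described above, added here as an example and not taken from the Cyfirma report or this article: it walks the JPEG marker structure, locates the End Of Image marker and flags anything appended after it, which is where an embedded payload is commonly hidden. The sample bytes, indicator strings and the 64-byte slack threshold are constructed assumptions.

```python
"""Flag JPEGs carrying data appended after the End Of Image (EOI) marker.
Added example, not code from the Cyfirma report or this article. The report
describes ransomware embedded in JPEG images; appending a payload after EOI,
which viewers ignore, is a common way to do so. Sample bytes, indicator strings
and the slack threshold below are constructed assumptions, not report values.
"""
SOI, EOI = b"\xff\xd8", b"\xff\xd9"
TRAILER_SLACK = 64    # assumed: a few stray trailing bytes are normal, kilobytes are not
INDICATORS = [b"MZ", b"<script", b"powershell", b"cmd.exe", b"http://", b"https://"]

def eoi_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                            # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                            # EOI: the image ends here
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # TEM / RSTn carry no length
            pos += 2
            continue
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:   # SOS: skip entropy-coded scan data up to the next
            while pos + 1 < len(data) and not (  # real marker (not FF00, not RSTn)
                data[pos] == 0xFF and data[pos + 1] != 0x00
                and not 0xD0 <= data[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("truncated JPEG (no EOI marker)")

def inspect_jpeg(data: bytes) -> dict:
    """Report bytes after EOI and any indicator strings found in them."""
    trailer = data[eoi_offset(data):]
    hits = sorted(i.decode() for i in INDICATORS if i in trailer)
    return {"trailing_bytes": len(trailer), "indicators": hits,
            "suspicious": bool(hits) or len(trailer) > TRAILER_SLACK}

# Constructed stand-in JPEG: SOI, APP0, minimal SOS with a stuffed FF00 byte, EOI.
CLEAN = (SOI + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
         + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34" + EOI)
TAINTED = CLEAN + b"\r\n<script>stager()</script> https://example.invalid/x"
```

Run `inspect_jpeg()` over files from a mail gateway or file share to surface images with appended data; a non-empty trailer is not proof of malice on its own, but combined with a decoy document it matches the chain the report describes.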

Additionally, groups like Qilin - responsible for last year's damaging attacks on London hospitals - and Hunters International abuse legitimate tools like Kickidler for reconnaissance, harvesting credentials without triggering alerts, a tactic outlined in the report’s technical analysis.

Industry Under Siege

The Professional Goods & Services sector faced the heaviest onslaught, with 94 incidents, followed by Consumer Goods (70) and Manufacturing (52), although the May attacks have a wide reach across finance, IT, real estate, and even less-targeted sectors like automotive and energy. Manufacturing’s vulnerability, noted in prior reports, stems from outdated software and the high cost of downtime, making it a perennial target.

The exploitation of SAP NetWeaver vulnerabilities (CVE-2025-31324) by groups like Qilin and BianLian further amplifies risks for enterprises reliant on complex software ecosystems.

High-Profile Breaches & Broader Impacts

Key events in May 2025 highlight the stakes. Germany’s doxing of Vitaly Kovalev, a ringleader behind Conti and TrickBot, exposed the organised nature of these groups, with profits in the hundreds of millions. An Iranian national’s guilty plea for RobbinHood attacks on U.S. cities, using tactics like BYOVD to disable antivirus protections, underscores the global reach of these threats. MathWorks’ ransomware attack disrupted critical services, while Kettering Health’s outage, linked to Interlock, crippled operations. The leak of VanHelsing’s ransomware builder, detailed in the report, risks spawning copycat groups, echoing past leaks like Babuk.

The business impact is stark: 31% of attacked enterprises halt operations, 40% downsize staff, and 60% of small businesses close within six months. The average cost per incident, pegged at $200,000, compounds reputational and regulatory damage, as outlined in the report’s impact analysis.

A Call for Resilience

The report’s recommendations - robust cybersecurity, employee training, and incident response planning - are urgent. As ransomware groups wield advanced tools and exploit human and technical vulnerabilities, organisations must prioritise patch management, network segmentation, and multi-factor authentication.

The May 2025 surge, driven by new players and stealthy tactics, signals a relentless threat. Proactive defence, rooted in threat intelligence and governance, is no longer optional but essential for survival against escalating cyber threats.
