InfoSecBulletin Cybersecurity for mankind
Ransomware attacks dropped by 43% worldwide in Q2 2025 from Q1, largely due to law enforcement efforts and internal conflicts, reports NCC Group. A total of 1180 attacks were recorded from April to June, which compares to 2074 attacks in Q1.
Ransomware attacks decreased for the fourth month in a row in June 2025, dropping 6% from May to 371. Q2 saw a slowdown after a spike in attacks in the first quarter, mainly due to aggressive campaigns by major groups like Clop, RansomHub, and Akira.
India’s Tata Electronics hit by cyber breach: Hacker target 630 GB record
Anthropic’s Mythos reportedly broke NSA classified systems in hours
OpenAI New Method “Deployment Simulation” Predicts AI Risks Before Deployment
AryStinger botnet infected thousands of D-Link routers globally
Hacker suspected of sending alerts across Brazil
CyberSentinel AI features 33 security tools like Nmap, SQLMap, and ZAP, utilizing Claude and GPT
Barracuda hosts Dhaka roundtable on cyber resilience
CISA Alerts Fortinet Users as FortiBleed Affects 86,644 FortiGate Devices
CISA: Splunk flaw under active exploit, patch by Sunday
Texas data breach exposes 3 million driver’s licenses
Recent law enforcement actions have disrupted major ransomware operators, specifically targeting Clop and RansomHub affiliates. As a result, Clop and RansomHub are no longer among the top 10 active ransomware groups in Q2.
“These disruptions likely caused a ripple effect across the ransomware group’s ecosystem, forcing affiliates to regroup or shift to emerging ransomware groups,” NCC Group researchers noted.
The July 23 report noted that internal leaks and conflicts among ransomware groups may have contributed to the slowdown.
In May, insider information from the notorious LockBit group was leaked.
Meanwhile, researchers have observed DragonForce fighting a “turf war” with rival ransomware operators as it seeks to assert its dominance in the cybercrime marketplace.
DragonForce likely caused RansomHub’s infrastructure outage in late March 2025, disrupting operations.
The decline in attacks may also be linked to seasonal slowdowns in Q2 from global holidays like Easter and Ramadan.
Qilin Leads the Way in Fragmented Market:
Qilin was the most active ransomware group in Q2, with 151 attacks, accounting for 13% of the total. This increased from 95 attacks in Q1.
In second place was Akira with 131 attacks, followed by Play (115) and SafePay (108).
SafePay gained attention in May for reporting 70 attacks. It was first spotted in September 2024, and researchers found little public information on the group.
Experts have connected SafePay to notable groups like LockBit, BlackCat, INC Ransom, and Play.
NCC Group reported tracking 86 active attack groups in 2025 so far, likely exceeding 2024’s record.
“The increased number of attackers means a broader range of attack methods that businesses need to be prepared for,” commented Matt Hull, global head of threat intelligence, NCC Group.
In Q2, the industrial sector experienced the most attacks, totaling 353, which is 30% of all attacks.
Consumer discretionary ranked second with 251 attacks, accounting for 21% of the total, heavily impacting retail in Q2. Information technology, healthcare, and financial services followed, making up the top five targeted industries with 10%, 8%, and 6% respectively.
