Ransomware attacks declined by 23% from the previous quarter, although they are up 43% on this time last year, with the dip only partially explained by normal seasonal variations. In Q2 of 2025, 1,591 new victims of ransomware attacks were posted publicly on data leak sites, at an average of 17.5 per day, compared to 22.9 per day in Q1 of 2025 and 12.2 per day in Q2 of 2024.Compared to last year, Alphv/BlackCat — a major player in the ransomware ecosystem — has shut down, LockBit has been subject to law enforcement action, and there has been significant disruption to the RansomHub operation, all of which have contributed to the fragmentation of the ransomware ecosystem. Compared to last year, there are more small groups and lone wolves operating, who find it much easier to stay under the radar of law enforcement.In Q2, 2024, there were 41 active ransomware groups, and 71 in Q2, 2025, according to the quarterly *[Ransomware -& Cyber Threat Report](https://www.guidepointsecurity.com/resources/grit-q2-2025-ransomware-and-cyber-threat-report/)* from the GuidePoint Research and Intelligence Team (GRIT), a 45% year-over-year increase.The United States is still the primary target for ransomware groups, accounting for 52% of attacks in the quarter, followed by Canada, Germany, and the United Kingdom. Healthcare organizations continue to be attractive targets for ransomware groups; however, the sector dropped to 5^th^ spot for attacks behind manufacturing, technology, legal services, and construction. This is due in part to some of the most active groups concentrating their attacks on other sectors. The most active groups targeting healthcare in Q2 of 2025 were IncRansom, Qilin, and Everest.The overall most active group in the quarter was Qilin. The group conducted more than 200 attacks in the quarter, having significantly increased its attack volume since the start of the year. Qilin conducted almost double the number of attacks as the next main players, Akira, Play, and SafePay. Akira and Play do attack the healthcare sector, but they favor attacks on other sectors. The DragonForce cartel, which attempted a hostile takeover of RansomHub, was in fifth spot and has a policy of not attacking critical infrastructure. DragonForce has failed to conduct attacks at the expected volume, given its aggressive recruitment strategy and attempts to dominate the ransomware ecosystem.’We’re seeing a reshuffling within the ransomware ecosystem,’ Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security, said. ‘Disruption of major RaaS players hasn’t reduced overall threat capacity so much as redistributed it. Affiliates are regrouping under existing or emerging banners, and many are standing up their own operations using recycled tools. As we head into the second half of the year, security teams should expect familiar tactics under new names.’There has been a trend of escalating coercive tactics with ransomware groups, including contacting company employees via phone, fax, email, and text, and even individuals whose personal data has been stolen. The aim is to pile on the pressure to get victims to negotiate or pay the ransom, although these tactics are generally not effective. According to GRIT, these tactics often have the opposite effect and make negotiation of any ransom less likely, as ransomware groups are viewed as less professional and untrustworthy.While the reduction in the number of attacks is good news, GRIT believes it is only a temporary dip, and that attacks are likely to rise once again after the summer, especially if a major ransomware-as-a-service group emerges to replace RansomHub, which appears to have experienced a sudden death in March 2025. GRIT suggests there was no clear alternative group for its affiliates to join, although GRIT believes a new major player will emerge sooner rather than later to capture the vacant market share.The post [Ransomware Attacks Fall in Q2 as Ecosystem Reshuffles](https://www.hipaajournal.com/ransomware-attacks-fall-q2-2025/) appeared first on [The HIPAA Journal](https://www.hipaajournal.com).
Related Tags:
RansomHub
Playcrypt
Play
GOLD SAHARA
Akira
PUNK SPIDER
NAICS: 621 – Ambulatory Health Care Services
NAICS: 54 – Professional
Scientific
Technical Services
NAICS: 334 – Computer And Electronic Product Manufacturing
Associated Indicators: