Managed Detection and Response
Ransomware in First Half of 2025: An Ecosystem in Flux
July 23, 2025 | 4 min read
Curt Buchanan
Principal Security Research, Threat Fusion Cell

The beginning of 2025 in ransomware has been marked by new attack strategies, focus on high-pressure targets, and a high level of incidents. BlueVoyant’s threat research shares the latest ransomware trends and how to protect your organization.
The first half of 2025 has been a period of disruption and realignment within the ransomware ecosystem. Following years of dominance by a few key players, the landscape has fragmented into a chaotic and highly competitive market defined by new leaders, divergent attack strategies, and a laser focus on high-pressure targets. In total, more than 3,000 ransomware incidents were recorded in the first six months of the year. The overall threat has not diminished; it has become more unpredictable.
For years, the ransomware landscape was characterized by a stable, if dangerous, hierarchy. A few dominant Ransomware-as-a-Service (RaaS) groups, led by the prolific Lockbit operation, accounted for the majority of attacks. The first half of 2025 has shattered that stability. The ecosystem is now in a state of flux, defined by the fall of old leaders and an aggressive, chaotic race to establish new dominance.
The ransomware landscape in the first half of 2025 was characterized by a sustained, high volume of attacks, with activity peaking in the first quarter before gradually declining through the second. This trend reflects a volatile market where new and established groups compete for dominance.
The total volume of ransomware attacks remained at a critically high level, peaking at over 650 incidents in March before moderating in the second quarter.
The monthly ransomware/extortion incident counts for the first half of 2025 are as follows:
- January: 469 incidents
- February: 585 incidents
- March: A peak of 659 incidents
- April: 477 incidents
- May: 462 incidents
- June: 432 incidents
Key Ransomware Trends in 2025
1. The Fall of Lockbit and the Rise of New Threat Actors
Lockbit, once the most prolific ransomware-as-a-service (RaaS) platform, collapsed following a major infrastructure breach and law enforcement crackdown. Its demise created a power vacuum that fueled fierce competition among emerging groups.
Agenda has emerged as the frontrunner, showing consistent month-over-month growth and deploying sophisticated tools like NETXLOADER.
Akira and Play have maintained high attack volumes, establishing themselves as reliable threats in the new ransomware order.
2. Two Distinct Attack Models: Marathon Runners vs. Sprinters
Ransomware groups are now operating under two primary models:
Marathon Runners (e.g., Agenda, Akira, Play): These groups focus on sustained, high-volume campaigns.
Akira and Play have been workhorses, consistently delivering high victim counts month after month. Akira peaked at 61 victims in March, while Play peaked at 51 in April. Their steady performance has made them reliable and dangerous mainstays of the new landscape.
Sprinters (e.g., Clop, RansomHub): These actors execute short, high-impact bursts, often exploiting zero-day vulnerabilities to compromise hundreds of victims in days.
The RansomHub group serves as a cautionary tale of market volatility. It exploded onto the scene with 100 victims in February, briefly becoming the most active group in the world, only to vanish completely by May.
3. Manufacturing Under Siege
The manufacturing sector has been the most targeted industry by a wide margin, with attackers exploiting the high financial leverage of disrupting physical production lines. In March alone, there were 245 ransomware incidents in this sector.
Other high-risk sectors include:
- Business Services and Retail (broad attack surfaces and sensitive data)
- Healthcare (critical uptime needs)
- Finance (high-value data and frequent state-sponsored targeting)
4. Initial Access Brokers and Geopolitical Threats
Ransomware is often the final stage of a longer attack chain. Initial access brokers like Sly Marauder (a.k.a. Scattered Spider) use advanced social engineering — such as pretending to be the help desk (vishing) — to gain privileged access, which is then sold to ransomware affiliates.
State-sponsored actors and hacktivist groups are also contributing to the threat landscape, using similar tactics and occasionally paving the way for financially motivated attacks.
How to Prevent Ransomware Attacks
BlueVoyant recommends a multi-layered, intelligence-led defense strategy to combat today’s ransomware threats:
1. Embrace Intelligence-Led Defense
Static defenses are no longer enough. Organizations must actively track the tactics, techniques, and procedures (TTPs) of emerging ransomware groups and initial access brokers to anticipate and block attacks before they escalate.
2. Prioritize Agile Patch Management
Sprinter campaigns prove that the window to patch critical vulnerabilities is now measured in hours — not weeks. Rapid identification and remediation of exposed systems is essential. Organizations should also be concerned about the patch status of their third-party ecosystem and work with these vendors and suppliers to ensure they are patching.
3. Invest in Human-Centric Security
Sophisticated social engineering remains a top threat vector. Continuous security awareness training — especially for high-privilege roles like help desk staff — is critical to reducing risk.
4. Strengthen Resilience and Recovery
Assume a breach will happen. Focus on:
- Network segmentation
- Immutable backups
- A well-rehearsed incident response plan
These measures ensure business continuity and minimize the impact of successful attacks.
The ransomware threat is evolving rapidly, but with the right intelligence and proactive defense strategy, organizations can stay ahead.