The first quarter of 2025 has witnessed a dramatic escalation in ransomware attacks worldwide, with incident numbers soaring by an astonishing 213% compared to the first quarter of 2024, according to data analyzed from 74 independent data leak sites.
In just three months, 2,314 victims from across all major industry verticals were reported, a sharp increase from 1,086 victims during the same period last year.
Notably, the number of unique ransomware variants increased to 74 in Q1 2025, 32% higher than the 56 variants observed in the previous year, highlighting the rapid evolution of the ransomware ecosystem.
Industrials, consumer cyclicals, and technology sectors bore the brunt of these attacks, with each experiencing more than three times the number of incidents recorded a year earlier.
North America remains the most heavily affected region, underscoring the global reach and impact of ransomware operations.

Shifting Power Among Ransomware Groups
The year 2025 marks significant changes among the leading ransomware actors. While LockBit previously dominated the landscape, its operations dwindled after law enforcement crackdowns.
In Q1, Cl0p, RansomHub, and Akira emerged as the top ransomware strains, with Cl0p in particular seeing a 1400% surge in activity.
Cl0p’s unprecedented growth stemmed from the exploitation of two zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo Managed File Transfer (MFT) solutions, enabling wide-scale data theft and encryption, particularly in the retail sector.
RansomHub, first observed in early 2024, continued its high-volume campaigns, leveraging partnerships with malware-as-a-service providers, such as SocGholish, to target government, financial, and consulting entities.
However, after March 31, RansomHub went dark, fueling speculation about potential rebranding within the volatile ransomware underground.

Evolving Tactics and the Role of Ransomware-as-a-Service
Ransomware operators continue to employ familiar tactics for initial access, including phishing, exploiting software vulnerabilities, and abusing exposed Remote Desktop Protocol (RDP) services.
The rise of Ransomware-as-a-Service (RaaS) models, in which skilled developers lease their malware to affiliates, has lowered the technical entry barrier, contributing to a proliferation of new and rebranded groups.
Double extortion schemes, which combine data theft with encryption, remain a favored approach, increasing pressure on victims.
Security experts warn that unless ransom payments and extortion profits are drastically curbed, ransomware will continue to thrive.
The first quarter’s surge, following a year of steady attacks, illustrates that threat actors are constantly adapting, now favoring a combination of volume and targeted high-value strikes.
Organizations are urged to strengthen their defenses against initial access techniques, especially social engineering and supply chain exploits, as the ransomware threat shows no signs of abating.





