Ransomware attacks fell by 43% globally in Q2 2025 compared to Q1, with law enforcement actions and internal conflicts having a major impact on the threat landscape, according to new findings from NCC Group.
A total of 1180 attacks were recorded from April to June, which compares to 2074 attacks in Q1.
The firm also observed that claimed ransomware attacks fell for the fourth consecutive month in June 2025, down by 6% from May to 371.
The slowdown in Q2 followed a dramatic rise in attacks in the first three months of the year, which was driven by aggressive campaigns from dominant groups such as Clop, RansomHub and Akira.
However, recent law enforcement activity has disrupted some key ransomware operators, including targeting Clop and RansomHub affiliates. Notably, Clop and RansomHub disappeared from the top 10 list of active ransomware groups in Q2.
“These disruptions likely caused a ripple effect across the ransomware group’s ecosystem, forcing affiliates to regroup or shift to emerging ransomware groups,” NCC Group researchers noted.
The report, dated July 23, also highlighted internal leaks and conflicts between different ransomware actors as a possible factor in the slowdown.
In May, insider information from the notorious LockBit group was leaked.
Meanwhile, researchers have observed DragonForce fighting a “turf war” with rival ransomware operators as it seeks to assert its dominance in the cybercrime marketplace.
DragonForce appears to have been responsible for RansomHub’s infrastructure outage in late March 2025, curtailing operations.
Read now: Ransomware Enters ‘Post-Trust Ecosystem,’ NCA Cyber Expert Says
Another possible factor for the fall in attacks is due to seasonal slowdowns in Q2 from global holidays such as Easter and Ramadan.
Qilin Leads the Way in Fragmented Market
Qilin was the most active ransomware group in Q2, with 151 claimed attacks, 13% of the total. This was up from 95 attacks in Q1.
In second place was Akira with 131 attacks, followed by Play (115) and SafePay (108).
SafePay drew significant attention in May, when it claimed 70 attacks. It was first observed in September 2024 and the researchers noted there is relatively little publicly available information on the group.
Experts have linked SafePay to other well-known actors, such as LockBit, BlackCat, INC Ransom and Play.
NCC Group revealed it has already tracked 86 new and existing active attack groups in 2025, which is on course to surpass 2024’s record.
“The increased number of attackers means a broader range of attack methods that businesses need to be prepared for,” commented Matt Hull, global head of threat intelligence, NCC Group.
The sector that suffered the highest number of attacks in Q2 was industrials with 353 attacks, making up 30% of the total.
In second place was consumer discretionary, with 251 attacks making up 21% of the total. This sector includes retail, which was heavily targeted in Q2.
Information technology (10%), healthcare (8%) and financial services (6%) made up the top five most targeted industries in the quarter.
