Ransomware is evolving faster than it’s being stopped
July 10, 2025 – Published on BetaNews
The number of active ransomware groups has jumped 45 percent in the past year, according to a new report from GuidePoint Security’s GRIT team.
Covering Q2 2025, the report outlines how cybercriminals are regrouping, rebranding and using recycled tools to launch fresh attacks across industries.
“While law enforcement’s disruption of dominant groups like LockBit, AlphV and BreachForums has dealt significant blows to cybercriminal networks, the sharp year-over-year rise in active ransomware groups makes it clear that a significant threat remains,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security.
The GRIT team found that 71 ransomware groups were active in Q2 2025, up from 45 in the same quarter last year. That rise has not only raised the overall level of risk, it has also changed how ransomware operates. Former affiliates are no longer just joining new gangs; many are now starting their own.
“Unfortunately, the quarterly slowdown in publicly reported ransomware incidents appears to stem from more temporary headwinds, such as seasonality, fragmentation and strategic regrouping within the RaaS ecosystem,” said Timothy. “As groups like Qilin, Akira and Play continue to gain ground, defenders must remain vigilant and prepare for what’s next.”
Qilin was the most active group in Q2 2025, with an 85 percent rise in observed activity. The group, like others in the Ransomware-as-a-Service space, depends on a network of affiliates who can distribute malware on its behalf. This structure makes it easier for attackers to bounce back quickly after law enforcement takedowns.