Summer 2025 review
I had the joy of paddling in Canada’s wilderness areas this summer. The downside is that I’ve not been current with all of the cyber stories that transpired over the summer, so inevitably in September I try to do a little catchup to get up to speed on what I’ve missed. Wanting to kill two birds with one stone, I thought I’d make a blog post as I did.
Statistics and Clickbait
Last week I was going through some industry reports and noticed something that struck me as a little odd: a published report with strikingly good news regarding a big reduction in ransomware attacks. An article in Infosecurity Magazine ran with the title of Global Ransomware Attacks Plummet 43% in Q2 2025.
It’s always nice to see some good news reported, but whenever it contains statistics, I get concerned and recall Mark Twain’s words. Or was Benjamin Disraeli the source?
Looking more closely, the period used for this metric is April-June 2025, and it states that “Ransomware attacks fell by 43% globally in Q2 2025 compared to Q1” according to a report from the NCC Group. Since the source of the data is so important to understanding the context of these numbers, I went to the NCC Group’s Q2 Cyber Threat Intelligence Report to get a deeper understanding. The report, which is apparently a summary of their more detailed report available to customers only, gave a little more detail, stating that “in Q2, Hack and Leak numbers dropped to a total of 1180 attacks, a decline of 43% from Q1 2025”.
A source for these numbers isn’t given in the summary report, which is unfortunate because it’ helpful when trying to interpret the data. It also didn’t explain what exactly is meant by “Hack and Leak numbers”.
I contacted the NCC Group using the contact form on their website for clarification but haven’t heard back yet. If/when I do hear back, I’ll add an addendum to this post.
To see whether I can verify any trends independently I started looking at available sources, but let me start by saying that my intent isn’t to dispute or criticize the work done by NCC Group. What I hope to do is provide some context to best understand the meaning of ransomware data along with any threats and trends that exist.
Before looking at any data, understand that the actual number of data breaches over any given period isn’t known by anyone. Not all attacks become public knowledge: in fact, the majority likely never come to light (I’ve posted on this before). So, for any statistics being reported or consumed, it’s always good form to list the source(s). In my investigation I started by downloading 2024 and 2025 ransomware attack data from two well-known and respected industry sources: ransomware.live and ransomlook.io. Both of these use automatic crawlers to monitor hundreds of sites on the web and dark web to look for incidents. In my analysis I tracked attacks by the dates published, although the incidents may have taken place weeks or months earlier: the key with any data is to remain consistent with the method of data collection. Keep in mind also that the data from these sources is imperfect at best, because claims made by ransomware gangs on their dark web dedicated leak sites are known to be embellished at times to suit their own objectives.
From the data I downloaded from each of these two sources, I looked at the Q1 & Q2 data from both 2024 and 2025 and started running the numbers. First looking at 2025 Q1 vs Q1, I see that the victim counts and quarter over quarter changes are in line with what NCC Group reports. The numbers from all three sources are in the same ballpark, and we do indeed see a drop in alleged victim counts from Q1 to Q2.
| Source | Q1-25 Alleged Victims | Q2-25 Alleged Victims | Change |
| Ransomware.live | 2395 | 1496 | -38% |
| Ransomlook.io | 2509 | 1694 | -22% |
| NCC Group | 2070* | 1180 | -43% |
* Calculated using Q2 victim count and Q2/Q1 % change.
Good news, right? Hold on, let’s look at the numbers from the same period last year. Since we don’t have this data from NCC Group, we’ll only look at ransomware.live and ransomlook.io:
| Source | Q1-24 Alleged Victims | Q2-24 Alleged Victims | Change |
| Ransomware.live | 1249 | 1393 | +12% |
| Ransomlook.io | 1156 | 1481 | +28% |
In 2024 we see the unrelenting increase in victims that we’ve unfortunately come to expect. Maybe we can get some insight from the year-over-year numbers:
| Source | Q1-25 vs Q1-24 Alleged Victims | Q2-25 vs Q2-24 Alleged Victims |
| Ransomware.live | +92% | +7% |
| Ransomlook.io | +117% | +33% |
Now the real story behind the statistics starts to emerge. 1Q25 saw a huge increase in attacks over 1Q24, whereas 2Q25 saw a much more modest increase. The numbers suggest that the cause of the 2Q25 drop in ransomware attacks isn’t because things are looking better, but that things looked significantly worse in 1Q25 along with a recurring drop in Q2 victims.
So is it time to panic, or celebrate? Well, neither. But hopefully this gives you a better idea of what threats and trends exist. While I was looking at the data, I compiled some numbers from the Summer of ‘25 (Jun – Aug) to share with you:
By the Numbers
Active Ransomware Groups
2025 has seen ongoing international law enforcement activities targeting individuals and infrastructure associated with ransomware operations. While their results are encouraging, it’s been reported that one unintended consequence has been an explosion of new, smaller groups. This is reflected in the numbers below, which indicate an increase of roughly 20-30% in the number of active ransomware groups between summer 2024 and summer 2025.
| Source | Summer 2024 | Summer 2025 | Change |
| Ransomware.live | 45 | 53 | +18% |
| Ransomlook.io | 62 | 80 | +29% |
Tracked Victims
And while international efforts to bring ransomware gangs to justice continue, unfortunately the number of victims continues to increase between 10-20% year-over-year.
| Source | Summer 2024 | Summer 2025 | Change |
| Ransomware.live | 1298 | 1413 | +8.9% |
| Ransomlook.io | 1412 | 1694 | +20.0% |
Most Active Groups Globally
Profiles of the most active groups are available from a variety of online sources, often including technical descriptions of the TTPs used by the groups. Armed with this information, a robust cyber defence strategy may want to include actively threat hunting for known IoCs of these groups.
| Ransomware.live Summer 2024 | Ransomware.live Summer 2025 | ||
| Ransomhub | 173 | Qilin | 220 |
| Play | 80 | Akira | 139 |
| Akira | 79 | Inc Ransom | 105 |
| Lockbit3 | 62 | Dragonforce | 74 |
| Meow | 62 | Play | 70 |
| Ransomlook.io Summer 2024 | Ransomlook.io Summer 2025 | ||
| Ransomhub | 224 | Qilin | 234 |
| Lockbit3 | 90 | Akira | 127 |
| Play | 81 | Inc Ransom | 105 |
| Meow | 61 | Safepay | 99 |
| Akira | 57 | Play | 78 |
As we head into the last third of 2025, it’s a perfect time to take a look at your own cyber defenses to determine your state of readiness, in case you’re part of next month’s statistics. Here’s a quick and, by no means complete, checklist to start with:
- Endpoint protection with EDR;
- Perimeter and endpoint firewalls;
- Strong passwords with MFA;
- Data encryption;
- Off-site immutable backups;
- Email protection;
- Ensure all software is up to date;
- Employee cyber awareness training;
Finally, every organization should invest some time to develop an incident response plan BEFORE it’s needed.
Emsisoft Endpoint Protection: Award-Winning Security Made Simple
Experience effortless next-gen technology. Start Free TrialStay safe out there!