India Among Top 5 Countries Hit by Ransomware in Q1 2025, Following US, Germany, Canada and UK

Ransomware attacks have reached a record high in Q1 2025. Check Point Research’s latest State of Ransomware report reveals a 126% YoY surge, with 2,289 publicly named victims across 74 ransomware groups—the most ever recorded in a single quarter.

The Trends:

  • Cl0p led Q1 activity with 392 victims, exploiting zero-day flaws in Cleo file transfer tools and abandoning encryption in favour of data theft and extortion. 83% of its victims were in North America, and 33% came from the Consumer Goods & Services sector—reflecting strategic targeting of the supply chain.
  • RansomHub, a LockBit successor, claimed 228 victims, propelled by aggressive affiliate recruitment and generous profit-sharing, allowing it to inherit LockBit’s abandoned criminal market share.
  • Babuk-Bjorka and FunkSec routinely post recycled or fake victim claims (167 victims for Babuk-Bjorka and over 170 victims for FunkSec), muddying the data and inflating their reputations, whilst also attracting affiliates and pressuring victims. FunkSec is also suspected of using AI-developed malware, lowering barriers to entry for attackers and blurring the lines between financial crime and hacktivism, which complicates attribution and response.

The Where’s and the Why’s:

  • The U.S. remains ransomware’s top target, with nearly 50% of victims, due to a higher likelihood of ransomware payments.
  • In the UK, Medusa ransomware accounted for 9% of local victims, a fivefold increase over its global share.
  • In Germany, Safepay dominated with 17.5% of reported incidents—suggesting deliberate, regional targeting.

Looking at this geographical concentration, ransomware groups aren’t casting wide nets—they’re making surgical, strategic decisions based on local infrastructure, legal systems, and payment potential.

While victim disclosures are skyrocketing, actual ransomware payments dropped by 35% according to Chainalysis. This widening gap points to one of two worrying trends: either victims are increasingly refusing to pay, or some “victims” may not be real at all.

Ransomware’s evolution into extortion without encryption—combined with groups faking attacks using old or public data—means reputation damage, not decryption, is now the main leverage. Traditional metrics based on leak site disclosures no longer paint an accurate picture. This also makes it that much harder for defenders, regulators, and even law enforcement to monitor threat actors accurately or understand the real scale of risk.

Said Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software, “The 126% spike in ransomware is more than just a number, it’s a signal. This denotes smarter, faster, and harder-to-track campaigns and groups that try to manipulate our minds. AI tools, fake victim claims, and regionally tailored tactics mean organizations must move beyond reactive defenses and adopt prevention-first, intelligence-led security.”