
GuidePoint Security, a leading cybersecurity solutions provider, recently unveiled its quarterly Ransomware & Cyber Threat Report from the GuidePoint Research and Intelligence Team (GRIT).
Covering the second quarter of 2025, the new GRIT Q2 2025 Ransomware & Cyber Threat Report offers analysis of the evolving Ransomware as a Service (RaaS) ecosystem, threat actor behaviors and emerging cybercrime trends—including a 45 percent year-over-year increase in the number of active ransomware groups.
“While law enforcement’s disruption of dominant groups like LockBit, AlphV and BreachForums has dealt significant blows to cybercriminal networks, the sharp year-over-year rise in active ransomware groups makes it clear that a significant threat remains,” said Justin Timothy, Principal Threat Intelligence Analyst at GuidePoint Security.
“Unfortunately, the quarterly slowdown in publicly reported ransomware incidents appears to stem from more temporary headwinds, such as seasonality, fragmentation and strategic regrouping within the RaaS ecosystem. As groups like Qilin, Akira and Play continue to gain ground, defenders must remain vigilant and prepare for what’s next.”
The report also investigates Iranian cyber threat activity, the growing momentum of the RaaS group DragonForce and law enforcement’s impact on Lumma Stealer, a prolific information-stealing malware favored by cybercriminals. Other key findings include:
- Ransomware victim numbers remain elevated year-over-year (+43%), but a 23 percent decline in Q2 2025 hints at changing attacker patterns beyond seasonal norms.
- An 85 percent increase in activity from Qilin, the most active threat group of this quarter.
- 52 percent of observed ransomware victims in Q2 2025 were based in the United States.
- Manufacturing was among the industries most heavily impacted by ransomware.
“We’re seeing a reshuffling within the ransomware ecosystem,” Timothy added. “Disruption of major RaaS players hasn’t reduced overall threat capacity so much as redistributed it. Affiliates are regrouping under existing or emerging banners, and many are standing up their own operations using recycled tools. As we head into the second half of the year, security teams should expect familiar tactics under new names.”