
Q1 2025: Our Newest Ransomware Report Update

We’ve just released the Q1 2025 Update to our 2024 IT Ransomware Report. As 2025 continues on, the IT sector has seen a small increase in ransomware attacks over the previous quarter. Our team recorded a total of 1,514 attacks in Q4 of 2024, as compared to 1,537 in the first three months of 2025, marking a 1.51% increase.


However, compared to Q1 2024, where we recorded 572 attacks, ransomware activity has nearly tripled year-over-year. The top three targeted sectors this quarter were critical manufacturing, commercial facilities, and information technology, which together accounted for 28.7% of all ransomware attacks.



At the forefront were the ransomware groups CL0P, Akira, RansomHub, Qilin, and Lynx, which together were responsible for 40% of all attacks observed in Q1 2025.



CL0P Dominates 2025 Ransomware Attacks

In Q1 2025, CL0P maintained its position as one of the most prominent ransomware groups, responsible for approximately 10% of all observed attacks during the quarter. A key part of CL0P's recent activity has centered on the exploitation of CVE-2024-50623, a zero-day vulnerability in Cleo’s managed file transfer platforms—specifically, Harmony, VLTrader, and LexiCom. Organizations commonly use these platforms for secure file exchanges, and the vulnerability allows for unrestricted file uploads and downloads, enabling attackers to infiltrate networks, steal sensitive data, or achieve remote code execution. In mid-December 2024, CL0P exploited CVE-2024-50623 to compromise and exfiltrate data from dozens of victims. The CL0P group listed over 60 organizations on its data leak site as part of the Cleo campaign, but noted these were only entities that had been contacted and failed to respond, indicating the true number of affected organizations was likely higher.


By March 2025, CL0P’s data leak site showed another surge in publications, with over 150 organizations listed at the time of writing. These new victims seem to have been added as a result of CL0P's December attack on users of Cleo’s file transfer solutions. While it remains uncertain whether this represents the complete list of victims or if CL0P is still exploiting vulnerable Cleo instances, organizations using the file transfer solution should prioritize applying the latest patches immediately to mitigate potential attacks.


Q1 2025 Ransomware Trends:


  1. Impersonation of Ransomware Groups for Extortion: A growing trend in the cybercrime landscape is that of fraudsters who mimic well-known ransomware groups like CL0P and BianLian to extort money from victims. This tactic is becoming more widespread, with attackers increasingly using the reputations of established ransomware groups to enhance the credibility and urgency of their demands. This amplifies the threat of extortion, as it preys on the fear of reputational damage or data breaches. It also blurs the lines between different types of cybercrime, making it more difficult for organizations to discern genuine ransomware attacks from simple fraud.


  2. Shift Towards Vulnerability Exploitation and Persistent Extortion: Traditional ransomware attacks, which typically involve encrypting a victim’s data and demanding payment for decryption keys, are increasingly being replaced by more nuanced and persistent extortion tactics. Groups like SecP0 are shifting their focus to discovering critical vulnerabilities in widely used systems and threatening to disclose these flaws to the public unless a ransom is paid. By threatening to publicly expose vulnerabilities, groups like SecP0 can apply prolonged pressure on organizations, pushing them to pay ransoms to avoid reputational damage, legal ramifications, or further system exploitation. This method provides a more sustained form of leverage than traditional encryption-based attacks, as the threat hangs over the victim for an extended period, making it more difficult for them to recover or secure their systems.


Our Takeaways

Overall, Q1 2025 has brought significant changes to the ransomware landscape. CL0P continues to dominate, and the quarter also highlighted a disturbing rise in the impersonation of notorious ransomware groups, such as CL0P and BianLian, by fraudsters seeking to extort organizations using fear tactics. Additionally, the trend towards vulnerability exploitation and persistent extortion tactics is gaining traction, with groups like SecP0 shifting focus from traditional encryption-based attacks to threats involving the public disclosure of critical vulnerabilities. These evolving tactics underscore the increasingly complex and pervasive nature of threat actors, making it essential for organizations to remain vigilant and proactive in securing their systems.


For our full Q1 2025 Ransomware analysis, as well as a rundown of stats for March 2025, take a look at our full report. And stay tuned this summer for our Q2 2025 Update, coming soon!




© 2025 by Information Technology-Information Sharing and Analysis Center.