Ransomware Report February 2025

An In-Depth Analysis of the Latest Ransomware Trends and Threat Landscape

Dive into the constantly shifting world of ransomware, as we uncover the latest tactics, dissect the most prolific actors, and offer insights to keep your organization one step ahead.

Welcome to the February 2025 ransomware update, highlighting the latest trends, threat actors, and significant developments shaping the ransomware landscape. The Black Kite Research & Intelligence Team (BRITE) tracked 809 ransomware incidents this month, marking the highest monthly total ever recorded and surpassing the previous peak of around 590 victims.

The United States was once again the primary target with 513 incidents, followed by Canada with 51 and the United Kingdom with 23. Manufacturing was hit hardest with 193 victims, while Professional and Technical Services (118) and Wholesale (82) followed as top impacted sectors.

Clop dominated with 283 victims, fueled by its CLEO exploit, while RansomHub (98), Akira (50), and Play (48) rounded out the leading groups. Meanwhile, the takedown of 8Base, leaks exposing Black Basta’s internal chaos, and the continued rise of RaaS highlighted how dynamic and volatile the ransomware ecosystem remains.

February’s record numbers underscore the urgent need for resilience, proactive defenses, and stronger global cooperation as ransomware continues to escalate in scale and impact.

RANSOMWARE THREAT ANALYSIS

Ransomware Perpetrators Unmasked!

In the complex world of cybercrime, identifying the culprits is key to understanding and mitigating the threat.

February 2025 set a historic record with 809 incidents, and at the center of it all stood Clop, fueled by its aggressive CLEO exploit campaign. Following closely were RansomHub and Akira, both maintaining steady pressure on global targets.

Yet, the story doesn’t end with the top three. Groups like Play, Qilin, Lynx, Cactus, and Medusa contributed significantly to the month’s surge, reminding us that the ransomware ecosystem is more crowded—and more dangerous—than ever.

By analyzing the tactics of these dominant and emerging players, organizations can anticipate evolving threats and strengthen their defenses against what is shaping up to be the most challenging year yet in the fight against ransomware.

Geographic Hotspots of Ransomware

Global Reach: Tracing Ransomware’s Impact Across Nations

Ransomware’s global footprint reached historic levels in February 2025, with 809 recorded incidents worldwide. The United States once again stood out as the epicenter, suffering 513 attacks—an unprecedented concentration that highlights its ongoing vulnerability.

Canada followed with 51 incidents, while the United Kingdom recorded 23 cases, underscoring how North America and Western Europe remain prime targets. Wealthy and digitally advanced nations continue to attract ransomware groups due to their rich data environments and higher potential payouts.

Yet, motivations differ. Some groups pursue pure financial gain, while others avoid certain regions for nationalistic or political reasons. This mix of economic incentives and ideological choices shapes the global ransomware map, making it both complex and unpredictable.

Industry Breakdown

The distribution of ransomware attacks across industries highlights the varying degrees of cyber risk exposure.

Not all industries are targeted equally. In February 2025, Manufacturing was hit the hardest with 193 incidents, followed by Professional, Scientific, and Technical Services with 118, and Wholesale Trade with 82. Other heavily impacted sectors included Transportation (58), Health Care (40), and Retail Trade (32).

While these top industries bear the brunt of attacks due to the high value of their data and often complex digital environments, no sector is immune. Even areas like Agriculture (10), Utilities (5), and Mining (3) faced disruptions, underscoring ransomware’s wide reach.

By understanding which industries are most frequently targeted, organizations can better anticipate where attackers see the greatest opportunities—and allocate resources to strengthen defenses where they are needed most.

Geographical Preferences of Ransomware Groups

The geographical focus of ransomware groups reveals strategic patterns and preferences.

In February 2025, the United States stood out as the epicenter of ransomware activity with 513 incidents, far surpassing other nations. Canada (51) and the United Kingdom (23) followed, while countries such as Germany, France, Italy, Spain, and Brazil also experienced consistent targeting.

Clop dominated the U.S. with 185 victims, while groups like RansomHub (68), Play (38), Qilin (30), and Cactus (29) added significant numbers. In Canada, Clop again led with 24 victims, while RansomHub, Play, and Medusa were also active. The UK saw smaller but diverse activity, with Clop, Akira, RansomHub, and Medusa each leaving their mark.

These patterns highlight how groups not only scale globally but also tailor their focus by region, reflecting both financial motivations and strategic preferences. Yet, cybercrime knows no borders—organizations in every country remain potential targets. The diversity in targeting underscores the global nature of the ransomware threat and the continued need for international cooperation.

Ransomware Strikes: Industry-wide

Ransomware threats are industry-agnostic, but some sectors attract more attention than others.

In February 2025, Manufacturing was once again the hardest-hit industry, recording over 160 incidents, with Clop (89 victims) and RansomHub (23) leading the way. Professional, Scientific, and Technical Services followed closely, with 118 attacks, driven heavily by Clop (24), RansomHub (18), and BianLian (11). Wholesale Trade also saw significant pressure, with 82 victims, where Clop (49) dominated the activity.

Other critical industries such as Transportation and Warehousing (58), Healthcare and Social Assistance (40), and Retail (32) also remained prime targets. Even less-expected sectors like Agriculture, Education, Arts & Entertainment, and Public Administration faced ransomware incidents, showing the expansive reach of threat actors.

These patterns highlight that while ransomware is a universal threat, attackers do show sector preferences—particularly toward industries with valuable data and operational vulnerabilities. By understanding these patterns, organizations can better anticipate risks and strengthen their defenses.

Spotlight on Ransomware Indicators

Ransomware indicators expose exploited vulnerabilities, shaping our understanding of ransomware group tactics.

Leveraging the data-rich platform of Black Kite, we analyze ransomware indicators to identify common vulnerabilities that ransomware groups exploit. These indicators, including IP addresses, domains, or hashes, have been associated with our list of victims this month.

By shedding light on MX and DNS misconfiguration, at least one credential leaked in the last 90 days, and at least one possible phishing domain, we highlight the cyber vulnerabilities ransomware groups actively exploit. Recognizing these indicators and taking prompt preventive measures can significantly strengthen an organization’s defenses against ransomware attacks.

At least one IP address that was part of a botnet, malware propagation, or spam propagation

At least one record found in stealer logs

Use of out-of-date services/products with possible vulnerabilities of high exploitability

Open RDP or SMB ports publicly visible

At least one credential leaked in the last 90 days

At least one possible phishing domain

MX and DNS misconfiguration that may allow spoofing and phishing attacks

Industry-wide RSI Breakdown

An analysis of the average RSI values across industries provides a clear picture of industry-specific cyber risks.

In our continuous monitoring of hundreds of thousands of companies, we’ve computed the average RSI (Ransomware Susceptibility Index) values for each industry. These values paint a comprehensive picture of the industry-specific cyber risks that organizations face. In this month’s analysis, Manufacturing, Professional, Scientific, and Technical Services, and Healthcare show the highest average RSI values. The data suggests that these industries may have heightened exposure to ransomware threats and need to be especially proactive in bolstering their cybersecurity defenses.