In February 2025, ransomware attacks set a new single-month record, according to a report by Cyble, a threat intelligence company. The report counted the victims claimed by ransomware groups on their Tor-based data leak sites (DLS), which the groups use to pressure victims into paying ransom by threatening to release sensitive data.
The February 2025 total was more than 50% higher than the previous record set in May 2023, with 821 victims claimed by ransomware groups. The CL0P ransomware group played a significant role in this surge, claiming 267 victims and making it the most active group for the month.
CL0P primarily targeted vulnerabilities in Cleo MFT systems, claiming 386 victims in February alone. RansomHub and Akira were the next most active groups. The United States experienced the highest number of ransomware victims, far surpassing other countries like Canada.
Cyble raised concerns about whether the spike in ransomware attacks in February signals the beginning of a new trend of increased activity. Looking at the major ransomware players over the past four years, LockBit emerged as the most prolific group, claiming over 2,700 victims. However, LockBit’s activity has decreased in the past year due to global law enforcement actions, although it is attempting a comeback with LockBit 4.0.
Despite CL0P being a relatively young group, it has become the second most active ransomware group in recent years, focusing on vulnerabilities in managed file transfer systems. Other groups like Play, RansomHub, Conti, and Akira have also seen an uptick in ransomware activity, indicating a potential escalation in claimed victims by ransomware groups.
Cyble emphasized that organizations should enhance their cyber resilience and mitigate the risk of ransomware attacks by patching vulnerabilities, training employees on cybersecurity best practices, adopting zero trust principles, segmenting networks, monitoring, and maintaining ransomware-resistant backups.
Overall, the increase in ransomware attacks in February 2025 raises concerns about the cybersecurity landscape and underscores the need for proactive security measures to protect against evolving cyber threats. It remains to be seen whether this surge in ransomware activity is an isolated incident or the beginning of a new era of heightened cyber threats.