U.S. ransomware incidents in February have surged well beyond January’s totals despite the significantly shorter month. According to Cyble data, U.S. ransomware attacks jumped at the start of 2025, up 150% from the year-ago period, likely driven by the perception among ransomware groups that U.S. organizations are more likely to pay a ransom. Canada, too, continues to experience elevated ransomware activity, while other global regions have remained largely stable (chart below). That trend has continued through February.
According to Cyble data, the U.S. was hit by 372 ransomware attacks through February 27, well beyond the 304 attacks it saw in all of January 2025. Globally, ransomware attacks increased from 518 in January to 599 for the first 27 days of February, so the U.S. share of global ransomware attacks has also increased, from 58.7% to 62.1%.
We’ll look at what’s behind the increase in ransomware attacks (hint: a big name returned in a big way), as well as other developments in the ransomware threat landscape this month.
Cyble documented the rise of three new ransomware and ransomware-as-a-service (RaaS) groups in February.
“RunSomeWares” was one of the new groups that surfaced, listing four victims and leaking their data in multiple batches. The group claims to have compromised a U.S.-based supply-chain services firm, a financial services company, a certified public accounting firm, and a Thailand-based manufacturer. While RunSomeWares’ logo suggests that they encrypt data, it remains unclear whether they use a locker, as no samples have been observed in the wild. Cyble continues to monitor the group for further developments.
On February 23, threat actor superSonic announced a new RaaS program, Anubis, on the RAMP forum, advertising elliptic curve cryptography, high-speed ChaCha+ECIES encryption, and cross-platform support for Windows, Linux, NAS, and ESXi. The locker reportedly supports automated domain-wide propagation, VM shutdown, shadow copy removal, and irreversible backup destruction, with a Lite version intended for sabotage and information gathering. Anubis also introduced an extortion-only model in which affiliates can shame victims on the group’s data leak site (DLS) without deploying a locker. The initial partner split is 80/20 for ransomware operations, 60/40 for extortion, and 50/50 for access brokerage, in which affiliates receive detailed company reports in real time.
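The shadow copy removal and backup destruction Anubis advertises are the same recovery-inhibition steps most Windows lockers perform just before encryption, and they are loud in process-creation telemetry. The following is an added detection example written for this page, not code from Cyble or from any Anubis sample (none are quoted here). The command-line patterns are an assumption drawn from living-off-the-land commands ransomware lockers in general are known to issue; the Sysmon-style event records are constructed. The scan also shows why a single hit is only a lead while a chain of distinct techniques on one host is the high-confidence signal.

```python
"""Flag process-creation events that match the recovery-inhibition behaviours
a ransomware locker performs before encrypting (shadow copy removal, boot
recovery disablement, backup catalog deletion)."""
import re
from collections import defaultdict

# Detection rules keyed by name. Each regex runs against the lowercased command
# line. These are commonly documented locker commands and an assumption for this
# example, not patterns taken from Anubis samples.
RULES = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b"),
    "vssadmin_resize_storage": re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b"),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b"),
    "powershell_shadowcopy_delete": re.compile(
        r"win32_shadowcopy.*\b(?:delete|remove-wmiobject|remove-ciminstance)\b"),
    "bcdedit_disable_recovery": re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no\b"),
    "bcdedit_ignore_failures": re.compile(
        r"\bbcdedit(?:\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b"),
    "wbadmin_delete_catalog": re.compile(
        r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)\b"),
}

# Constructed Sysmon-style process-creation records (not real telemetry). The
# first two are benign backup-service activity that must NOT alert; the next
# four are the chained locker sequence on a file server; the last is a
# PowerShell variant on a workstation.
EVENTS = [
    {"ts": "2025-02-24T02:11:05Z", "host": "FS01", "user": "CORP\\svc-backup",
     "parent": "wbengine.exe", "cmdline": "vssadmin list shadows"},
    {"ts": "2025-02-24T02:13:40Z", "host": "FS01", "user": "CORP\\svc-backup",
     "parent": "wbengine.exe",
     "cmdline": "wbadmin start backup -backupTarget:E: -include:C: -quiet"},
    {"ts": "2025-02-24T03:02:12Z", "host": "FS01", "user": "CORP\\Administrator",
     "parent": "cmd.exe", "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2025-02-24T03:02:13Z", "host": "FS01", "user": "CORP\\Administrator",
     "parent": "cmd.exe", "cmdline": "wmic.exe shadowcopy delete"},
    {"ts": "2025-02-24T03:02:14Z", "host": "FS01", "user": "CORP\\Administrator",
     "parent": "cmd.exe", "cmdline": "bcdedit.exe /set {default} recoveryenabled No"},
    {"ts": "2025-02-24T03:02:15Z", "host": "FS01", "user": "CORP\\Administrator",
     "parent": "cmd.exe", "cmdline": "wbadmin.exe delete catalog -quiet"},
    {"ts": "2025-02-24T03:05:30Z", "host": "WS17", "user": "CORP\\jdoe",
     "parent": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Get-WmiObject Win32_Shadowcopy "
                "| ForEach-Object {$_.Delete();}"},
]


def match_rules(cmdline):
    """Return the names of every rule the command line triggers (empty if none)."""
    lowered = cmdline.lower()
    return [name for name, rx in RULES.items() if rx.search(lowered)]


def scan(events):
    """Group hits per host and grade them. A host showing two or more distinct
    recovery-inhibition techniques gets 'high' (the chained pattern a locker
    produces); a single technique gets 'medium' and should be triaged, since
    admins do occasionally resize shadow storage or delete a stale catalog."""
    by_host = defaultdict(list)
    for ev in events:
        hits = match_rules(ev["cmdline"])
        if hits:
            by_host[ev["host"]].append({
                "ts": ev["ts"], "user": ev["user"], "parent": ev["parent"],
                "rules": hits, "cmdline": ev["cmdline"]})
    findings = {}
    for host, hits in by_host.items():
        techniques = sorted({r for h in hits for r in h["rules"]})
        findings[host] = {
            "severity": "high" if len(techniques) >= 2 else "medium",
            "techniques": techniques,
            "events": hits,
        }
    return findings


if __name__ == "__main__":
    for host, finding in scan(EVENTS).items():
        print(f"{host}: {finding['severity']} ({', '.join(finding['techniques'])})")
        for hit in finding["events"]:
            print(f"  {hit['ts']} {hit['user']} <- {hit['parent']}: {hit['cmdline']}")
```

In production the same logic belongs in the EDR or SIEM rule engine rather than a script, with the host-level correlation windowed (the four FS01 commands arrive within seconds) and the parent process and user fed into the score: a backup service running `vssadmin list shadows` is normal, `cmd.exe` spawned under an interactive admin session deleting shadows at 03:00 is not.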
Cyble’s continuous ransomware activity monitoring identified another potential new group, Linkc, which surfaced at the end of January. Operating an onion-based DLS, Linkc has so far claimed one victim: a U.S.-based IT and ITES company specializing in artificial intelligence and machine learning solutions. The alleged attack occurred on January 29 and involved both data encryption and theft. Investigations reveal that communications between the company and the group commenced on February 6, during which Linkc demanded a ransom of $15 million for data decryption and removal. After the group failed to extort the victim, it released several samples on February 17, purportedly showcasing access to GPT model source code, customer data, and financial records.
So what’s behind the latest surge in U.S. ransomware attacks, beyond the country’s attractiveness as a rich target?
It’s not coming from older attacks. On February 4, the Akira ransomware group released a list of 34 companies allegedly breached in 2024. These organizations were either never listed, briefly displayed, or removed from Akira’s data leak site (DLS) without being publicly claimed. More names of older victims will likely follow, as the move appears designed to pressure other victims, who have not yet been publicly named or claimed, into initiating negotiations. Akira is ramping up its extortion campaign, using fear and intimidation to coerce ransom payments.
But Cyble added those victims to January’s total, making February’s surge in ransomware attacks even more dramatic than it seems.
CL0P claimed an additional 34 U.S. victims in February, and 15 elsewhere, as the group continues to release names from its exploitation of Cleo MFT vulnerabilities. But those 49 names are well below the 81 the group released in January.
As we look at the most active ransomware groups globally for January (first chart below) and February (second chart below), we see that CL0P has fallen off dramatically this month, Akira is up even with the addition of older attack victims to January’s data – and RansomHub has returned to the top, claiming 99 victims through February 27. Play and Fog also saw a resurgence this month.
The most logical conclusion is that the surge in ransomware attacks this month is real, with 56 additional RansomHub victims accounting for most of the 81-victim increase globally in February.
If we look at the U.S. in isolation, the picture becomes even clearer. RansomHub was not among the most active U.S. ransomware groups in January (first chart below), while this month the group topped the list with 66 victims, accounting for nearly all of the increase in U.S. ransomware attacks in February (second chart below).
RansomHub has shown remarkable staying power even as security researchers have been waiting to see if LockBit can return to the top with its 4.0 release.
RansomHub’s February victims have spanned almost all industries, including media, manufacturing, energy and utilities, real estate, healthcare, transportation and logistics, education, construction, IT/technology, hospitality, professional services, aerospace and defense, agriculture and livestock, consumer goods, telecommunications, government, financial services, automotive, pharmaceuticals and biotechnology.
Ransomware groups come and go and become the basis for the next generation of threat groups, but RansomHub – itself a product of older groups like Knight and ALPHV/BlackCat – has shown that it won’t be dethroned easily, perhaps not without the kind of global enforcement actions that have disrupted LockBit and other groups.
Regardless of which ransomware group is on top in a given month, the best defenses are those that limit damage and lateral movement: patching web-facing vulnerabilities that are often the initial access point for an attack, and implementing zero trust, network segmentation and monitoring, and ransomware-resistant (immutable, offline or otherwise isolated) backups.
Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue. No liability for errors or omissions: due to the dynamic nature of cyber threat activity, this blog may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.