February Sees Record-Breaking Ransomware Attacks, New Data Shows
2025-3-5 12:1:23 Author: cyble.com

Overview

February ransomware attacks set a single-month record, according to an analysis of Cyble threat intelligence data.

The year began with a surge in ransomware attacks, a trend that continued into February. With February’s data now final, the number of organizations claimed as victims by ransomware groups reached numbers well above long-term trends.

We’ll look at what’s behind those numbers and what they mean for future ransomware trends.

Record Ransomware Attacks

The previous high for ransomware attacks recorded by Cyble was May 2023, when ransomware groups claimed 544 victims on their Tor-based data leak sites (DLS). The groups use these sites as part of their extortion tactics, “naming and shaming” victims and threatening to release data to pressure them into paying ransoms. Not all ransomware victims are published on data leak sites, but the listings are a useful tool for ransomware trend analysis.

February’s numbers were on pace to eclipse the May 2023 record even before the CL0P ransomware group published a fourth batch of 218 unique organizations allegedly targeted by the group’s exploitation of Cleo MFT vulnerabilities. The total number of Cleo MFT victims claimed by CL0P now stands at 386, according to Cyble data.

The latest alleged CL0P victims come from the U.S., Mexico, France, Japan, New Zealand, Spain, Taiwan, and India and span 12 industries, ranging from IT and IT services to consumer goods, retail, energy, automotive, transportation, manufacturing, and more.

The late-month spike sent the total number of February ransomware victims to 821, well above any range seen in the last four years, when ransomware attacks began to accelerate (see chart below).

Figure: Ransomware victims by month 2021-2025 (Cyble)

The additional CL0P victims made the group the most active for the month, followed by RansomHub and Akira (chart below).

Figure: Most active ransomware groups, February 2025 (Cyble)

The U.S. was the most-attacked country by far in February, with nearly 10 times more victims than second-place Canada (chart below).

Figure: Ransomware attacks by country, February 2025 (Cyble)

Long-Term Ransomware Trends and Top Ransomware Groups

Returning to the long-term trend chart above, we see that in 2021-2022, monthly ransomware victim totals were generally between 100 and 250, with the lone exception of a spike in November 2021 that was driven in part by increased activity by the Royal ransomware group (now BlackSuit).

Beginning in early 2023 and continuing through 2024, the number of monthly ransomware victims increased to a range of 300 to 500, with brief spikes just above and below those levels.

The January 2025 surge pushed totals to the top of that range, and February has now vastly exceeded it. Have we entered a new higher range, or are victim totals likely to fall back in the months ahead? Let’s look at the principal threat actors involved for clues.

If we look at the top ransomware groups over the four-year range, we see LockBit well ahead of other groups (chart below).

Figure: Top ransomware groups 2021-2025 (Cyble)

Surprisingly, CL0P ranks second in claimed victims over that four-year period, with Play, RansomHub, Conti, and Akira (608 victims) rounding out the top six.

Six-year-old CL0P has shown an affinity for managed file transfer (MFT) vulnerabilities, previously targeting MOVEit and other MFT vulnerabilities. But that narrow focus has tended to make the group’s victims more clustered. Of the group’s 901 victims over the last four years, 383 (42.5%) have occurred within the last three months. In the last year, CL0P has claimed only 22 additional victims beyond those 383, so it would be reasonable to assume that CL0P victim totals will continue to fluctuate over time.

However, with RansomHub, Akira, Play, and FOG also increasing ransomware activity in recent months, it’s possible that we’ve entered a higher range of claimed victims by ransomware groups.

Ransomware Defenses

The recent increase in ransomware victims means that organizations should double down on their ransomware defenses, and those that have been lagging in implementing ransomware protection should make stronger defenses a top cybersecurity priority.

The best cybersecurity practices and defenses that can help protect an organization against ransomware attacks can also protect against other types of cyberattacks, so measures that improve cyber resilience and limit lateral movement will never be wasted.

Such practices include patching web-facing vulnerabilities that can be the starting point for an attack, training employees to recognize phishing and other attack attempts, and implementing zero trust, network segmentation and monitoring, and ransomware-resistant backups.



Source: https://cyble.com/blog/february-sees-ransomware-attacks-new-data-shows/