March saw notable events, including a potential change at the top of the ransomware world, persistently high attacks, and the emergence of new groups.
March 2025 ended on a surprising note when the onion-based data leak site (DLS) of RansomHub – the largest ransomware group over the last year – went offline, fueling speculation of a possible takeover. A few days later, rival DragonForce claimed to have taken over RansomHub’s infrastructure, raising the potential for a major change in the ransomware landscape in the months ahead.
At a time when ransomware attacks remain at record levels, the possibility of a new leader – and one who promises something of a white-label approach, with affiliates allowed to develop their own brands – could bring about significant changes in the way Ransomware-as-a-Service (RaaS) groups package and deliver malware.
It’s not yet clear whether RansomHub is finished, but the RaaS group has had a remarkable run over the last year. In Cyble’s analysis, its staying power was driven by perceptions of greater transparency than predecessor groups, predictable payouts, and well-packaged attack playbooks for affiliates.
Ransomware attacks pulled back from February’s record-shattering levels, yet they still remain above previous highs and at the top of a multi-year range (chart below).
RansomHub returned to the top spot in March, where it has been for much of the last year, followed by Akira, Qilin, SafePay, and Fog (chart below).
Claimed attacks by February’s leader, the CL0P ransomware group, fell off dramatically, from 267 attacks recorded in February to just six in March. The persistently high attack levels, even without the biggest reason for February’s spike, suggest the possibility of a new, higher ransomware attack range going forward, as groups may be trying to make up for lower ransom payments with a higher volume of victims. It remains to be seen whether DragonForce can sustain RansomHub’s momentum if the takeover proceeds as claimed.
The U.S. led once again (chart below), with 292 of March’s 564 attacks, which was 52% of all ransomware attacks claimed for the month, down significantly from 67% of the global total in February.
Germany vaulted into second place with 40 attacks, something of a surprise given Europe’s relatively low historic attack levels compared to the U.S. and Canada. A surge in SafePay attacks in Germany, with 13, was the primary reason for the spike, with INC claiming 7 victims for the number two spot in Germany. Those groups did not claim any victims in Germany in February when the country’s total number of ransomware attacks was 22.
The number of notable U.S. victims – either large organizations or organizations with significant impact – was 38 in March (13% of U.S. attacks), roughly similar in percentage to the 12.2% rate in February when Cyble recorded 67 notable attacks out of 548 in the U.S.
The continual emergence of new ransomware groups is another factor in the malware’s staying power. Cyble documented the rise of three new ransomware groups in February, as well as two other recently emerged groups with significant new developments.
Arkana Security, a newly emerged ransomware group, made a high-profile debut by claiming responsibility for compromising a U.S.-based Internet Service Provider. The group published on its data leak site (DLS) samples showing alleged customer and infrastructure-level access. In the leak, Arkana taunted the ISP’s CEO by exposing personal data such as shares, address history, emails, and social security number. The group claims access to data impacting 403,000 customers, including usernames, passwords, security questions and answers, emails, full names, and service package details. They further demonstrated alleged access to the ISP’s internal platforms, where they claim to have pushed malware to customer devices and suggested potential manipulation of billing or financial systems. Video and image evidence shared through the leak site showcased detailed access.
Recently emerged ransomware group Secp0 claimed responsibility for compromising a U.S.-based company specializing in IT services, product engineering, and digital transformation solutions. While the group has not disclosed the total volume of stolen data, they have released a 49.22 MB archive as proof of compromise, allegedly containing data related to an investment fund, a software developer for laboratories, and a list of harvested password hashes from the company’s Active Directory accounts and the company’s password manager. Secp0 also claims to have compromised 900 accounts using public NTLM hash databases and encrypted Nutanix servers, Hyper-V servers, and NAS backups. The company was previously compromised by Play ransomware in 2023, which claimed to have stolen 5GB of data. It remains unclear whether Secp0 leveraged previously leaked data for their attack claims.
A new ransomware group, SKIRA TEAM, also surfaced. Analysis of its data leak site (DLS) reveals five victims, including organizations in Turkey, India, and the U.S. The group appears to use a session ID system for potential buyers and has not set any deadlines for ransom payments. Notably, one of SKIRA TEAM’s alleged promoters was banned from BreachForums for advertising ransomware activities.
The Weyhro ransomware group has launched an onion leak site (DLS) listing five victims, with attacks spanning from December 2024 to February 2025. The victims include organizations in Italy, Canada, and the U.S. For each target, Weyhro has leaked stolen data and provided a brief analysis of the exfiltrated information. The group has been active on underground forums, first appearing on XSS in 2024 and more recently on Exploit since February 2025, where the threat actor (TA) shared details of victims added to their leak site.
The Frag ransomware group was first observed in November 2024, exploiting Veeam vulnerability CVE-2024-40711, and has recently been linked to an onion-based data leak site. Research uncovered Linux and Windows ransomware samples, with a ransom note featuring two onion sites, although only one was functional. Analysis of the DLS revealed 25 victims, primarily based in the United States, with two additional cases from the Netherlands and Singapore. From February 28 to March 4, the group leaked stolen data via torrent links. The ransomware encrypts files with a .frag extension. One of the notable victims was earlier targeted by Play ransomware in July 2023.
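The two host-level indicators the report attributes to Frag, a `.frag` extension on encrypted files and a ransom note carrying onion addresses, can be turned into a simple triage check. The following is an added example, not Cyble’s tooling; the file inventory, the onion address and the five-file threshold are constructed assumptions.

```python
import re
from collections import Counter
from pathlib import PurePosixPath

# Indicators from the report: Frag appends ".frag" to encrypted files and drops a ransom note listing onion sites.
ENCRYPTED_EXT = ".frag"
# Matches Tor v2 (16-char) or v3 (56-char) hostnames followed by ".onion".
ONION_RE = re.compile(r"\b[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion\b")
MIN_ENCRYPTED_FILES = 5  # assumed threshold for calling a burst of renames mass encryption

# Constructed sample inventory, not real data: (path, leading bytes of content) as a scanner would collect it.
CONSTRUCTED_ONION = "abcdefghijklmnopqrstuvwxyz234567abcdefghijklmnopqrstuvwx.onion"
SAMPLE_FILES = [
    ("/srv/share/finance/q1.xlsx.frag", b"\x8a\x1f\x00\x42"),
    ("/srv/share/finance/q2.xlsx.frag", b"\x11\xd9\x07\x9c"),
    ("/srv/share/finance/budget.docx.frag", b"\x55\x02\xaa\x10"),
    ("/srv/share/hr/payroll.csv.frag", b"\x9e\x3b\x71\xc4"),
    ("/srv/share/hr/contracts.pdf.frag", b"\xf0\x0d\x28\x6a"),
    ("/srv/share/README_TO_RESTORE.txt", f"Files encrypted. Contact {CONSTRUCTED_ONION}".encode()),
    ("/srv/share/public/notice.txt", b"Office closed Monday."),
]

def find_ransom_notes(files):
    """Return paths whose content mentions at least one .onion address."""
    notes = []
    for path, content in files:
        text = content.decode("utf-8", errors="ignore")  # binary ciphertext decodes to noise, never matches
        if ONION_RE.search(text):
            notes.append(path)
    return notes

def encrypted_files_by_dir(files, ext=ENCRYPTED_EXT):
    """Count files carrying the encrypted extension, grouped by directory."""
    counts = Counter()
    for path, _ in files:
        if path.endswith(ext):
            counts[str(PurePosixPath(path).parent)] += 1
    return counts

def assess(files):
    """Combine both indicators into a verdict a responder can act on."""
    by_dir = encrypted_files_by_dir(files)
    total = sum(by_dir.values())
    notes = find_ransom_notes(files)
    # Extension burst plus a note is the strongest signal; either alone is worth a look.
    verdict = ("likely-frag-encryption" if total >= MIN_ENCRYPTED_FILES and notes
               else "suspicious" if total or notes else "clean")
    return {"encrypted_files": total, "by_dir": dict(by_dir), "ransom_notes": notes, "verdict": verdict}
```

Running `assess(SAMPLE_FILES)` on the constructed inventory reports five encrypted files across two directories plus one ransom note, so the verdict is `likely-frag-encryption`.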
Cyble’s data and analysis of ransomware trends underscore the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats.
Leading threat groups come and go, but consistent application of good security practices is key for building organizational resilience and limiting the impact of attacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint, and cloud monitoring.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of significant cyberattacks.
For more free threat intelligence data, see Cyble’s monthly threat landscape and other research reports (registration required).