Ransomware Attacks April 2025: Qilin Emerges from Chaos
Global ransomware attacks fell to 450 in April 2025 (114 fewer than in March), the lowest level since November 2024. The main reason was a reorganization among RaaS (Ransomware-as-a-Service) groups that caused some affiliates to move to new groups. Even so, the long-term trend remains upward. Qilin led with 74 attacks, followed closely by Akira and Play. The U.S. remained the largest victim (52% of the global total), followed by Canada, Germany and others. New ransomware gangs such as Silent Team and Gunra have emerged, posing a threat to critical industries. 2025-5-6 14:31:16 Author: cyble.com

Global ransomware attacks in April 2025 declined to 450 from 564 in March – the lowest level since November 2024 – as major changes among the leading Ransomware-as-a-Service (RaaS) groups caused many affiliates to align with new groups. Still, the long-term trend for ransomware attacks remains decidedly upward (chart below) so April’s decline could be reversed as soon as new RaaS leaders are established. 

[Chart: Ransomware attacks by month, 2021-2025]

For now, the uncertainty at RansomHub – which went offline at the start of April but plans to return – resulted in new groups taking over the top global attack spots. Qilin, which gained affiliates from the RansomHub uncertainty, led all groups with 74 attacks claimed in April (chart below), followed by Akira at 70, Play with 50, Lynx with 31 attacks, and NightSpire at 24. DragonForce, which claimed to be taking over RansomHub’s infrastructure, claimed 21 victims in April, up from 16 in March. 

[Chart: Top ransomware groups, April 2025]

RansomHub, which has led all groups since early 2024, claimed just three attacks, all on April 1, the day the group’s data leak site (DLS) went offline. 

In a note to clients, Cyble said the RansomHub-DragonForce clash “highlights not only the volatility within the cybercriminal underworld but also the high-stakes competition driving rapid evolution in ransomware capabilities.” 

Meanwhile, hacktivist groups are increasingly moving into ransomware, suggesting no shortage of threat actors willing to use this destructive malware. 

While no industry was spared the scourge of ransomware attacks in April, several attacks hit software and IT companies, raising the potential for downstream supply chain impacts. 

U.S. Again Leads in Ransomware Attacks 

The U.S. once again led all countries in ransomware attacks, with 234 attacks, or 52% of the global total, followed by Canada, Germany, Italy and the UK (chart below). 

[Chart: Regional ransomware impact (top 5)]

In the U.S., the Play ransomware group claimed the most attacks with 42 (chart below), followed by Qilin, Akira, Lynx and DragonForce, which was largely focused on U.S. targets. 

[Chart: U.S. ransomware groups, April 2025]

In the UK and Europe, Akira was the top attacker, while Spain and Switzerland rounded out the top five European countries for ransomware attacks (charts below). There were 108 claimed attacks in total in the region. 

[Chart: Europe & UK ransomware groups, April 2025]
[Chart: Europe & UK ransomware attacks by country, April 2025]

In the META region (Middle East, Turkey and Africa), RALord – a new group that emerged in March – and Cicada3301 were the top attackers, while Egypt, the UAE and Saudi Arabia were the most attacked countries (charts below). There were 12 claimed attacks in total in the META region in April. 

[Chart: META ransomware groups, April 2025]
[Chart: META ransomware attacks by country]

The Asia-Pacific region (APAC) saw 36 attacks in April 2025, with Qilin, Akira and NightSpire the top attackers, and Taiwan and Singapore the most attacked countries (charts below). 

[Chart: Top APAC ransomware groups, April 2025]
[Chart: APAC ransomware attacks by country]

Australia and New Zealand saw nine claimed attacks, seven in Australia and two in New Zealand, while Sarcoma, Qilin and Akira were the top attackers (chart below). 

[Chart: ANZ ransomware groups, April 2025]

Ransomware Attacks and New Groups 

Cyble observed the emergence of two new ransomware groups in April. 

Silent Team surfaced with an onion data leak site (DLS), claiming two victims: a U.S.-based engineering company and a Canadian aerospace manufacturer. According to the leak site, the group allegedly exfiltrated 2.85 TB of data across 597,028 files and posted multiple samples showing internal documents, ID scans, technical schematics, database structures, engineering blueprints of aircraft, and other sensitive documents. The Silent Team DLS design mimics that of Hunters International. No known encryptor samples have yet surfaced. 

A newly identified ransomware group, tentatively named Gunra by the threat intelligence community, has surfaced with an onion data leak site. The group has listed three victims so far: a Japan-based real estate company; a medical firm in Egypt; and a Panama-based beverage and distribution company. 

Below are some of the potentially more sensitive incidents involving ransomware groups in April. 

An IT services subsidiary of a large international conglomerate confirmed that it was impacted by a ransomware incident, believed to be the responsibility of the Akira ransomware group. The incident may have impacted multiple projects tied to government entities, raising broader concerns about potential supply chain effects. 

The Play ransomware group claimed responsibility for compromising two U.S.-based software companies that provide critical services such as security applications, network operations center (NOC) solutions, and business consulting software, raising concerns about potential downstream supply chain impacts. The attackers claim to have exfiltrated private and personal confidential data, client documents, budgets, payroll information, accounting records, tax documents, IDs, and other sensitive financial information. Given the nature of the services provided by the victims, Cyble said there is a heightened risk of broader disruption across multiple sectors reliant on the companies’ software and consulting offerings. 

Akira ransomware group claimed responsibility for compromising a U.S.-based energy cooperative that supplies electricity to rural areas across ten northeast Georgia counties. 

RaaS affiliate and threat actor DevMan announced a new set of victims on their DLS, including a Chinese critical infrastructure construction company, and claimed to have exfiltrated 50 GB of data and encrypted it with DragonForce ransomware. Previously, DevMan has claimed to be working with the Qilin and Apos RaaS groups, and the recent claims add DragonForce to their multi-RaaS affiliations. To date, DevMan has claimed nine victims, mostly in affiliation with Qilin. Qilin and DevMan also claimed to have compromised a Taiwan-based LCD technology company and a UAE-based IT & IT services company. 

Qilin claimed responsibility for compromising a France-based software provider serving the transportation and logistics industry. The group claims that it encrypted the company’s network and exfiltrated over 1.1TB of data, including offers, videos, archives, contracts, ACS-related data, source code, customer documents, logistics data, databases, OneDrive-stored files, product development materials, and employee personal records. Qilin also claims to have compromised a major South Korean industrial conglomerate, including the theft of over 1TB of sensitive data. 

Hellcat ransomware group allegedly compromised a China-based company specializing in display technologies and electronic solutions. The threat actor claims to have exfiltrated 166 GB of data, including blueprints, financial records, and internal correspondence. 

The Rhysida ransomware group claimed responsibility for compromising a U.S.-based company involved in engineering, architecture, and critical infrastructure projects. 

Conclusion 

The ever-present and growing threat of ransomware highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats. 

Even as leading threat groups change, consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint and cloud monitoring. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

For more free threat intelligence data, see Cyble’s monthly threat landscape and other research reports (registration required). 


Source: https://cyble.com/blog/qilin-tops-april-2025-ransomware-report/