Ransomware Landscape May 2025: SafePay, DevMan Emerge as Major Threats
The May 2025 ransomware activity report notes that SafePay became the largest threat, replacing RansomHub; the U.S. and Germany were the main victim countries; sectors such as Healthcare and Education were heavily attacked; new threats such as DevMan emerged; and the VanHelsing source code leak may give rise to new variants. 2025-6-3 12:46:24 Author: cyble.com

SafePay took the top spot among ransomware groups in May 2025, solidifying the group’s status as a major threat. Overall, ransomware groups claimed 384 victims in May (chart below), the third straight monthly decline, as leadership continues to shift after RansomHub – the top group for more than a year – went offline at the end of March in what may have been an infrastructure compromise by rival DragonForce.

[Chart: ransomware victims claimed per month]

We’ll look at SafePay, along with DevMan, another emerging ransomware actor, as well as other key ransomware developments that occurred in May.

Top Ransomware Groups

SafePay, with 58 claimed victims, took over the top spot from April leader Qilin, which claimed 54 victims in May. Play, Akira, and NightSpire rounded out the top five ransomware groups (chart below).

[Chart: top ransomware groups by claimed victims, May 2025]

The U.S. was once again the most targeted country with 181 victims, more than seven times greater than second-place Germany (chart below).

[Chart: most targeted countries, May 2025]

Professional Services and Construction were by far the most attacked sectors, totaling 101 attacks between them. Manufacturing, Government, Healthcare, Finance, IT, Transportation, Consumer Goods, and Education rounded out the top 10 targeted industries (chart below).

[Chart: most attacked sectors, May 2025]

SafePay, DevMan Emerge as Threats

SafePay has claimed 198 victims since the ransomware group first emerged in fall 2024, according to Cyble threat intelligence data. The group’s previous high was 43 victims in March 2025. May was the first month that SafePay led all ransomware groups in claimed victims.

The group has been observed gaining initial access via VPN and RDP connections, often using stolen credentials or password spraying attacks. SafePay uses double-extortion techniques, exfiltrating data before encrypting it and threatening to leak stolen data unless the ransom is paid.
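The initial-access pattern described above, stolen credentials and password spraying against VPN and RDP, leaves a recognisable trace in authentication logs: one source failing against many distinct accounts in a short window, rather than many failures against one account. The following detector is an added example (not Cyble's code or tooling); the log format `<timestamp> <source-ip> <username> <FAIL|SUCCESS>` and the sample lines are constructed for the demonstration, and the window and account thresholds are assumptions to tune per environment.

```python
"""Detect password-spraying patterns in VPN/RDP authentication logs.

Added example, not from the Cyble report. A source that fails against
many distinct accounts inside a short window is spraying a few passwords
across a user list; a source that fails repeatedly against one account
is brute-forcing, which this detector deliberately does not flag.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical "<ts> <src-ip> <user> <result>" format.
# 203.0.113.7 sprays six accounts and lands on "grace"; 198.51.100.9 only
# fumbles one user's password three times before getting it right.
SAMPLE_LOG = """\
2025-05-12T08:00:01Z 203.0.113.7 alice FAIL
2025-05-12T08:00:03Z 203.0.113.7 bob FAIL
2025-05-12T08:00:04Z 203.0.113.7 carol FAIL
2025-05-12T08:00:06Z 203.0.113.7 dave FAIL
2025-05-12T08:00:07Z 203.0.113.7 erin FAIL
2025-05-12T08:00:09Z 203.0.113.7 frank FAIL
2025-05-12T08:00:11Z 203.0.113.7 grace SUCCESS
2025-05-12T08:05:00Z 198.51.100.9 alice FAIL
2025-05-12T08:05:10Z 198.51.100.9 alice FAIL
2025-05-12T08:05:20Z 198.51.100.9 alice FAIL
2025-05-12T08:05:30Z 198.51.100.9 alice SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (datetime, src, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {src_ip: sorted accounts} for sources whose failed logins hit
    at least `min_accounts` distinct usernames within any `window` span."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    alerts = {}
    for src, fails in failures.items():
        fails.sort()  # sliding window needs time order
        best = set()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users
        if len(best) >= min_accounts:
            alerts[src] = sorted(best)
    return alerts


def successes_after_spray(log_text, alerts):
    """Accounts that authenticated successfully from a flagged source: the
    first thing to act on, because a spray that landed is an intrusion."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, user, result = parse_line(line)
        if src in alerts and result == "SUCCESS":
            hits.append((src, user))
    return hits


if __name__ == "__main__":
    flagged = detect_spray(SAMPLE_LOG)
    print("spraying sources:", flagged)
    print("successful logins from those sources:", successes_after_spray(SAMPLE_LOG, flagged))
```

Counting distinct accounts per source, rather than raw failures, is what separates spraying from ordinary lockout noise; pairing the alert with any subsequent success from the same source turns it from a curiosity into an incident.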

SafePay claims not to offer Ransomware-as-a-Service (RaaS), unlike other groups that often rely on affiliates.

SafePay has so far shown a preference for targets in the U.S. and Germany, with German attacks in particular well above the mean. While the group has attacked a wide range of industries, Healthcare and Education have been above the mean, and Government, Finance, and IT below it (charts below).

[Charts: SafePay victims by country and by industry relative to the mean]

DevMan is an affiliate of several RaaS groups and has recently been observed expanding its operations beyond affiliate activity. The threat actor claimed 13 victims in May, placing it just behind the leading ransomware groups and making it one to watch.

In a recent attack on media in Thailand, the group claimed that all systems and NAS devices were encrypted using their own customized encryptor, applying the “.devman1” file extension. DevMan claims the deployment used an upgraded version of their malware that’s capable of faster lateral movement, implemented via Group Policy Object (GPO).
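An encryptor that appends a fixed extension such as the “.devman1” described above produces a burst of renames to one previously unseen extension across many directories on a single host. The detector below is an added example, not Cyble's or DevMan's code; the file-activity log format `<timestamp> <host> RENAME <old> -> <new>`, the sample events, the extension baseline, and the per-minute threshold are all constructed assumptions for the demonstration.

```python
"""Flag encryption-like bursts of renames to a single unfamiliar extension.

Added example, not from the Cyble report. Per host and per minute it counts
distinct files that gained the same extension absent from a known baseline,
and reports hosts that exceed a threshold: the file-system-level symptom of
a mass encryptor, whichever family produced it.
"""
from collections import defaultdict
from datetime import datetime
import os

# Constructed sample log: "<ts> <host> RENAME <old path> -> <new path>".
# FS01 shows a burst to ".devman1"; WS22 shows ordinary user renames.
SAMPLE_EVENTS = """\
2025-05-20T02:10:01Z FS01 RENAME /share/finance/q1.xlsx -> /share/finance/q1.xlsx.devman1
2025-05-20T02:10:01Z FS01 RENAME /share/finance/q2.xlsx -> /share/finance/q2.xlsx.devman1
2025-05-20T02:10:02Z FS01 RENAME /share/hr/payroll.docx -> /share/hr/payroll.docx.devman1
2025-05-20T02:10:02Z FS01 RENAME /share/hr/handbook.pdf -> /share/hr/handbook.pdf.devman1
2025-05-20T02:10:03Z FS01 RENAME /share/eng/design.vsdx -> /share/eng/design.vsdx.devman1
2025-05-20T02:10:03Z FS01 RENAME /share/eng/notes.txt -> /share/eng/notes.txt.devman1
2025-05-20T02:11:00Z WS22 RENAME /home/u/draft.txt -> /home/u/draft.bak
2025-05-20T02:11:30Z WS22 RENAME /home/u/report.doc -> /home/u/report.docx
"""

# Constructed baseline of extensions considered normal in this environment.
KNOWN_EXTENSIONS = {".bak", ".tmp", ".doc", ".docx", ".xlsx", ".pdf", ".txt", ".vsdx"}


def parse_event(line):
    """Split one constructed event line into (datetime, host, old_path, new_path)."""
    ts, host, _action, rest = line.split(maxsplit=3)
    old, new = (p.strip() for p in rest.split("->"))
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, old, new


def detect_mass_reextension(log_text, threshold=5):
    """Return {(host, extension): max files in one minute} for hosts where at
    least `threshold` distinct files were renamed to the same non-baseline
    extension within a single minute bucket."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, old, new = parse_event(line)
        ext = os.path.splitext(new)[1].lower()
        if not ext or ext in KNOWN_EXTENSIONS:
            continue  # familiar extension: not the pattern we are hunting
        if os.path.splitext(old)[1].lower() == ext:
            continue  # extension unchanged, just a move
        minute = ts.replace(second=0, microsecond=0)
        buckets[(host, ext, minute)].add(new)

    alerts = {}
    for (host, ext, _minute), files in buckets.items():
        if len(files) >= threshold:
            key = (host, ext)
            alerts[key] = max(alerts.get(key, 0), len(files))
    return alerts


if __name__ == "__main__":
    for (host, ext), count in detect_mass_reextension(SAMPLE_EVENTS).items():
        print(f"{host}: {count} files renamed to {ext} within one minute")
```

Keying on "same new extension, many files, one host, one minute" rather than on a specific extension string keeps the rule useful after the next rebrand; the baseline set is what stops routine `.bak` or `.docx` renames from paging anyone.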

Sample screenshots published on DevMan’s leak site showed apparent access to file shares, server management interfaces, domain controller settings, and encrypted directories. The group claimed to have stolen 170 GB of data and expressed willingness to sell the data to a single buyer.

DevMan has previously worked with Qilin, Apos, and DragonForce RaaS, and recent claims add RansomHub to their multi-RaaS affiliations.

VanHelsing Source Code Leak

In another significant development in May, a known malware developer attempted to auction the VanHelsing Ransomware-as-a-Service (RaaS) source code on the RAMP forum, starting at $10,000. The package allegedly included the full codebase, admin web panel, chat interface, file server, blog platform, database, and TOR keys.

Shortly after the auction attempt, the VanHelsing group themselves leaked the full source code for free on RAMP and denounced the malware developer as a scammer. The group said VanHelsing RaaS v2.0 is in development and will be released soon.

The internal fallout and code leak raise concerns of potential copycat operations, as observed following the leaks of LockBit and Babuk. The widespread availability of VanHelsing’s source code may accelerate the emergence of new ransomware variants in the coming weeks.

New Ransomware Groups

Among new ransomware groups that emerged in May, “Dire Wolf” launched an onion-based data leak site (DLS), listing six victim organizations, primarily across Asia, Australia, and Italy. Dire Wolf posted a file tree, sample files, and descriptions of the allegedly stolen data for each organization.

A new ransomware group named DATACARRY was observed actively targeting European companies through a newly established onion-based data leak site. The group has listed seven victims from diverse sectors and countries, leaking parts of allegedly stolen data. The group communicates with victims via Session messenger and has circulated a ransom note, though no locker has yet been observed.

A newly emerged ransomware group calling itself “J” has launched an onion DLS, following earlier signs of activity observed in March 2025. In its initial disclosure, J listed multiple organizations across South America, Australia, Europe, the U.S., and Asia. The group has shared file trees of allegedly compromised data from victim organizations in support of their claims.

Notable Ransomware Attacks

Here are some of the notable ransomware attacks that occurred in May, sourced from Cyble dark web researchers and OSINT sources. Several of the claimed attacks are noteworthy for their potential impact on the software supply chain and critical infrastructure. Many of the attack claims were unconfirmed by victim organizations, hence Cyble’s characterization of the alleged attacks as claims.

  • The UK was hit by high-profile retail cyberattacks in late April and early May, with possible connections to Scattered Spider and DragonForce ransomware.
  • The Silent ransomware group claimed to have compromised a U.S.-based network security company. The group alleges it exfiltrated 764 GB of data across 186,955 files and posted several samples appearing to show access to internal configuration files, encrypted data blocks, system logs, and administrative commands, but responses from the company appear to dispute the significance of the data.
  • The Qilin ransomware group claimed responsibility for compromising a U.S. satellite communications (SATCOM) and cybersecurity solutions provider to defense, government, aerospace, and critical infrastructure clients. File samples suggest the allegedly stolen data spans multiple years and includes both personal identity information and operational business files. Qilin also claimed responsibility for an attack on a Japanese shipbuilder, potentially exposing data related not just to merchant ship construction but also to the Japanese Coast Guard/Navy.
  • The Termite ransomware group claimed to have exfiltrated over 550 GB of data, containing 700,000 files, from a French technology company and supplier in the French aerospace and defense ecosystem.
  • Play ransomware claimed to have compromised a U.S. emergency communication and early warning systems provider to government, military, and critical infrastructure.
  • The Akira ransomware group claimed responsibility for a cyberattack on a U.S.-based energy trading subsidiary of a Japanese corporation.
  • The Lynx ransomware group claimed responsibility for a cyberattack on a Saudi Arabian architecture and engineering firm, while Qilin claimed responsibility for a cyberattack on a Singapore-based construction and engineering firm.
  • The INC Ransom group claimed responsibility for an attack on a South African airline.
  • The BERT ransomware group claimed to have compromised a Taiwanese manufacturer of automation equipment for the semiconductor, LED, and passive component industries. The company responded that there was no significant operational or data impact.
  • The Medusa ransomware group claimed responsibility for compromising a U.S.-based technology solutions provider specializing in IT infrastructure, cloud services, cybersecurity, and systems integration for public sector and enterprise clients.
  • The Akira ransomware group claimed a cyberattack on a Greece-based international shipping company specializing in the transportation of petroleum and chemical products.
  • A U.S.-based developer of mathematical computing software confirmed that it had experienced a ransomware attack that led to outages in both customer-facing applications and internal platforms.
  • The Arkana ransomware group claimed responsibility for an attack on a UK-based multinational mining company.
  • The Qilin ransomware group claimed responsibility for a cyberattack targeting a U.S. contract pharmaceutical manufacturer.
  • The Play ransomware group claimed to have compromised a U.S.-based provider of high-performance graphics, video capture, and signal processing solutions for the defense and aerospace industries.
  • The Everest ransomware group claimed to have breached a UAE-based airline and a Saudi Arabian pharmaceutical company.

Conclusion

The resilience of ransomware actors and affiliates in the face of major upheaval among the leading groups underscores the ever-present threat of ransomware and highlights the enduring importance of cybersecurity best practices for protecting against a wide range of cyber threats.

Consistent application of good security practices is critical for building organizational resilience and limiting the impact of any cyberattacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint and cloud monitoring.

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. Get a free threat assessment report for your organization.

Disclaimer: This blog is based on our research and the information available at the time of writing. It is for informational purposes only and does not constitute legal, financial, or professional advice. While we strive for accuracy, we do not guarantee the completeness or reliability of the content. If any sensitive information has been inadvertently included, please contact us for correction. Cyble is not responsible for any errors, omissions, or decisions made based on this content. Readers should verify findings and seek expert advice where necessary. All trademarks, logos, and third-party content belong to their respective owners and do not imply endorsement or affiliation. All content is presented “as is” without any guarantee that it is free of confidential, proprietary, or otherwise sensitive information. If you believe any portion of this content contains inadvertently shared or sensitive data, please contact us immediately so that we may address and rectify the issue.

No Liability for Errors or Omissions

Due to the dynamic nature of cyber threat activity, this [blog/report/article] may include partial, outdated, or otherwise incorrect information due to unverified sources, evolving security threats, or human error. We expressly disclaim any liability for errors or omissions or any potential consequences arising from the use, misuse, or reliance on this information.


Source: https://cyble.com/blog/top-ransomware-groups-may-2025-safepay-devman-rise/