Qilin led in ransomware attacks in all global regions in August, but the rapid rise of Sinobi and The Gentlemen also merits attention by security teams.
In August, Qilin was the most active ransomware group for the fourth time in five months, while a new ransomware group is quickly moving up the ranks.
Qilin’s 104 claimed victims in August were nearly double second-place Akira’s 56, but the rapid rise of Sinobi to third place has been one of the more intriguing recent developments in the ransomware landscape (chart below).
The dominance of Qilin and the rise of Sinobi were among the revelations in Cyble’s latest global threat landscape report, which also documents a surge in supply chain and critical infrastructure attacks, among other findings.
Ransomware attacks rose to 467 in August, the fourth straight monthly increase, even as attack totals remain well below February’s record (chart below). Several attacks had significant supply chain implications and were covered in a recent Cyble blog addressing the doubling of supply chain attacks in recent months.
The U.S. remains overwhelmingly the biggest target for ransomware groups, while Europe and Canada continue to draw significant interest from attackers (chart below), with Germany and the UK moving past Canada into second and third place, respectively.
Qilin’s run since the decline of RansomHub has been impressive. Qilin’s 398 claimed victims since April are more than 70% ahead of Akira (chart below), as the group’s features and incentives appear to be gaining traction with former RansomHub and other affiliates.
Of the 2,164 total ransomware attacks since April, Qilin has claimed 18.4%, while Akira, at 10.7%, is the only other ransomware group above 10%.
However, the rapid rise of Sinobi might be even more impressive, as the group has vaulted into third place after only two months in existence.
Sinobi surfaced earlier this summer and has claimed 41 victims to date, 39 of which have been in the U.S. and one each in Australia and Taiwan.
Because of code overlaps and similarities in data leak sites, some initially thought Sinobi might be a rebrand of Lynx. However, Lynx continues to claim new victims, 34 in all since Sinobi first appeared on Cyble’s radar and including some so far in September, so the groups appear to be separate but connected. Lynx itself has also been connected to INC Ransom, which remains quite active and has claimed more than 80 victims since Sinobi first emerged.
Sinobi could find itself challenged to match its meteoric rise in the coming months, as the group has claimed only one new victim since August 24. So far, the group’s targets have spanned more than 10 sectors, including a well-known U.S. financial company, which suggests an ongoing large-scale campaign.
Another very active new group, The Gentlemen, emerged in September and has claimed more than 30 victims so far this month, so the list of most active ransomware groups may well change again.
Meanwhile, longtime ransomware threat LockBit is making another comeback attempt with its 5.0 release, hoping to reverse a slide that began with global law enforcement actions against the group in 2024.
Construction, Professional Services, Manufacturing, and Healthcare remain the most targeted sectors, followed by IT and Technology companies and the Automotive and Finance industries (chart below).
Qilin was the most active ransomware group in all global regions, highlighting the group’s significant reach. Other leading ransomware groups differ by global region, providing important threat intelligence to organizations in those regions.
In the APAC region, BlackNevas and Dire Wolf were also significant threats in August (chart below). South Korea, Japan, Thailand, Singapore, and Taiwan each experienced four or more ransomware attacks.
In Europe and the UK, SafePay, DragonForce, Warlock, and Everest are among the threats to watch (chart below).
In the META region, Qilin, Warlock, and INC were the top ransomware threats. Australia’s eight attacks were spread among seven groups, and Qilin was the only group claiming more than one attack in Australia.
In South America, Brazil led all countries with eight ransomware attacks, followed by Colombia with four, and Qilin was the only ransomware group claiming multiple attacks in the region.
BlackNevas, aka “Trial Recovery,” was first observed in November 2024 and has now added an onion data leak site. The group listed 12 victims spanning various sectors, including Energy, Professional Services, Education, Manufacturing, and ICT, across countries such as the U.S., UK, Germany, Italy, Lithuania, Spain, Thailand, South Korea, and Japan. The group claims to have exfiltrated sensitive information, including financial records, personal data, product formulas, and more. Several sample files have been published to support their claims. The ransomware used appears to be a variant of the Trigona family, and previous research indicates the group may be partnering with other threat actors or data monetization groups such as Kill Security, Hunters International, DragonForce, Blackout, Embargo Team, and Mad Liberator.
The newly observed ransomware strain Charon has been associated with APT-style tactics reminiscent of the China-linked group Earth Baxia, and is actively targeting public sector and aviation organizations in the Middle East.
The Cephalus ransomware group emerged with a new onion-based data leak site (DLS). The group’s activity was first observed in early August through a ransomware sample that used the .sss encryption extension and included ransom notes with victim ID, email contact, and TOX ID. The group has listed 10 victims on its DLS. Investigation indicates that the group has been active on DarkForums since June 2025 under the same alias, and that six of the listed victims had already been leaked on DarkForums. Notably, two of the victims were also recently claimed by Qilin and Kawa4096 on their leak sites, suggesting possible collaboration between groups to amplify extortion pressure.
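A defender-side triage example for the Cephalus indicators described above (the .sss extension and ransom notes carrying an email contact and TOX ID), added here and not taken from Cyble's report: it flags hosts where .sss files appear in a burst and checks a text file for those contact markers. The log format, hostnames, threshold and window are assumptions, and the sample events are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed file-creation events: "<ISO time> <host> <path>". Not real telemetry.
SAMPLE_EVENTS = """
2025-08-12T09:14:01 fs01 /srv/share/finance/q2 forecast.xlsx.sss
2025-08-12T09:14:02 fs01 /srv/share/finance/payroll.csv.sss
2025-08-12T09:14:02 fs01 /srv/share/hr/contracts.pdf.sss
2025-08-12T09:14:04 fs01 /srv/share/hr/reviews.docx.sss
2025-08-12T09:14:05 fs01 /srv/share/it/inventory.db.sss
2025-08-12T08:00:00 ws07 /home/ana/project/save1.sss
2025-08-12T13:30:00 ws07 /home/ana/project/save2.sss
not-a-timestamp fs01 /srv/share/tmp/x.sss
""".strip().splitlines()

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
TOX_RE = re.compile(r"\b[0-9A-Fa-f]{76}\b")  # a Tox ID is 38 bytes, 76 hex characters


def find_bursts(lines, ext=".sss", threshold=5, window=timedelta(seconds=60)):
    """Map host -> time at which `threshold` files ending in `ext` appeared
    within `window`. Threshold and window are assumed values to tune locally.
    Events are expected in time order per host."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        parts = line.split(maxsplit=2)
        if len(parts) != 3 or not parts[2].lower().endswith(ext):
            continue  # malformed line or unrelated file
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        seen = recent[parts[1]]
        seen.append(ts)
        while ts - seen[0] > window:  # drop events older than the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts.setdefault(parts[1], ts)  # keep the first alert per host
    return alerts


def note_indicators(text):
    """Report which contact markers described for the notes appear in a text file."""
    return {"email": bool(EMAIL_RE.search(text)), "tox_id": bool(TOX_RE.search(text))}


if __name__ == "__main__":
    print(find_bursts(SAMPLE_EVENTS))
```

The .sss extension alone is a weak signal, which is why the sample includes a workstation with two widely spaced .sss files that does not trigger an alert.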
The continued evolution of ransomware groups and variants remains one of the biggest threats faced by cybersecurity teams and organizations of all sizes. The financial, data, infrastructure, and operational damage caused by these attacks requires the strongest possible vigilance on the part of security teams.
Developing cyber resilience is critical. Best practices include segmentation of critical assets, zero trust principles, immutable backups, hardened endpoints and infrastructure, a risk-based vulnerability management program, monitoring of endpoints, networks, and cloud environments, and a well-rehearsed incident response plan.
Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks.