Ransomware Levels ‘Normalize’ Though Threat Group Activity Remains High: Report
A new report from Guidepoint Security takes an in-depth look at ransomware activity in Q3 2025.
Ransomware victim levels have “normalized.” While the number of those victimized by ransomware decreased from Q1 to Q3 2025, the number of publicly named extortion groups has risen, according to a new report.
The report, published by cybersecurity solutions provider Guidepoint Security, draws on data collected from “publicly available resources” and “threat groups themselves,” the researchers stated.
Ransomware Victim Volume Normalizes
While ransomware victim volume has normalized since Q1 2025, the number of named (publicly known and tracked) ransomware groups continues to multiply, with a 57 percent year-over-year increase and 77 known active groups in Q3, according to the report.
This normalization is due to “greater consolidation of skilled actors within prolific, established RaaS [Ransomware-as-a-Service] groups, while also an increase in low-skill or ephemeral groups on the scene,” the report researchers concluded.
“Q3 solidifies what we are recognizing as a ‘new normal’ baseline, but it is too soon to declare the problem of ransomware contained,” the report researchers said.
The report also makes a distinction between “ransomware” and “extortion” groups, although the report’s data accounts for both. Extortion groups, unlike ransomware ones, may bypass any encryption tactics and just employ exfiltration and extortion techniques. In fact, they often avoid any intrusion operations altogether, the report states.
Most Active Ransomware Groups
The groups responsible for the most ransomware attacks in Q3 are Qilin, Akira Inc., and Play.
Qilin set Q3’s record for successful attacks by claiming 234 victims, the report found. Qilin is likely based in Russia, according to a June 2024 report from the Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center.
Though these threat groups tend to have fleeting existences with a “rapid, volatile lifecycle,” the report stated, they have also become quite organized and professional.
The report presents a case study of one threat actor who used “strategic rebranding and marketing saturation” to recruit affiliates — cybercriminals to carry out the attacks for a share of proceeds — through the dark web.
Qilin, in fact, began offering a “call a lawyer” service to its affiliates who had gotten into legal trouble, MES Computing’s sister publication CRN reported.
While most of these ransomware groups are part of some RaaS network, one threat group emerged as an outlier in Q3. The group, SafePay, is not part of RaaS; rather, it’s made up of a “select group of insiders,” according to the report.
Unlike RaaS groups, SafePay keeps a low profile on the dark web, and even had the courtesy to add a banner to its DLS (Data Leak Site) on the dark web stating: “SafePay ransomware has never provided and does not provide the RaaS.”
Overall, the researchers noted a pause in the “exponential” quarter-over-quarter ransomware activity observed in recent years.
Yet attacks by established threat groups and those that may work more covertly continue to rise. The report researchers advised organizations to employ security best practices as the best defense against “templatized” attacks from RaaS groups and from low-skilled, solo attackers.