First Quarter 2025 Ransomware Trends
July 03, 2025

Ransomware remained a prevalent threat to organizations worldwide through the first quarter of 2025, making headlines for high-profile attacks, departures and rebrandings, and the emergence of new variants. After a year of relatively steady numbers, 2,314 ransomware victims were listed on 74 unique data leak sites in Q1, representing a 213% increase in the number of victims and a 32% increase in the number of variants compared with the 56 variants in Q1 2024. In a shakeup from previous years, during which LockBit claimed the most victims, 2025 so far is led by Cl0p, RansomHub and Akira as the ransomware strains with the most victims listed.

Attacks against all verticals increased throughout Q1 2025, with industrials, consumer cyclicals and technology the three most targeted. All geographies also saw increases in ransomware compromises, with North America remaining the most affected geography in Q1 2025. Ransomware operators continued to use tried-and-true methods to gain initial access to victims: social engineering/phishing, exploitation of software vulnerabilities, compromise of exposed and insecure software, supply-chain attacks and the initial access broker (IAB) community.

Optiv's Global Threat Intelligence Center (gTIC) previously assessed that ransomware attacks will remain a prevalent threat over the next 12 months, and current data confirms that assessment. Despite disruptions, rebrandings, new variants joining the landscape and attention from government and law enforcement, there is currently little incentive for ransomware operators to cease operations. Additionally, Optiv's gTIC assesses with high confidence that ransomware groups will increasingly turn to ransomware-as-a-service (RaaS) operations and double extortion techniques.
Throughout 2025, more ransomware groups are likely to emerge through rebranding, splits and the presence of lower-skilled or fly-by-night operations, while loyalty and relationships between affiliates, developers and partners are likely to weaken as affiliates and members work for multiple cartels or migrate from group to group. Additionally, if extortion payments continue to be made and attackers continue to profit, targeted ransomware attacks will very likely continue over the next 12 months. Previously observed techniques and tooling will also remain consistent across IAB and ransomware compromises in 2025: phishing and exploitation of RDP, firewall appliances and VPN clients for initial access; exploitation of VMware ESXi, Microsoft Exchange, Zoho ManageEngine and NAS devices for lateral movement, credential access and discovery; and use/abuse of over-the-counter and publicly available file transfer and remote administration tools including Atera RMM, AnyDesk, Splashtop, FreeFileSync, Progress MOVEit, Cleo MFT and Fortra GoAnywhere.

First Quarter Trends

The first quarter of 2025 saw a sharp increase in the overall volume of ransomware attacks listed on data leak sites. The first quarter of 2025 (2,314 listed victims) showed a 213% increase when compared with the first quarter of 2024 (1,086 listed victims). Ransomware actors tend to behave seasonally, with the fourth quarter favored not just for ransomware attacks but for all cybercriminal activity; even so, Q1 2025 showed a sharp increase over Q4 2024's 1,782 ransomware victims. This trend began after relatively flat ransomware numbers throughout 2024, during which ransomware actors seemingly focused less on volume of attacks and more on highly targeted attacks that would yield the greatest ransom demands.
Although this surge in ransomware activity represents a change from the trends of the past year, the ever-increasing number of ransomware groups is in line with the gTIC's estimates based on the last several quarters' activity. Quarter after quarter, the gTIC has observed increasing numbers of active ransomware groups. The gTIC assesses with moderate confidence that the number of ransomware groups will continue to grow over the next 12 months. Additionally, the gTIC assesses that rebranding and fly-by-night operations are likely to increase, while loyalty to single cartels and relationships/collaboration between affiliates, developers and partners have an even chance of deteriorating.

Note that the numbers discussed throughout this report include only victims listed on data leak sites. It is almost certain that the overall number of victims is significantly higher, as data leak sites do not typically list victims who pay a ransom within a certain period, and several ransomware variants do not maintain data leak sites.

[Figure 1: Ransomware Attacks by Vertical in Q1 2025 (Green) vs Q1 2024 (Blue)]

As the chart above shows, all verticals saw an increase in ransomware activity this quarter compared with Q1 2024; some verticals, including consumer cyclicals and technology, each saw more than triple the number of ransomware attacks. During the first quarter of 2025, victims were listed on 74 independent data leak sites, significant growth compared with the 56 data leak sites in Q1 2024. The chart in Figure 2 shows only variants that listed 25 or more victims. There were also significant shifts in which actors held the dominant positions. LockBit had been at the top of the leaderboard since Conti left the landscape in 2022; however, the number of attacks listed by LockBit has continued to dwindle since a law enforcement operation disrupted its online infrastructure in February 2024.
In the first quarter of 2025, LockBit listed 24 victims, ranking 22nd by volume of attacks.

[Figure 2: Ransomware Attacks by Variant in Q1 2025]

With LockBit's decline, RansomHub and Akira continued to target companies at a high volume, and Cl0p grew significantly, from 93 victims listed on its data leak site in all of 2024 to 358 victims in the first quarter of 2025. In addition to growth by these established actors, several new ransomware groups were observed operating data leak sites, including VanHelsing and Babuk2.

Top Threat Actors

The graphics below illustrate the Optiv Threat Actor Metric™ calculated for the top ransomware outfits by volume in Q1 2025. The Optiv Threat Actor Metric™, developed by the gTIC, is a multifaceted, qualitative approach to determining an adversary's or campaign's potential risk to an organization or industry on a scale of 0 to 100. The metric considers known and assessed non-technical capabilities and intentions. See Appendix A for a more detailed explanation of the Optiv Threat Actor Metric™. Metrics are also provided for additional threats discussed in this report.

Clop Threat Profile

Clop is a ransomware variant first discovered in February 2019 and is an updated version of the CryptoMix ransomware from 2016. The Clop ransomware has been updated multiple times since it was first identified. The Clop variant is packed to obfuscate its inner workings prior to runtime and is signed with a legitimate certificate that fools security solutions into trusting the binary. Clop terminates itself before the encryption routine if it is run against an organization in Russia or another Commonwealth of Independent States (CIS) country. The Clop ransomware appends the ".ClOP" extension to encrypted files. The group primarily targets Active Directory servers, leading to the compromise of an entire network ecosystem.
The Clop ransomware operates as a RaaS; therefore the initial access vectors vary depending on the affiliate. Observed methods include phishing attacks, exploitation of vulnerabilities, weak passwords and exposed Remote Desktop Protocol (RDP). The operators of the Clop ransomware run the dark-web site >_CLOP^_-LEAKS, on which victims' data is leaked if the ransom demand is not met. Ransom notes indicate that the ransom demand amount depends on how quickly the victim organization contacts the operators. In Q1 2023, Clop exploited the GoAnywhere vulnerability CVE-2023-0669 to target a reported 130 organizations. The group did not encrypt the victims but rather focused on stealing data and holding it for ransom; organizations that did not pay were listed on the Clop data leak site. This attack was similar to the Clop attack targeting Accellion FTA vulnerabilities in 2021.

In Q1 2025, Clop's activity increased 1400%, in large part due to its exploitation of two zero-day vulnerabilities, CVE-2024-50623 and CVE-2024-55956, in Cleo managed file transfer (MFT) solutions. In February alone, Clop listed 389 victims, a shocking comparison to just 26 victims throughout all of 2024. As can be seen in Figure 1, the retail industry saw a huge jump compared with last year, largely attributed to Clop's focus on retail organizations. Clop was responsible for nearly half of the retail victims in Q1 2025.

[Figure 3: Threat Actor Metric Score for Clop Ransomware]

RansomHub Threat Profile

RansomHub is a RaaS operation that was first observed in February 2024. The operation uses the double extortion method, encrypting the victim's data and subsequently threatening to leak the data on its data leak site if the ransom is not paid. The operation has been linked to both the Alphv (BlackCat) ransomware operation and the former Knight ransomware group, with which RansomHub shares significant code overlaps.
RansomHub is written in Golang and C++. The operation prohibits affiliates from targeting previously targeted organizations, non-profit organizations and organizations in the CIS, Cuba, North Korea and China. The ransomware can target Windows, Linux, ESXi and devices running on MIPS architectures. As with the Clop ransomware operation, since RansomHub is a RaaS, initial access methods vary depending on the affiliate. Observed methods include phishing, vulnerability exploitation, malware deployment and more.

RansomHub was the second most prominent ransomware operation in Q1 2025 after taking the top spot throughout all of 2024. The group saw a very small reduction in activity after it announced that its profit split with affiliates would drop from 90/10 to 85/15. In Q1 2025, RansomHub partnered with SocGholish to deliver ransomware attacks against U.S. government organizations as well as some banking and consulting organizations. Attacks have also occurred in Japan and Taiwan. SocGholish is the threat actor behind the FakeUpdates malware-as-a-service (MaaS) framework. The attack begins with the attackers infecting legitimate websites with SocGholish malicious scripts via an obfuscated JavaScript loader. Those sites then redirect visitors to fake browser update notifications, attempting to convince victims to download and execute a malicious file. The threat actors then use SocGholish to load the RansomHub binary. Despite a high volume of attacks in Q1, RansomHub has gone dark since March 31, 2025. There has been much speculation about the reason, including a potential rebrand to DragonForce ransomware.

[Figure 4: Threat Actor Metric Score for RansomHub Ransomware]

New Ransomware Operations

A new multi-platform RaaS operation, dubbed VanHelsing, was first promoted on cybercrime platforms on March 7 and has been observed targeting Windows, Linux, BSD, ARM and ESXi systems.
VanHelsing forbids targeting organizations in the Commonwealth of Independent States, which is common among Russian or pro-Russian cybercriminal groups. Operators take a 20% cut of the ransom payments that affiliates negotiate. Affiliates are provided with access to a panel with full operational automation as well as direct support from the development team. VanHelsing operators have been observed setting ransom demands of $500,000. The ransomware variant is written in C++ and supports rich CLI customization to tailor attacks per victim.

[Figure 5: VanHelsing Ransomware Ransom Note]

Another new ransomware operation that disrupted the landscape in Q1 2025 was Babuk2, first observed in January 2025. The group has no affiliation with the original Babuk group despite using its name. The group listed at least 85 victims in Q1 2025; however, none of the attacks have been validated by the listed organizations. The group has been linked to the threat actors Bjorka and Skywave and has been observed reposting previous Bjorka victims on Babuk2's data leak site. The collaboration can be observed on the "Contact Us" tab of Babuk2's data leak site, which carries the logos of Skywave and Bjorka as well as another possible affiliate, GDLockerSec. A ransomware sample from Babuk2 was shared on Telegram; however, the sample was actually LockBit 3.0. Although the group has claimed dozens of high-profile victims, Babuk2 appears to simply be reposting previous data leak posts from other ransomware operations such as RansomHub, FunkSec and LockBit. The group has gone to significant lengths to masquerade as a legitimate ransomware operation; for example, it provides a tiered pricing strategy on its site. At this point, however, the group appears to be a deception-based social engineering operation rather than an actual ransomware operation.
[Figure 6: Babuk2's Data Leak Site]

[Figure 7: Babuk2's "Victim" Overlap with Previous RansomHub Attack]

Optiv's gTIC Analyst Comments and Assessments

Because the volume of ransomware attacks remained relatively steady throughout 2024, the steep surge in attacks in Q1 2025 represents a shift in the trends of ransomware operations of the last couple of years. Although this surge in ransomware activity represents a change from the trends of the past year, the ever-increasing number of ransomware groups is in line with the gTIC's estimates based on the last several quarters' activity. Optiv's gTIC assesses with high confidence that ransomware is likely to remain a prevalent threat over the next 12 months. Despite high-profile ransomware incidents and government and law enforcement attention on ransomware operations, there is currently little motive for ransomware operations to cease. Ransomware operators have continued to operate and adapt and are assessed to be focused on continuing to build infrastructure and capabilities around themselves as a one-stop shop, with less reliance on marketplaces and forums over the next 12 months. Optiv's gTIC assesses with moderate confidence that state-sponsored APT groups will increase the use of ransomware as part of their campaigns over the next 12 months (as seen previously from China, Iran and most recently North Korea sponsored threats), as a means to destroy their targets' systems and/or for financial gain. Critical verticals (healthcare, energy, transportation, industrial services, government) are likely to remain an attractive opportunity for ransomware operators due to the high-value information they hold, their inability to tolerate significant downtime and the likelihood of a ransom payment. Additionally, if extortion payments continue to be made and attackers continue to profit, targeted ransomware attacks will very likely continue over the next 12 months.
Finally, more ransomware groups are likely to emerge, rebranding and fly-by-night operations are likely to increase, and relationships between affiliates and developers are likely to change. The rapid change in the landscape can be seen in the rapid climb of RansomHub followed by its swift departure. It is possible that RansomHub will return or rebrand, or that its affiliates will join other ransomware operations, further cross-pollinating the landscape. The double-extortion method will very likely remain the primary procedure across the ransomware threat landscape. It is likely that ransomware operators will increasingly partner with initial access brokers to gain initial access and use remote access markets, which are automated stores that allow threat actors to sell and exchange access credentials. These roles and markets play an essential part in the ransomware landscape, as they allow quick access to victim environments.

Ransomware groups have historically used phishing attacks to gain initial access to a victim's network and have used global events to lure victims into interacting with the email. Social engineering remains one of the top initial access vectors for threat actors, and it is likely that threat actors will continue to conduct social engineering attacks over the next 12 months. As uncertain times continue (regional conflicts, economic instability, etc.), ransomware groups will use these events to exploit the fear and curiosity of employees to lure victims. Over the last few years, file transfer products such as Progress' MOVEit and Fortra's GoAnywhere MFT were targeted by a wide range of threat actors, including ransomware groups. Optiv's gTIC assesses with high confidence that threat actors, including APTs and financially motivated threat actors, will continue targeting file transfer products to steal sensitive information and credentials and deploy malware over the next six months.
This was evidenced in Q1 2025 by the surge in Clop attacks that leveraged two zero-day vulnerabilities in the Cleo MFT software.

Appendix A: Assessments and Probability Statements

Throughout this report, Optiv's gTIC employed analytic assessments, comments, probability statements and estimative intelligence/forecasting to supplement the information reported. These comments also aim to define the probability and effects of potential adversary future operations (FUOPS). Due to the qualitative and subjective nature of intelligence and risk assessments, an explanation of the various statements and methodology is provided here.

Intelligence and Cyber Intelligence Frameworks

MITRE ATT&CK: The framework developed by the MITRE organization which illustrates technical, endpoint-based activity and behaviors of threats and adversaries. Activities and behaviors are organized into 14 tactics, which are further broken down into techniques. Procedures are the specific actions and behaviors used to achieve a technique, while techniques are the actions used to achieve the main tactics.
Optiv Threat Actor Metric™: The Optiv Threat Actor Metric™ was developed by Optiv's gTIC and is a multifaceted, qualitative approach to determining a cyber adversary's or campaign's potential threat to an organization or industry. The metric considers known and assessed non-technical capabilities and intentions and is scored out of a total possible 100. The purpose of this metric is to provide an added layer of depth to risk-based intelligence analysis and to support proactive and remediating recommendations by presenting a visualization of the non-technical, qualitative risk factors of adversaries and threat campaigns. It is similar in function to the U.S. Department of Defense's CARVER targeting scale.

5W+H: Information collected and analyzed is presented concisely using the reporting fundamentals of 5W+H where possible (who, what, where, when, why, how). Combining multiple components of 5W+H supports relevant and timely information that can be interpreted and effectively analyzed into intelligence to support operations.

Analytical Comments, Statements, and Best Practices

Words of Estimated Probability: The gTIC employs both probability statements for the likelihood of events or actions and confidence levels for analytic assessments and judgments. Probability statements and confidence statements are inherently subjective; however, the gTIC leverages professional experience and intelligence fundamentals to deliver reasonable and relevant statements and assessments.
Probability statements and the degree of likelihood of an assessed event/incident are modeled after the Intelligence Community Directive (ICD) 203: Analytic Standards, published by the United States' Office of the Director of National Intelligence (ODNI), and are as follows:

| Probability Term | Equivalent Term | Likelihood |
| --- | --- | --- |
| Almost No Chance | Remote | 01-05% |
| Very Unlikely | Highly Improbable | 05-20% |
| Unlikely | Improbable (Improbably) | 20-45% |
| Roughly Even Chance | Roughly Even Odds | 45-55% |
| Likely | Probable (Probably) | 55-80% |
| Very Likely | Highly Probable | 80-95% |
| Almost Certain(ly) | Nearly Certain | 95-99% |

Confidence statements, as defined by Optiv's gTIC, apply to the reliability and relevance of information reported and are as follows:

| Confidence Level | Optiv gTIC Definition | Factors | Quantitative Relevance |
| --- | --- | --- | --- |
| High Confidence | Information and/or intelligence is assessed to be of high reliability and value to drive operations and decisions | Established history, repeated observations and patterns, strong precedence to form professional assessment and prediction/extrapolation | 75%+ |
| Moderate Confidence | Information and/or intelligence is reasonable and warrants consideration, action or response where applicable | Sporadic observations, limited historical references (too recent or too long of a gap to be considered "established") | 45-65% (+/- 10%) |
| Low Confidence | Information and/or intelligence is unreliable or less relevant and is provided as situational awareness | Lack of established history or observations, unreliable or circumstantial evidence | 35% |

Per ICD 203 standards, confidence-level statements are not combined with the probability and degree-of-likelihood terms proposed in the above chart.
By: Emily Lee

Emily Lee is a former Military Intelligence Officer for the U.S. Army with experience in all-source intelligence, counterintelligence, and signals intelligence. Emily has served as a consultant and cyber threat intelligence analyst for Optiv's Global Threat Intelligence Center (gTIC) since 2021. She supports the incident response team and Optiv's clients by leveraging open-source intelligence (OSINT) collection and research and client threat data to provide situational awareness, manage risk and expectations, and support incident response and counteraction decisions.