Top Ransomware Groups June 2025: Qilin Reclaims Top Spot
Summary:
June 2025 saw Qilin emerge as the dominant ransomware group, reclaiming the top victim count for the second time in three months with 86 reported victims, a significant lead over its rivals. This resurgence is largely attributed to the disruption of RansomHub, which went offline in early April due to suspected sabotage by DragonForce. Qilin, believed to have Russian ties because of its communications and its avoidance of CIS targets, operates a sophisticated RaaS model, attracting affiliates with offerings like legal guidance and advanced technical services. Its targeting in June was notable for the variety of industries attacked, hitting high-value sectors such as telecom, blockchain, healthcare, and transportation, with a strong focus on U.S.-based organizations, particularly within the financial sector, a divergence from typical ransomware group methodology. Qilin’s victims this month include a higher percentage of financial sector targets than those of its rival ransomware gangs.
While overall ransomware victim numbers for June are preliminary at 377, they suggest a potential stabilization after the decline that followed February’s record attack numbers.
The month also witnessed new developments, including the pro-Russian hacktivist group CyberVolk launching a new ransomware payload on June 26th, the RALord group rebranding to Nova and actively recruiting affiliates for its RaaS, the Chaos RaaS operation seeking affiliates with a multi-platform locker, and the newly identified Kawa4096 group mimicking Akira's leak site. Additionally, the notorious Scattered Spider group appears to have shifted its focus from retail to U.S. insurers and potentially airlines.
Security Officer Comments:
The ransomware landscape in June 2025 shows the power vacuum left by RansomHub stabilizing, with Qilin aggressively leveraging that group's demise to consolidate its position as one of the most prominent RaaS groups. Its substantial victim count, together with its sophisticated and comprehensive affiliate offerings, including the seemingly unique provision of legal guidance to affiliates, indicates a highly polished and adaptable operation. The diversification of its targeting, particularly the increased focus on the financial sector beyond the usual construction, professional services, healthcare, and manufacturing, suggests a strategic pivot to maximize profit and exploit a broader range of vulnerabilities in fintech.
Additionally, the continuous emergence or rebranding of RaaS operations like Nova (RALord), Chaos, and Kawa4096 underscores the dynamic and resilient nature of the ransomware ecosystem, which is sustained by its clear profitability. The adoption of new tactics, such as hacktivist groups incorporating ransomware into their operations (CyberVolk), and the rebranding of existing groups to escape scrutiny or come back with improved offerings are concerning trends. The shift by a group as established as Scattered Spider towards critical sectors like insurance and aviation further emphasizes the escalating and evolving threat, as operational disruption in these sectors is expensive. Organizations must recognize that the "resourcefulness" of these groups underscores the importance of a dynamic and modular security posture. The observed stabilization in overall victim numbers should not be misinterpreted as a decline in threat volume; it is rather a recalibration as new players vie for dominance in the cybercriminal community and refine their tactics.
Suggested Corrections:
Developing cyber resilience is critical. Best practices include segmentation of critical assets; zero trust principles; immutable backups; hardened endpoints and infrastructure; a risk-based vulnerability management program; endpoint, network, and cloud monitoring; and a well-rehearsed incident response plan.
Link(s):
https://cyble.com/blog/top-ransomware-groups-june-2025-qilin-top-spot/