
In 2025, the Ransomware-as-a-Service (RaaS) landscape has evolved into a highly professionalized criminal enterprise ecosystem, with several dominant groups executing devastating attacks against major global organizations. These sophisticated threat actors have demonstrated remarkable adaptability, technical expertise, and an ability to exploit vulnerabilities at scale.
This report examines five of the most active and impactful ransomware groups operating in 2025, based on verified incidents and confirmed breaches.
1. RansomHub: Rise and Fall of a Dominant Player
RansomHub emerged in early 2024 as one of the most formidable ransomware operations, quickly establishing itself by recruiting experienced affiliates from previously disrupted groups, including LockBit and ALPHV/BlackCat. This strategy of absorbing talent from defunct operations allowed RansomHub to scale its capabilities and expand its victim portfolio rapidly.
Operational Success and Dominance
During the first quarter of 2025 (January through March), Unit 42 research identified RansomHub as the most prolific ransomware group by victim count. This period represented the peak of the group's operational effectiveness, during which it executed numerous high-profile attacks against enterprise targets across multiple sectors.
Confirmed Major Breach: American Standard
On January 22, 2025, RansomHub claimed responsibility for breaching American Standard, a major kitchen and bathroom manufacturer, alleging the theft of approximately 400 GB of sensitive data. This attack exemplified the group's preference for big game hunting—targeting large, well-established corporations with significant resources and valuable data assets.
The group's modus operandi centered on a double-extortion model, involving:
- Encryption of victim systems to disrupt operations
- Exfiltration of sensitive data before encryption, with publication on a leak site threatened to add leverage to the ransom demand
This dual-threat approach amplified pressure on victims by combining operational disruption with regulatory and reputational risk, and it meant that restoring from backups alone did not resolve the incident.
Unexpected Shutdown
Despite its dominant position, RansomHub abruptly ceased operations in April 2025. Its infrastructure went offline, and affiliates reportedly migrated to the DragonForce ransomware group. This sudden collapse highlights the volatility of the ransomware ecosystem, where law enforcement actions, internal disputes, or strategic shifts can rapidly reshape the threat landscape.
2. Qilin (Agenda / Stinkbug): The New Dominant Force
Following RansomHub’s demise, Qilin—also known as Agenda or Stinkbug—emerged as the most prolific ransomware operator of 2025. This Russian-linked group demonstrated extraordinary operational tempo and effectiveness throughout the year.
Record-Breaking Activity
By October 2025, Qilin had claimed approximately 700 victims, surpassing RansomHub's total of 547 claimed victims for all of 2024. This unprecedented activity reflected an extensive affiliate network, mature infrastructure, and efficient victim targeting at scale.
Major Breach: Synnovis and NHS Disruption
One of Qilin's most devastating attacks, carried out in June 2024 but with consequences that were still being confirmed in 2025, targeted Synnovis, a pathology services provider working with the UK's National Health Service.
- Attack date: June 2024
- Ransom demand: $50 million
- Data exfiltrated: 400 GB
- Affected records: 300 million patient interactions
The breach caused severe disruption to healthcare delivery across London hospitals. By June 2025, it was confirmed that the attack contributed to the death of one patient, underscoring the life-threatening consequences of ransomware attacks on critical healthcare infrastructure.
Asahi Group Holdings Attack
On September 29, 2025, Qilin claimed responsibility for a cyberattack against Japan’s Asahi Group Holdings. The incident forced the shutdown of multiple production facilities and significantly disrupted operations.
Tactical Approach
Qilin's success is driven by its focus on exploiting unpatched vulnerabilities in widely deployed, internet-facing enterprise products, particularly Fortinet security appliances. Because these edge devices sit at the network boundary and are often excluded from routine patch cycles, a single unpatched appliance can provide direct initial access. This strategy highlights how failures in basic security hygiene can lead to catastrophic breaches.
3. Akira: Persistent Multi-Platform Threat
First appearing in 2023, Akira established itself as a major ransomware threat through 2025, with notable expertise in targeting:
- Windows systems
- Linux environments
- VMware ESXi infrastructure
Financial Impact and Scale
According to an FBI analysis released in April 2024, Akira had already collected approximately $42 million in ransom payments from attacks on more than 250 organizations.
Confirmed 2025 Breach: Hitachi Vantara
On April 26, 2025, Akira successfully attacked Hitachi Vantara, a subsidiary of Hitachi specializing in data storage and infrastructure solutions. The attack forced critical servers offline and caused significant disruption to data storage and infrastructure systems.
This breach raised serious concerns regarding:
- Supply chain security
- Client data protection
- Enterprise infrastructure resilience
Operational Characteristics
Akira operates a distinctive retro-themed leak site where stolen data is published if victims refuse to pay. The group primarily targets high-value organizations in manufacturing, technology, and IP-intensive sectors.
- Ransom demands: $200,000 to over $4 million
- Pricing strategy: Calibrated to victim size and ability to pay
4. Clop (Cl0p): Zero-Day Exploitation Specialists
Active since 2019, Clop has become synonymous with large-scale exploitation of zero-day vulnerabilities in widely deployed enterprise software, particularly file transfer and business management platforms.
Oracle E-Business Suite Campaign
Beginning in late September 2025, Clop launched a mass extortion campaign exploiting CVE-2025-61882, a zero-day vulnerability in Oracle E-Business Suite. Evidence suggests exploitation began as early as August 9, 2025.
This campaign demonstrated Clop’s ability to:
- Identify zero-day vulnerabilities
- Weaponize them before patch availability
- Maximize exploitation windows
Confirmed Victims: GlobalLogic
GlobalLogic confirmed that nearly 10,500 current and former employees had personal data exposed, including:
- Names
- Social Security numbers
- Passport numbers
- Bank account details
This exposure created significant identity theft and fraud risks.
The Washington Post Breach
On October 27, 2025, The Washington Post confirmed that data belonging to 9,720 individuals was stolen, including names, bank account numbers, and Social Security numbers. This incident illustrated the campaign’s wide-reaching, cross-industry impact.
Strategic Approach
Clop prioritizes mass data exfiltration over system encryption, using stolen data as leverage for extortion. Because nothing is encrypted, victims often do not notice the intrusion until the extortion demand arrives, and the group sustains pressure while avoiding the operational outages that draw immediate attention and law enforcement response.
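Both the RansomHub double-extortion model and Clop's exfiltration-only campaign depend on moving large volumes of data out of the victim network, so the detection opportunity in both cases is anomalous outbound volume rather than encryption activity. The following script is an added example and is not code from the page or from any vendor or threat-actor tooling: it flags hosts whose daily egress is both above an absolute floor and far above their own recent baseline, and reports how much of that traffic went to destinations the host had never contacted before. The flow records, host names, IP addresses and thresholds are all constructed for illustration.

```python
from collections import defaultdict
from statistics import mean

# Constructed daily egress records: (day, source host, destination IP, bytes out).
# Days 1-3 form the per-host baseline; "day4" is the day under review.
FLOWS = [
    ("day1", "ebs-app-01", "203.0.113.10", 150_000_000),
    ("day2", "ebs-app-01", "203.0.113.10", 140_000_000),
    ("day3", "ebs-app-01", "203.0.113.10", 160_000_000),
    # day4: ~40 GB pushed to a destination this host has never talked to before
    ("day4", "ebs-app-01", "203.0.113.10", 150_000_000),
    ("day4", "ebs-app-01", "198.51.100.77", 40_000_000_000),
    # Backup server: large every day, so large today is normal for it
    ("day1", "backup-02", "203.0.113.20", 20_000_000_000),
    ("day2", "backup-02", "203.0.113.20", 21_000_000_000),
    ("day3", "backup-02", "203.0.113.20", 19_000_000_000),
    ("day4", "backup-02", "203.0.113.20", 22_000_000_000),
    # Workstation: new destination and 8x baseline, but below the absolute floor
    ("day1", "wks-17", "203.0.113.30", 50_000_000),
    ("day2", "wks-17", "203.0.113.30", 55_000_000),
    ("day3", "wks-17", "203.0.113.30", 45_000_000),
    ("day4", "wks-17", "203.0.113.40", 400_000_000),
]


def summarize(flows, review_day):
    """Split flows into per-host baseline totals, baseline destinations, and
    review-day bytes per destination."""
    daily = defaultdict(lambda: defaultdict(int))    # host -> day -> bytes (baseline only)
    base_dsts = defaultdict(set)                      # host -> destinations seen in baseline
    review = defaultdict(lambda: defaultdict(int))   # host -> dst -> bytes on review day
    for day, host, dst, nbytes in flows:
        if day == review_day:
            review[host][dst] += nbytes
        else:
            daily[host][day] += nbytes
            base_dsts[host].add(dst)
    return daily, base_dsts, review


def find_exfil_candidates(flows, review_day, min_bytes=1_000_000_000, ratio=5.0):
    """Return {host: finding} for hosts whose review-day egress exceeds both an
    absolute floor (min_bytes) and `ratio` times their own baseline mean.
    A host with no baseline at all is flagged on the floor alone, since a
    brand-new high-volume sender deserves a look rather than a silent skip."""
    daily, base_dsts, review = summarize(flows, review_day)
    findings = {}
    for host, per_dst in review.items():
        total = sum(per_dst.values())
        if total < min_bytes:
            continue
        history = list(daily[host].values())
        base = mean(history) if history else None
        if base is not None and total < ratio * base:
            continue
        new_dsts = sorted(d for d in per_dst if d not in base_dsts[host])
        new_dst_bytes = sum(per_dst[d] for d in new_dsts)
        findings[host] = {
            "review_bytes": total,
            "baseline_mean": base,
            "ratio": round(total / base, 1) if base else None,
            "new_destination_share": round(new_dst_bytes / total, 3),
            "new_destinations": new_dsts,
        }
    return findings


if __name__ == "__main__":
    for host, finding in find_exfil_candidates(FLOWS, "day4").items():
        print(host, finding)
```

The two-part test matters: the ratio alone would flag the workstation (8x its baseline) and the floor alone would flag the backup server (22 GB), but only the application server trips both, and the new-destination share of 99.6% is what turns a volume alert into an exfiltration lead worth pulling full flow records for. In production the baseline window should be longer than three days and destination novelty should be judged against an allowlist of sanctioned cloud and backup endpoints.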
5. Play: Consistent Global Threat
First observed in 2022, Play has maintained a consistent presence as a global ransomware threat throughout 2025, targeting organizations across critical infrastructure and multiple industry sectors.
Scale of Operations
In a 2025 advisory, the FBI stated that Play had attacked more than 900 organizations since its emergence. This sustained activity highlights the group’s resilience and adaptability despite increased defensive measures.
Confirmed 2025 Breach: Dairy Farmers of America
In June 2025, Play successfully attacked Dairy Farmers of America, one of the largest dairy cooperatives in the United States.
- Affected individuals: 4,546
- Exposed data:
  - Social Security numbers
  - Bank account details
  - Medicare and Medicaid identification numbers
This breach underscored the vulnerability of critical food supply chains and the potential national security implications of ransomware attacks.
Technical Capabilities
Play employs:
- Custom encryption implementations
- Double-extortion tactics
Initial access is typically achieved through:
- Compromised VPN credentials, used to log in as a legitimate user
- Abuse of externally exposed Remote Desktop Protocol (RDP) services
Both routes turn on valid or guessable credentials rather than on malware, which is why they rarely trigger endpoint alerts. This reinforces the importance of securing remote access infrastructure: multi-factor authentication on every VPN and RDP entry point, no RDP reachable directly from the internet, and monitoring of authentication logs for spraying and for successful logons that follow a burst of failures.
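As an added example of the log monitoring just described (this is not code from the page or from any vendor), the script below runs two checks over normalized remote-access authentication events: a password-spray check (many distinct usernames failing from one source address inside a sliding window) and a "success after failures" check (a successful logon from an address that accumulated a burst of failures in the same window). The event records are constructed: the `rdp` rows stand in for Windows Security events 4624/4625 with logon type 10, and the `vpn` rows for a VPN concentrator's authentication log; field names, usernames, IP addresses and thresholds are all assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalized auth events: (timestamp UTC, source, result, user, src_ip).
SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]
EVENTS = [
    # RDP: one address cycles through eight accounts, then lands on a service account
    *[(f"2025-06-01T02:{i:02d}:05", "rdp", "fail", u, "198.51.100.9")
      for i, u in enumerate(SPRAY_USERS)],
    ("2025-06-01T02:08:30", "rdp", "success", "svc-backup", "198.51.100.9"),
    # VPN: a spray with no success (still worth an alert)
    *[(f"2025-06-01T03:{10 + i}:00", "vpn", "fail", u, "203.0.113.50")
      for i, u in enumerate(["ivan", "judy", "mallory", "niaj", "olivia", "peggy"])],
    # Benign: one user mistypes a password twice, then succeeds
    ("2025-06-01T09:00:00", "rdp", "fail", "dave", "192.0.2.8"),
    ("2025-06-01T09:00:20", "rdp", "fail", "dave", "192.0.2.8"),
    ("2025-06-01T09:00:40", "rdp", "success", "dave", "192.0.2.8"),
    # The sprayer's address logs in hours later; the earlier failures have aged out
    ("2025-06-01T14:00:00", "rdp", "success", "alice", "198.51.100.9"),
]


def detect_remote_access_abuse(events, window=timedelta(minutes=10),
                               spray_users=5, fails_before_success=5):
    """Return (sprays, suspicious_successes).

    sprays: {(source, src_ip): max distinct users that failed inside one window}
    suspicious_successes: successful logons preceded by >= fails_before_success
    failures from the same (source, src_ip) within the window.
    """
    events = sorted(events, key=lambda e: e[0])       # ISO-8601 sorts lexically
    recent_fails = defaultdict(list)                  # (source, ip) -> [(time, user)]
    sprays = {}
    suspicious = []
    for ts, source, result, user, ip in events:
        t = datetime.fromisoformat(ts)
        key = (source, ip)
        # Slide the window: keep only failures that are still recent
        recent_fails[key] = [(ft, fu) for ft, fu in recent_fails[key] if t - ft <= window]
        if result == "fail":
            recent_fails[key].append((t, user))
            distinct = {fu for _, fu in recent_fails[key]}
            if len(distinct) >= spray_users:
                sprays[key] = max(sprays.get(key, 0), len(distinct))
        elif result == "success" and len(recent_fails[key]) >= fails_before_success:
            suspicious.append({
                "source": source, "src_ip": ip, "user": user, "time": ts,
                "prior_failures": len(recent_fails[key]),
                "failed_users": sorted({fu for _, fu in recent_fails[key]}),
            })
    return sprays, suspicious


if __name__ == "__main__":
    sprays, hits = detect_remote_access_abuse(EVENTS)
    for key, n in sprays.items():
        print("password spray:", key, "distinct users:", n)
    for hit in hits:
        print("success after failures:", hit)
```

The "success after failures" finding is the higher-fidelity one: a spray that lands on `svc-backup` from the same address that just failed eight other accounts is exactly the valid-account initial access the section describes, and the service account is the first thing to disable. The window is what keeps the benign cases quiet: the user who mistypes twice never reaches the threshold, and the later logon from the sprayer's address is not flagged because its failures aged out, which is a deliberate trade-off that a longer window or a per-address reputation list would change.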
Conclusion
The 2025 ransomware landscape illustrates the continued evolution and professionalization of cybercriminal operations. The collapse of dominant players like RansomHub did not weaken the ecosystem; instead, groups such as Qilin rapidly filled the void.
Confirmed breaches affecting organizations such as American Standard, Synnovis, Hitachi Vantara, GlobalLogic, and Dairy Farmers of America demonstrate that no sector or organization size is immune. The confirmed patient death linked to the Synnovis attack highlights that ransomware is not merely a financial or technical issue, but a critical public safety concern requiring sustained attention from organizations, governments, and law enforcement worldwide.
