Ransomware Attacks Plunge Nearly 50% in Q2 2025 – But the Threat Landscape Shifts Sharply

As the digital world braces against relentless cyber threats, the second quarter of 2025 brings surprising news: ransomware attacks have fallen by almost half compared to the first quarter. Yet beneath this welcome decline lies a complex and evolving threat landscape that experts warn demands heightened vigilance. From changing attacker tactics to geopolitical cyber warfare, the ransomware battleground is far from settled.

Global Ransomware Attacks See Sharp Decline in Q2 2025

Despite a record-breaking surge in ransomware incidents early in 2025, June marked the fourth consecutive month of declining global ransomware attacks, dropping 6% to 371 cases. Overall, Q2 witnessed a staggering 43% reduction from Q1. This decline is attributed in part to seasonal factors such as Easter and Ramadan slowing attacker activity, combined with intensified law enforcement efforts disrupting major ransomware operators.

Industrials remain the prime target, accounting for 27% of attacks in June and nearly a third of all Q2 incidents. The Consumer Discretionary sector, including retail, saw a significant dip in attacks from 102 in May to 76 in June, linked to the cooling off of notorious ransomware group Scattered Spider following high-profile retail breaches earlier in the year.

Healthcare attacks nearly doubled from May’s 22 to 42 in June, marking it as an emerging sector under siege. Information Technology also saw a considerable number of hits, ranking fourth with 33 attacks in June.

Among ransomware groups, Qilin surged to dominance, responsible for 16% of attacks in June and showing explosive growth through Q2. Qilin’s innovation in offering legal assistance to affiliates to navigate law enforcement risks signals an alarming trend: ransomware operations are adopting more sophisticated, business-like structures. Other groups like Akira and Play maintained significant presence, while SafePay’s suspected rebranding did not prevent its decline in activity.

Regionally, North America bore the brunt of ransomware attacks, suffering over half (58%) of all incidents in June and 52% across Q2. Europe experienced a modest 8% decrease and accounted for 21% of attacks, while Asia and South America accounted for 12% and 4%, respectively.

In a worrying development, ransomware has increasingly become a weapon in geopolitical conflicts. The pro-Palestine Handala group launched ransomware attacks on Israeli organizations amid the Iran-Israel war escalation, underlining ransomware’s growing role in cyber warfare.

Governments are taking note. The UK’s June launch of its Industrial Strategy emphasized cybersecurity’s critical role in national defense, highlighting the expanding intersection of ransomware and international security.

Matt Hull, NCC Group’s Global Head of Threat Intelligence, warns that despite fewer attacks, the threat isn’t diminishing. Law enforcement successes and ransomware source code leaks might suppress volume temporarily, but attackers are evolving with new tactics like social engineering and rebranding. Hull stresses the urgency for organizations and nations to invest heavily in cyber defenses to keep pace with increasingly agile cybercriminals.

What Undercode Say:

The sharp decline in ransomware attacks during Q2 2025 offers a breath of relief, but it’s far from a signal that the ransomware crisis is over. The seasonal dips and law enforcement crackdowns reflect temporary setbacks for attackers rather than an eradication of the threat. What’s more concerning is how the ransomware ecosystem is adapting, becoming more sophisticated and business-savvy, as exemplified by Qilin’s legal support for affiliates, which transforms ransomware from crude extortion to a semi-legitimate service industry.

This evolution signals a dangerous maturation of cybercrime, where affiliates are better equipped to evade law enforcement, prolonging the threat. Attackers increasingly rely on social engineering, indicating a shift from purely technical exploits to psychological manipulation: phishing, spear phishing, and business email compromise attacks that prey on human error.

The sectoral analysis reveals a critical insight: Industrials remain the prime target, likely due to their complex, interconnected operations and potentially outdated cybersecurity infrastructures. Healthcare’s rising attacks echo the sector’s vulnerability, as hospitals and health services carry sensitive data and can ill afford downtime, making them lucrative ransomware victims.

The geopolitical use of ransomware by groups like Handala also adds a new dimension of risk, where cybercrime intersects with global conflicts. Cyber warfare raises stakes, as attacks serve both financial and political motives, blurring lines between criminality and state-sponsored activity.

From a regional perspective, North America’s dominance in attack volume shows that despite advanced cybersecurity measures, its vast digital economy remains highly vulnerable. Europe’s moderate drop suggests differing regional resilience or law enforcement impact, while Asia and South America, though lower in volume, cannot be overlooked given their growing digital footprints.

Governments worldwide will likely intensify cyber defense strategies, possibly inspired by the UK’s Industrial Strategy emphasizing cybersecurity as a national security pillar. Organizations must heed Matt Hull’s warning: complacency is dangerous. Investment in intelligence-led, adaptive cybersecurity defenses, continuous staff training, and proactive threat hunting will be critical to outmaneuver increasingly clever ransomware actors.

In summary, while ransomware numbers fell, the quality and danger of attacks are rising. The cybercriminal landscape is evolving into a sophisticated ecosystem that demands an equally advanced and dynamic defense approach.

🔍 Fact Checker Results:

✅ The reported 43% decline in ransomware attacks from Q1 to Q2 is corroborated by multiple cybersecurity intelligence reports.
✅ Qilin’s rise and its legal assistance strategy are documented in ransomware-as-a-service analyses.
❌ No evidence found of Handala group targeting Israeli organizations outside the documented June period, indicating possible limited scope of those claims.

📊 Prediction:

Ransomware attacks will likely rebound in Q3 as disrupted groups regroup and leverage more sophisticated social engineering tactics. We can expect increased collaboration between traditional ransomware actors and social engineering experts, leading to multi-layered attacks that blend technical exploits with psychological manipulation.

Geopolitical cyber warfare will intensify, with ransomware used more frequently for political messaging and retaliation. Governments will escalate cyber defense spending and international cooperation, but cybercriminal networks will continue evolving rapidly, challenging defenders to stay one step ahead.

Industrials and healthcare sectors will remain prime targets due to their critical infrastructures and sensitive data. North America will continue facing the highest attack volumes, but emerging markets in Asia and South America may see rising activity as digital transformation accelerates.

Organizations that fail to invest in intelligence-led, adaptive cybersecurity frameworks risk becoming prime victims in the next wave of ransomware escalation.


References:

Reported By: www.darkreading.com