03-11-2025, 08:05 PM
News Ransomware Attacks Set Records in February: Cyble
Ransomware attacks set a single-month record in February that was well above previous highs, according to a Cyble threat intelligence report.
The Cyble <a href="https://cyble.com/blog/february-sees-ransomware-attacks-new-data-shows/">report</a> measured the number of victims claimed by ransomware groups on their Tor-based data leak sites (DLS), which the groups use as part of their extortion tactics by “naming and shaming” victims and threatening to release data unless ransom demands are paid. While not all ransomware victims are listed on data leak sites, Cyble said it’s a useful indicator for analyzing ransomware trends.
The record <a href="https://cyble.com/knowledge-hub/what-is-ransomware/">ransomware</a> attacks seen in February 2025 were more than 50% higher than the previous record set two years ago, Cyble said.
<h2>CL0P Sends Ransomware Attacks to Record Highs</h2>
Cyble said the previous high for <a href="https://thecyberexpress.com/what-is-ransomware-how-it-work/">ransomware</a> attacks was set in May 2023, when 544 victims were claimed by ransomware groups.
February’s numbers would have eclipsed that record even without the CL0P ransomware group’s 267 victims, but with the CL0P victims, the total number of victims claimed by ransomware groups in February hit 821, far beyond previous highs (image below).
<img src="https://thecyberexpress.com/wp-content/uploads/Ransomware-attacks-by-month-2021-2025-300x182.png" alt="Ransomware victims by month" /> Ransomware victims by month 2021-2025 (Cyble)
CL0P has now claimed 386 victims from its exploitation of <a href="https://cyble.com/blog/it-vulnerability-report-cleo-windows-flaws-under-attack/">Cleo MFT vulnerabilities</a>, Cyble said. The high number of victim claims made CL0P the most active ransomware group for the month, followed by <a href="https://thecyberexpress.com/fbi-warns-of-ransomhub/">RansomHub</a> and <a href="https://thecyberexpress.com/tetra-technologies-cyberattack/">Akira</a> (chart below).
<img src="https://thecyberexpress.com/wp-content/uploads/Ransomware-attacks-by-group-February-2025-final-300x113.png" alt="Most active ransomware groups, February 2025" /> Most active ransomware groups, February 2025 (Cyble)
The U.S. far outpaced other nations in ransomware victims, with 10 times more victims than second-place Canada (chart below).
<img src="https://thecyberexpress.com/wp-content/uploads/Ransomware-attacks-by-country-February-2025-final-300x125.png" alt="Ransomware attacks by country, February 2025" /> Ransomware attacks by country, February 2025 (Cyble)
<h2>Are Record Ransomware Attacks the Start of a New Trend?</h2>
While February’s record ransomware victims were well above long-term trends, Cyble questioned whether that surge is the start of a new higher level of ransomware attacks. The <a href="https://cyble.com">threat intelligence company</a> looked at the major ransomware players for clues.
Looking at the last four years, LockBit has been well ahead of other ransomware groups, claiming more than 2,700 victims (chart below). However, LockBit has fallen off considerably in the last year after being hit by global <a href="https://thecyberexpress.com/lockbit-ransomware-digital-architect-arrested/">law enforcement actions</a> and is in the process of attempting a comeback with <a href="https://thecyberexpress.com/lockbit-ransomware-comeback-lockbit-4-0/">LockBit 4.0</a>.
<img src="https://thecyberexpress.com/wp-content/uploads/top-ransomware-groups-5-years-300x113.png" alt="Top ransomware groups 2021-2025" /> Top ransomware groups 2021-2025 (Cyble)
<a href="https://thecyberexpress.com/unicred-cyberattack-clop-ransomware-claims/">CL0P</a> came in a distant second with 901 claimed victims over that four-year period, with <a href="https://thecyberexpress.com/play-ransomware-attack/">Play</a>, RansomHub, <a href="https://thecyberexpress.com/putin-team-joins-list-conti-ransomware/">Conti</a> and Akira (608 victims) the next most active ransomware groups.
Six-year-old CL0P has largely focused on managed file transfer (MFT) vulnerabilities like Cleo and <a href="https://thecyberexpress.com/sec-progress-software-moveit/">MOVEit</a>, which has tended to make the group’s victims more clustered, with more than 40% of those victims (383) coming just in the last few months. With only 22 additional CL0P victims in the last year, “it would be reasonable to assume that CL0P victim totals will continue to fluctuate over time,” Cyble said.
But with RansomHub, Akira, Play and <a href="https://thecyberexpress.com/critical-veeam-vulnerability-2/">FOG</a> also increasing ransomware activity in recent months, “it’s possible that we’ve entered a higher range of claimed victims by ransomware groups,” the report noted.
Cyble said organizations should focus on measures that improve cyber resilience and limit <a href="https://thecyberexpress.com/what-is-lateral-movement-in-cyber-security/">lateral movement</a>, such as patching web-facing vulnerabilities, training employees to recognize phishing attempts, and implementing zero trust, network segmentation and monitoring, and ransomware-resistant backups.
https://thecyberexpress.com/record-ransomware-attacks/