Ransomware reaches new heights: Inside the record-breaking surge of Q1 2025 – CRN


The first quarter of 2025 has rewritten the rulebook on ransomware — and not in a good way.
A staggering 2,289 ransomware victims were publicly named between January and March, marking a 126% year-over-year increase and setting a chilling new record for cyber extortion. Analysts warn that these numbers may only scratch the surface.
“The sheer scale of public victim disclosures in Q1 is unprecedented,” says a cybersecurity expert from Check Point Research. “Even when adjusted for potential exaggeration or recycled data, the volume suggests a profound escalation in both scope and frequency.”
At the center of this spike is Cl0p, the most prolific ransomware actor of the quarter. Cl0p alone accounted for 392 named victims, largely driven by its exploitation of zero-day vulnerabilities in Cleo's managed file transfer products — Harmony, VLTrader, and LexiCom. These encryption-less attacks, focused purely on data exfiltration, allowed Cl0p to skip complex malware deployment altogether, striking fast and deep across supply chains.
North America was hit hardest: 83% of Cl0p’s victims were based in the U.S. and Canada. The group zeroed in on industries like Consumer Goods & Services (33% of its victims) and Transportation & Logistics (12%), a distribution that closely aligns with Cleo’s customer base. These attacks reveal a strategic targeting pattern — one where software dependencies become liabilities.
But Cl0p isn’t the only threat actor adapting rapidly. Following the takedown of LockBit in early 2024, new groups like RansomHub have rushed to fill the power vacuum. RansomHub publicly named 228 victims in Q1, propelled by an aggressive affiliate model and revenue-sharing approach. Its rise is emblematic of a fragmented but thriving Ransomware-as-a-Service (RaaS) market.
Adding to the chaos are groups like Babuk-Bjorka and FunkSec, which have muddied the waters by fabricating victim claims. Initially a fringe tactic, these deceptive disclosures have now gone mainstream, making it increasingly difficult to distinguish real incidents from digital smoke and mirrors. Babuk-Bjorka, for instance, claimed 167 victims — but many were found to be duplicates or recycled data from older attacks. FunkSec’s emergence in late 2024 brought another layer of complexity. Allegedly leveraging AI-generated malware, FunkSec has blurred the lines between criminal activity and hacktivism, making motives murky and attribution harder than ever.
“In 2025, the ransomware ecosystem isn’t just growing — it’s splintering,” notes a threat intelligence analyst. “We’re seeing a surge of new entrants, each with their own tools, tactics, and often questionable credibility.”
Groups like VanHelsing, launched in March 2025, exemplify this trend. With a slick affiliate platform, low entry barriers ($5,000), and a promise of 80/20 profit splits, VanHelsing represents a new breed of ransomware operators marketing to attackers of all skill levels. In just two weeks, it claimed three confirmed victims with ransom demands of up to $500,000.
Meanwhile, law enforcement continues its global crackdown. In a major coordinated action, four Russian nationals were arrested in connection with 8Base, another major ransomware actor of 2024. Still, enforcement struggles to keep pace with the evolving threat landscape, where data extortion is replacing traditional encryption-based attacks.
As ransomware actors move away from encryption, victims are now often blindsided by data leak site disclosures — sometimes before they even realize they’ve been breached. This model allows attackers to claim success without ever locking a file, and in some cases, without even targeting the company in question.
That shift has introduced new risks, distortions, and ethical dilemmas. With recycled claims and AI-driven malware on the rise, measuring the true scale of ransomware has become a moving target. Chainalysis reports a 35% drop in actual crypto payments to ransomware actors — evidence that many “attacks” may be more theater than threat.
Still, the numbers don’t lie: Q1 2025 marks the most active quarter for ransomware ever recorded.
And if current trends continue, it may soon be remembered not as a peak — but as a warning.