Qilin continues to stake a claim as the top ransomware group in the wake of the decline of RansomHub earlier this year.
In July, Qilin led all ransomware groups in claimed victims for the third time in the four months since RansomHub went offline in a possible compromise by rival DragonForce, according to a Cyble blog post published this week.
Qilin’s 73 victims in July accounted for 17% of the month’s total of 423 victims, while INC Ransom was second with 59, boosted by critical infrastructure attacks and an increase in victim disclosures, Cyble said. SafePay, Akira and Play rounded out the top five ransomware groups for the month.
Qilin Leads as Ransomware Attacks Rise
July’s total was the third consecutive monthly increase in ransomware victims, Cyble said, following a three month decline from February’s record ransomware attacks (image below).
Cyble noted that while ransomware victims in recent months have been half of February’s record, the long-term uptrend for ransomware attacks remains intact, as 2025’s lowest month (402 attacks in May) remains well above the lows of 2023 (161 in January 2023) and 2024 (243 in January 2024).
The U.S. remains by far the most attacked country with 223 victims, eight times greater than second-place Canada (chart below).
Critical Infrastructure, Supply Chain Targeted by Ransomware
Cyble noted that there were 25 possible critical infrastructure ransomware incidents in July, and an additional 20 incidents targeted the software supply chain, highlighting the seriousness of many of the attacks. The blog post detailed eight of the more significant incidents during the month, in addition to technical details on attacks, emerging ransomware groups and new ransomware variants.
Professional Services, Construction, Manufacturing, Healthcare and IT were the five most attacked sectors, accounting for nearly half of all ransomware attacks during July.
Among the vulnerabilities apparently exploited by ransomware groups were CVE‑2025‑5777, a Citrix NetScaler ADC and Gateway Out-of-Bounds Read vulnerability, and four Microsoft SharePoint vulnerabilities (CVE-2025-53770, CVE-2025-53771, CVE‑2025‑49704 and CVE‑2025‑49706), among others.
Nearly 40 new ransomware variants were identified in July, in addition to several new threat groups.
Emerging ransomware groups identified in the Cyble blog included the BEAST Ransomware Group, D4RK4RMY, Payouts King, Sinobi, AiLock ransomware, and KaWaLocker ransomware.
New ransomware variants included DeadLock, Crux, and a powerful new Linux ransomware variant from the Gunra ransomware group.
“With the finances and motivation to support ongoing research and development, ransomware groups can be counted on to continually evolve, and security teams must prepare for these evolving threats,” Cyble concluded.
