Global ransomware attacks are back up after a notable first quarter of the year that saw a decline in detections.
Cyber security researchers have observed a 21.1% increase in ransomware attacks compared to Q1 2022 driven by huge increases in activity from three of the more prolific active operations.
The AlphV group ramped up activity by 117.9% during Q2 of this year, including a recent hack on Bandai Namco, while Palermo hackers Vice Society also claimed more victims, representing a 100% increase, Digital Shadows said in a report.
LockBit was the most active operation, accounting for 32.77% of all successful ransomware attacks during the quarter, though its activity only represented a 13.8% increase from its Q1 activity.
These ransomware operations accounted for a sizeable proportion of the total confirmed attacks, the researchers said, after some operations notably closed during the same period, such as Conti in May, the activity of which dropped 37.4% against its Q1 figures.
The same researcher previously revealed that ransomware attacks dropped significantly, by 25% during Q1 2022 - a notable discovery given that ransomware activity rarely ever drops.
When analysing how many attacks were claimed, researchers determined their figures by using each known ransomware operation’s leak sites. Digital Shadows said LockBit claimed 231 victims out of the quarter's total of 705, setting a record for the most number of victims in one quarter.
LockBit attracted attention for more than just the number of successful attacks this year. It also released the third iteration of its ransomware program, LockBit 3.0, earlier this month and researchers said its code appeared to be very similar to that of now-shuttered BlackMatter’s - the group that succeeded Colonial Pipeline hackers DarkSide.
At the same time, it also announced the first-known bug bounty hosted by a ransomware operation. The group invited any security experts to find flaws in its payload, offering a maximum reward of $1 million.
LockBit was also at the centre of a successful PR stunt in June after claiming to have successfully attacked cyber security company Mandiant.
It followed US-sanctioned Evil Corp allegedly beginning to use LockBit’s ransomware program in attacks earlier this year. This was significant because it showed Evil Corp attempting to evade US sanctions by using another ransomware from a different operation.
RELATED RESOURCE
By sanctioning Evil Corp, the US effectively banned any US company from conducting business with the group, and it also meant that outside cyber security experts could not legally facilitate a ransom payment between the victim and Evil Corp.
If Evil Corp was using LockBit, it could threaten the LockBit operation's ability to generate payments through ransoms, being associated with a sanctioned entity.
The PR stunt that involved the apparent hack on one of the world’s largest cyber security companies was designed to attract attention to LockBit.
When the group’s timer ran down, usually signalling the time at which it would leak a victim's data as part of its double extortion model, instead of Mandiant’s data, LockBit released miscellaneous files along with a note explaining it was not affiliated with Evil Corp.
The US still a prime target
Organisations in the US were still the most targeted this quarter, according to the researchers. More than 270 US organisations were attacked in Q2 compared to fewer than 60 in Germany, the next most-targeted nation.
Researchers said the US will likely remain among the most-targeted nations as it is seen as the most profitable nation for cyber criminal outfits.
Most countries saw an increase in attacks on their organisations, according to the report. The UK was the third most-targeted nation with successful attacks up 16.2%, though Germany and Canada saw the biggest increases with a rise of 66.7% and 50% respectively.
Researchers said they expect to see Q3 and Q4’s figures increase steadily compared to Q2, but not dramatically so.
-
Westcon-Comstor and Vectra AI launch brace of new channel initiativesNews Westcon-Comstor and Vectra AI have announced the launch of two new channel growth initiatives focused on the managed security service provider (MSSP) space and AWS Marketplace.
-
Third time lucky? Microsoft finally begins roll-out of controversial Recall featureNews The Windows Recall feature has been plagued by setbacks and backlash from security professionals
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackersNews Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
-
Healthcare systems are rife with exploits — and ransomware gangs have noticedNews Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
-
Alleged LockBit developer extradited to the USNews A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
-
February was the worst month on record for ransomware attacks – and one threat group had a field dayNews February 2025 was the worst month on record for the number of ransomware attacks, according to new research from Bitdefender.
-
CISA issues warning over Medusa ransomware after 300 victims from critical sectors impactedNews The Medusa ransomware as a Service operation compromised twice as many organizations at the start of 2025 compared to 2024
-
Warning issued over prolific 'Ghost' ransomware groupNews The Ghost ransomware group is known to act fast and exploit vulnerabilities in public-facing appliances
-
The Zservers takedown is another big win for law enforcementNews LockBit has been dealt another blow by law enforcement after Dutch police took 127 of its servers offline
-
There’s a new ransomware player on the scene: the ‘BlackLock’ group has become one of the most prolific operators in the cyber crime industry – and researchers warn it’s only going to get worse for potential victimsNews Security experts have warned the BlackLock group could become the most active ransomware operator in 2025
