
Ransomware Activity Report from 10th August - 16 August 2025

Author: Reinvent Security

Posted: August 22, 2025 • 4 min Read

Between 3rd and 9th of August, 2025, our threat intelligence monitoring recorded 126 confirmed ransomware attacks, indicating continued high activity consistent with July's attacks. Activity was heavily concentrated in the United States, with notable impacts across the UK, Germany, and Japan. The week was dominated by the Pear and Qilin ransomware groups, followed by Blacknevas, Play, and D4rk4rmy. The Manufacturing and Business Services sectors remain primary targets, reaffirming their attractiveness due to operational criticality and potential for extortion.

RANSOMWARE THREAT LANDSCAPE OVERVIEW

During the reporting period, Akira (31 victims) and Qilin (25 victims) together were responsible for nearly half of all reported cases. While other players such as Sinobi (10), Play (8), and Everest (5) remained active, the dominance of Akira and Qilin indicates a consolidation of operational capability.

Manufacturing remained the hardest-hit sector, though incidents reduced slightly compared to the previous week. Business Services again recorded 18 victims while other industries saw reduced numbers of attacks, highlighting adversaries' continued focus on service providers for their potential multiplier effect across client ecosystems. Technology, meanwhile, saw activity rise from 10 to 17 cases, keeping it among the top targets but shifting the balance of sectoral pressure toward services and operational industries. Healthcare and Financial Services showed stable exposure, with 7 victims each compared to 9 and 8 respectively the prior week. Unlike the broader distribution of attacks during the previous week, which included hits on Energy, Hospitality, Public Sector, and even Religious Services, the reporting week revealed a tighter concentration on Manufacturing, Business Services, and Technology, pointing to a more deliberate narrowing of targeting strategies by major ransomware groups.

The United States continued to be the focal point of ransomware activity with 61 recorded victims, highlighting its attractiveness to adversaries and the relative visibility of incidents within its borders. Germany remained stable with 6 cases, while the United Kingdom decreased to 8, with new activity emerging instead in smaller economies such as Turkey and South Korea.

OBSERVATIONS

  • Ransomware activity showed a slight decline compared to the previous week.
  • The geographic distribution became more concentrated, which indicates an intensification in a single, high-value market.
  • The reporting period saw a tighter concentration of attacks on industries with known operational criticality.
  • Groups such as Pear and Blacknevas, which were highly active in the previous week, were not active in the current reporting period. In contrast, Akira surged dramatically, outshining other ransomware groups and reshaping the threat landscape. This sudden dominance suggests shifts in operational capacity or targeting strategies.

RECOMMENDATIONS

  • Security teams in the U.S. and other highly targeted countries should prioritize continuous monitoring, early warning intelligence, and rapid response playbooks.
  • The targeted sectors should reinforce endpoint detection and response (EDR), patch management, and segmented backups to reduce ransomware impact.
  • Organizations should leverage threat intelligence on these groups' TTPs (Tactics, Techniques, and Procedures) to ensure early detection.
  • Security teams should update detection rules (YARA/Sigma) and hunt for IoCs associated with these groups.
  • Organizations should practice timely sharing of attack data among industry peers to improve situational awareness and defense coordination.
  • Organizations should assess the security posture of suppliers and partners to prevent supply chain entry points.