Ransomware Activity Report from 17th August - 23rd August 2025
Between August 17-23, 2025, our threat intelligence monitoring recorded a significant increase in global ransomware activity, with 144 attacks reported, up from the 115 attacks reported the previous week. The reporting period was defined by a clear shift in the threat landscape as other actors emerged to challenge the dominance of the Akira and Qilin ransomware groups.
The United States remained the primary target geographically; however, the most targeted industry shifted from Manufacturing to Technology, indicating a recalibration of targeting techniques by threat actors.
RANSOMWARE THREAT LANDSCAPE OVERVIEW
During this reporting period, there was a significant realignment among the top ransomware groups in the ecosystem. Warlock emerged as the most active group, responsible for 30 of the attacks, surpassing all other actors. Qilin and Akira continued to be prolific, with 22 and 16 victims, respectively, but their collective dominance from the previous week was challenged by the rise of new groups like Dragonforce (14 victims) and Beast (10 victims).

The industry focus of ransomware attacks shifted significantly, with Technology becoming the hardest-hit industry at 26 victims, compared to 17 the previous week. Manufacturing remained one of the top targets with 20 victims, while attacks on Business Services decreased to 16 victims. Other industries also saw notable activity, particularly Healthcare with 13 victims.

Geographically, the United States remained the most targeted country with 58 recorded victims, while the United Kingdom was the second most affected country with 7 victims.

OBSERVATIONS
- Ransomware activity surged by 25% this week, with the total number of attacks rising from 115 to 144. This indicates a renewed operational push by threat groups.
- The previous week's top actors, Akira and Qilin, saw a decline in their victim counts, while groups like Warlock and Dragonforce rapidly ascended. This suggests a constant evolution in the RaaS (Ransomware-as-a-Service) market.
- The shift of the Technology industry to the top spot is a notable development. It could indicate that threat actors are increasingly targeting technology and software companies to enable supply chain attacks, or to leverage their role as service providers to gain access to multiple downstream clients.
- The most prominent ransomware group for the reporting period (Warlock) appears to have focused more on the Technology industry.
- The growing number of victims with an unknown geographical location is a concerning trend. It complicates attribution and makes it more difficult for law enforcement and cyber authorities to track and respond to these incidents, highlighting a need for better intelligence sharing and data sourcing.
RECOMMENDATIONS
- Given the sharp increase in attacks, technology and IT service companies should immediately reinforce their defenses. This includes a review of network segmentation, access controls, and supply chain security protocols to prevent a single compromise from affecting multiple clients.
- The targeted sectors should reinforce endpoint detection and response (EDR), patch management, and segmented backups to reduce ransomware impact. They should also enforce strict monitoring for infostealer malware, which is a primary source of initial access for many ransomware groups.
- Security teams in the U.S. and other highly targeted countries should prioritize continuous monitoring, early warning intelligence, and rapid response playbooks.
- Organizations should leverage threat intelligence on these groups' TTPs (Tactics, Techniques, and Procedures) to ensure early detection.
- Security teams should update detection rules (YARA/Sigma) and hunt for IoCs associated with these groups.
- Organizations should practice timely sharing of attack data among industry peers to improve situational awareness and defense coordination.