Ransomware Trends & Data Insights: June 2025

The threat landscape in June saw the re-emergence of older groups and a more standard distribution of engagements as the top groups claimed a larger percentage of the total. Throughout June, analysts at Arete identified several distinct trends behind the threat actors perpetrating cybercrime activities:

  • Qilin was the most prolific threat group in June, responsible for over 26% of all ransomware and extortion attacks throughout the month. The group has recently exploited known vulnerabilities in Fortinet’s FortiGate appliances — notably CVE-2024-21762 and CVE-2024-55591 — to gain initial access by bypassing authentication and executing remote code on vulnerable systems. Additionally, reporting indicates that Qilin has attempted to recruit ex-RansomHub affiliates on the RAMP forum, posting new features available to affiliates, including legal support and a new DDoS feature.
  • Law enforcement, led by Interpol, conducted Operation Secure from January to April 2025, targeting the infrastructure behind information stealers across 26 countries. The operation resulted in 32 arrests, data seizures, and the takedown of 117 servers, disrupting major stealers like Lumma, RisePro, and MetaStealer. Cybercriminals commonly use these tools to collect credentials, crypto wallets, and browser data, which are then sold or used for further attacks. This operation marks a strategic shift in law enforcement’s focus from ransomware groups to the broader support infrastructure enabling cybercrime.

Cyberattacks were less evenly distributed than in previous months, with a total of 14 unique ransomware and extortion groups identified, down from 18 in May.

Figure 1. Activity from all identified threat groups in June 2025

Sources

  • Arete Internal