Ransomware Rankings Shake Up: Akira Rises, Hunters Fall, New Threats Emerge


The threat landscape is always shifting, and ransomware is no exception, so organizations need to keep up with current threat trends. Halcyon recently released its Ransomware Malicious Quartile (RMQ) report covering the top ransomware groups in Q1 2025. The report serves as a strategic snapshot of ransomware group capabilities and trends, and it shows a number of recent shifts in the ransomware landscape; following threat intelligence like this helps organizations stay on top of the most pressing risks.

Akira Takes the Crown

In the Frontrunners quadrant, Akira has risen to the top of the rankings in this report. The group combined technically advanced tactics with a high volume of attacks to surge to the top spot among ransomware threat actors. As of April 2024, more than 250 attacks had earned Akira around $42 million in ransom payments from its targets, and the group’s activity spiked significantly later in the year.

Key tactics, techniques, and procedures (TTPs) used by Akira include exploiting VPN credentials, leveraging PowerShell to prevent the restoration of encrypted data, avoiding critical system files to maintain the system’s stability, and disabling EDR solutions. They also carry out reconnaissance of target systems and use Living-off-the-Land techniques to achieve lateral movement while evading detection. Akira’s attacks have targeted the education, finance, and manufacturing sectors, primarily in North America, Europe, and Australia.

Cl0p’s Comeback

Cl0p, an older player among ransomware threat groups first observed in 2019, rose sharply in Q2 of 2023 by automating the exploitation of a file transfer vulnerability to become the most active ransomware actor. The group’s activity tends to vary over time, with sharp surges of mass exploitation campaigns interspersed with quieter periods. Cl0p’s targeted attack tactics have also led to variance in its ransom amounts; data from 2023 indicates that the group’s average ransom demand was around $2.51 million, and the average payout per victim was over $1.73 million.

Notable Cl0p campaigns include the mass exploitation of a MOVEit Transfer flaw, which accounted for 21% of all ransomware attacks in July 2023, and the late 2024 exploitation of Cleo Integration Cloud vulnerabilities that marked the group’s return to the Frontrunners quadrant. The recent resurgence through the Cleo exploitation has sparked a steep increase in ransomware activity, a significant comeback after Cl0p’s previous decline.

New Threats in the Spotlight: Lynx and SafePay

Lynx, first observed in July 2024, focuses its efforts on the manufacturing and construction sectors and claims to deliberately avoid targeting sectors like government, healthcare, and non-profits, though its attacks frequently disrupt critical industries. Lynx uses advanced encryption techniques, terminates processes that may disrupt encryption, and blocks recovery efforts by disabling typical backup mechanisms. Lynx works as a closed group, with code built for Windows systems that is very similar to INC ransomware.

SafePay emerged in November 2024 and has quickly risen to prominence by launching a large volume of attacks in a short time span. SafePay is believed to have incorporated a LockBit variant from 2022, and its attacks are sophisticated, using tactics like exploiting known vulnerabilities and encrypting files with the .safepay extension. The ascent of these two relatively new players highlights the fact that advanced and adaptable TTPs are on the rise and present a major threat.
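Both the Akira paragraph (PowerShell used to prevent restoration of encrypted data) and the Lynx paragraph (blocking recovery by disabling typical backup mechanisms) describe the same pre-encryption step: destroying or disabling local recovery data before files are encrypted. The following detection is an added example written for this page; it is not code from Halcyon, from the report, or from the article. It scans constructed process-creation events (the host names, users and command lines are made up) for the Windows built-ins commonly abused for this purpose, and escalates a host only when several distinct techniques fire on it, since a single shadow-copy cleanup can be legitimate administration. The rule labels, field names and the `min_distinct_rules` threshold are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not real telemetry from any
# victim or from the Halcyon report). Field names mirror what a SIEM keeps
# from Sysmon Event ID 1 or Windows Security 4688; hosts and users are made up.
SAMPLE_EVENTS = [
    {"host": "fs01", "user": "CORP\\svc_backup", "parent": "services.exe",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},  # benign: enumeration only
    {"host": "fs01", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"},
    {"host": "ws22", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws22", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled No"},
    {"host": "ws22", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmd": "wbadmin.exe delete catalog -quiet"},
    {"host": "db03", "user": "NT AUTHORITY\\SYSTEM", "parent": "svchost.exe",
     "cmd": "C:\\Windows\\System32\\wbengine.exe"},  # benign: Windows Backup engine
]

# Each rule is (label, compiled pattern). The patterns cover the Windows
# built-ins commonly abused to remove or disable local recovery data
# (MITRE ATT&CK T1490, Inhibit System Recovery); the labels are our own.
RULES = [
    ("shadow copies deleted via vssadmin",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("shadow copies deleted via WMI/PowerShell",
     re.compile(r"win32_shadowcopy.*\.delete\(\)|\bwmic\b.*shadowcopy\s+delete", re.I)),
    ("backup catalog deleted via wbadmin",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+(catalog|systemstatebackup)\b", re.I)),
    ("Windows recovery environment disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*recoveryenabled\s+no\b", re.I)),
]


def match_rules(cmd):
    """Return the labels of every rule whose pattern matches the command line."""
    return [label for label, pattern in RULES if pattern.search(cmd)]


def scan_events(events):
    """Produce one alert per (event, rule) hit, carrying the fields an analyst needs."""
    alerts = []
    for ev in events:
        for label in match_rules(ev["cmd"]):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "parent": ev["parent"], "rule": label, "cmd": ev["cmd"]})
    return alerts


def escalated_hosts(events, min_distinct_rules=2):
    """Hosts on which at least `min_distinct_rules` different recovery-inhibition
    techniques fired in this batch. One vssadmin call may be an admin cleaning
    up disk space; several different techniques back to back on one host is
    the pre-encryption pattern the article describes, so it is escalated."""
    seen = defaultdict(set)
    for alert in scan_events(events):
        seen[alert["host"]].add(alert["rule"])
    return sorted(h for h, rules in seen.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['rule']}] host={a['host']} user={a['user']} parent={a['parent']}: {a['cmd']}")
    print("escalate:", escalated_hosts(SAMPLE_EVENTS))
```

On the sample batch, `fs01` produces a single WMI-based alert and is left for triage, while `ws22` trips three distinct rules from the same user and parent process and is escalated. In production the same correlation would be done over a time window rather than a static batch, and the parent-process and user fields are what let an analyst separate a backup operator from an intruder operating from an interactive shell.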

Legacy Players Lose Momentum

According to the Halcyon report, several legacy ransomware actors show signs of waning, including BlackBasta, 8Base, and LockBit, though they currently remain front-runners in the quartile. These older players may be losing prominence for a number of reasons, including external pressure, internal issues, or a deliberate strategic slowdown of activity. Such groups are liable to show declines in activity at times, as the spotlight of being a major ransomware player brings increased scrutiny.

BlackBasta’s activity has declined in 2025, partly as a result of internal fragmentation and conflict and partly from public and law enforcement pressure. 8Base has similarly faced recent law enforcement action, as international agencies worked together to seize its dark web sites and arrest certain members. LockBit saw a decline in 2024 after its network of affiliates and its infrastructure were weakened, also in part through law enforcement action and internal conflict.

The Fall of Hunters International

Major player Hunters International has dropped in this report’s ranking from the Leaders quartile to the Contenders quartile. The group emerged in 2023 and is believed to be connected to the Hive ransomware group, which was dismantled by law enforcement shortly before Hunters International appeared. Its techniques have included phishing, supply chain compromise, and exploitation of Remote Desktop Protocol (RDP). The group’s fall to the Contenders quartile could be due to a variety of reasons, including a narrowing of focus to sectors with higher payout potential, a shift in priorities toward pure data theft and extortion, operational setbacks, or fragmentation of the group.

Implications for Defenders

The rankings in Halcyon’s RMQ report should inform defense strategies and incident response priorities by pointing defenders to the most pressing current threat groups, their TTPs, and the risks they present. Defenders must adopt adaptive, threat-informed security postures to account for the constantly shifting threat landscape and the advanced tactics that ransomware actors continue to employ.

Jon Miller, CEO of Halcyon, notes: “One of the biggest takeaways from our Q1-2025 Ransomware Malicious Quartile report is just how central EPP/EDR/XDR bypass has become to modern ransomware operations. These crews aren’t just slipping past defenses—they’re showing up with custom tools designed to remove them.” It is crucial for organizations to take this into account and consider that “if ransomware makes it to the headlines, it’s already beat your endpoint security.” Protecting against emerging and evolving ransomware threats necessitates investing in robust, advanced security that works to combat modern threat technology.

Conclusion

The ransomware landscape is a volatile ecosystem, always subject to change and upset by a wide range of factors, from law enforcement activity to technological advances that enable more sophisticated attacks. Different ransomware groups and technologies are always rising and declining, evolving their tactics, and shifting their activity to increase success and outmaneuver security efforts. Organizations relying only on traditional endpoint protection are not adequately prepared to fight modern ransomware threats. Continuous threat tracking and intelligence sharing are of the utmost importance for any organization hoping to stay on top of ransomware trends and defend against attacks.

Author
  • Contributing Writer, Security Buzz
    PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.