ZeroFox Intelligence Assessment - Q2 2025 Ransomware Wrap-up

July 29, 2025|by Alpha Team

DDW

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

View the full report here.

ZeroFox observed at least 1,366 separate ransomware and digital extortion (R&DE) incidents during Q2 2025—a drop of approximately 30 percent from the record-breaking 1,961 incidents observed during the first quarter of the year.
North America-based organizations were the most targeted by a substantial margin, accounting for approximately 57 percent of all incidents. This is consistent with the 58 percent average observed throughout 2024 and a slight decrease from the 66 percent observed in Q1 2025.
During Q2 2025, organizations in the manufacturing industry were targeted by more R&DE incidents than those in other industries, experiencing a total of at least 33 attacks. Approximately 19 percent of all R&DE incidents targeted entities in the manufacturing industry during Q2 2025, a slight decrease from the approximately 21 percent observed during Q1 2025.
The five most active R&DE collectives ZeroFox observed during Q2 2025 were almost certainly Qilin, Play, Akira, SafePay, and INC Ransom. This is a notably different picture from the first quarter of 2025; only two of those same five collectives appear on both lists (Qilin and Akira).

Tags: tlp:clear, dark web, threat actor