ZeroFox Intelligence Assessment - Q3 2025 Ransomware Wrap-up

ZeroFox Intelligence Assessment - Q3 2025 Ransomware Wrap-up

TLP:Clear

Standing Intelligence Requirements

For the most up-to-date list of ZeroFox’s Intelligence Requirements, please visit:

https://cloud.zerofox.com/intelligence/advisories/14956

Link to Download

View the full report here.

Key Findings

• ZeroFox observed at least 1,429 separate ransomware and digital extortion (R&DE) incidents in Q3 2025, a slight increase of nearly 5 percent from Q2 and a drop of approximately 27 percent from the record-breaking 1,961 incidents observed in Q1 2025.
• By Q3 2025, the professional services industry had already experienced at least 510 attacks, surpassing the 462 incidents recorded in all of 2024—a nearly 10.4 percent increase year-over-year, with the pace suggesting up to a 47 percent increase by year end if current trends continue.
• The increased targeting of professional services organizations is likely driven by the industry's substantial growth in recent years, partly due to the need for niche specialized expertise, as well as the digitization of businesses globally. This, in turn, highlights vulnerabilities to the professional services industry and its clients.
• ZeroFox assesses that the five most active R&DE collectives in Q3 2025 were almost certainly Qilin, Akira, INC Ransom, Play, and SafePay. This is notably similar to Q2 2025—wherein the top five was composed of the same collectives—with some minor shifts.