Ransomware gangs go whale hunting with Fortune 500 companies

Last updated: 11 April 2025
Ransomware
Image by Cybernews

Cybernews has been watching, and the numbers speak for themselves. Ransomware gangs are cranking up the heat with attacks that are nearly doubling the victim count.

Ransomware didn’t slow down in 2025. It evolved, got nastier, and picked its victims with chilling precision.

Using our in-house surveillance tool, Ransomlooker, Cybernews analysts stalked the global ransomware scene through Q1, digging into every hit, every leak, and every bragging post by cybercriminals hungry for attention and crypto.

ADVERTISEMENT

From Fortune 500 takedowns to small businesses caught in the crossfire, we traced who got hit, how bad it was, and which crews were behind the chaos.

The data paints a brutal picture – but keep in mind that it’s only the tip of the iceberg. The real number of attacks is probably much higher, with some victims not even knowing they’ve been breached.

Key ransomware metrics in 2025

In just three months of this year, ransomware crews have clocked 2,028 known victims, more than double the 1,005 hits we saw in Q1 2024.

That’s a 101.8% explosion in attacks, proving that despite high-profile takedowns, international crackdowns, and breathless headlines about arrests, the ransomware machine is not slowing down. If anything, it’s getting smarter, faster, and a whole lot meaner.

The number of active ransomware gangs also spiked, with 65 groups operating in the first quarter – up from 47 in the same period last year. Fourteen of them were brand new or rebranded because that’s how this game works: kill one gang and another two rise from the ashes.

Ransomware landscape 2025 Q1

Who are the key players in the ransomware league?

ADVERTISEMENT

Cl0p, the notorious Russian-linked gang, topped the ransomware charts with the highest activity. Known for the infamous MOVEit and Fortra GoAnywhere hacks, it came out swinging with 360 victims, stealing the crown from longtime heavyweight LockBit, who fell hard from 219 hits in Q1 2024 to just 23 this quarter. That’s a drop from #1 to #21. No one stays on top for long in this brutal ecosystem.

The top 3 ransomware gangs:

  • Cl0p
  • Akira
  • RansomHub

Hot on Cl0p’s heels is Akira, which racked up 205 victims, a 220% increase from Q1 last year. This gang is still relatively fresh, surfacing in mid-2023, but it’s clear they’ve hit their stride, targeting manufacturing, retail, and other high-value sectors.

Sharing the third-place spotlight is RansomHub. This is a new player that first appeared in 2024 but is quickly climbing the ranks with 205 claimed victims. If they keep this pace, expect them to top the charts by the end of year.

And while other familiar names such as Babuk, Lynx, Qilin, and Funksec didn’t dominate the headlines, they kept grinding, launching steady attacks across industries.

Among the newcomers, Nightspire made an immediate impact with 17 victims, showing how easy it still is for new players to spin up operations and go live.

Which sectors does ransomware target the most?

Ransomware gangs aren’t switching up their targets too much in 2025 – they’re doubling down. According to Ransomlooker, manufacturing and industrial operations once again took the brunt of the hits in Q1.

These sectors run on tight margins and tighter timelines, so even a brief system hiccup can bleed millions. That kind of pressure makes them prime bait for extortion.

ADVERTISEMENT

Right behind was the consumer and retail services sector – basically, the frontlines of global commerce. With endless customer data, payment info, and supply chain connections up for grabs, it’s an all-you-can-eat buffet for threat actors looking to cash in fast.

Tech and IT firms climbed to third, up from fifth last year. And it’s no mystery why. These companies are holding high-value digital assets and are gatekeepers to precious data. Hit the right node, and you’re not just shutting down a company – you’re freezing entire networks.

The most targeted sectors:

  • Manufacturing and industrial sector
  • Consumer and retail services sector
  • Technology and IT sector
  • Transportation and logistics sector
  • Business service

Transportation and logistics muscled into the top five for the first time in years. This jump reflects attackers’ growing interest in disrupting the global movement of goods and services. As planes, ports, and delivery ops go full tech, ransomware crews are lining up to pull the plug and watch the world stall.

The business services sector also made its debut in the fifth spot. This is another attractive target, as business services are often the middlemen. Hit them, and you’ve got a backdoor into the whole supply chain.

One surprise twist is that the healthcare sector didn’t make the top five this time. But don’t celebrate just yet – while attacks dropped slightly, it’s still very much in the danger zone. And when hospitals are on the line, even a minor breach can be life-threatening. The sector still remained within the top 10 targeted sectors.

Which companies do ransomware gangs target?

Ransomware gangs aren’t wasting time on small fish anymore – in Q1 2025, they went straight for the whales. The top 10 victim companies alone hauled in a combined $329.8 billion in annual revenue, nearly two-thirds of what all ransomware victims made in 2024.

If threat actors demanded just 1% from each, they’d be staring down a potential $3.3 billion payday, not even counting the chaos caused by downtime and reputational fallout.

ADVERTISEMENT

The biggest ransomware targets:

  • Sam’s Club - $84.3 billion
  • HCA Healthcare - $69.6 billion
  • Pinduoduo - $53.955 billion
  • HP - $53.3 billion
  • Nippon Steel - $59 billion
  • Sodexo - $26.14 billion
  • Leonardo - $18.45 billion
  • Assa Abloy - $13.35 billion
  • MinebeaMitsumi - $9.81 billion
  • Marelli - $105.69 million

Big names caught in the crosshairs included HCA Healthcare ($69.6B), Nippon Steel ($59B), and HP ($53.3B), alongside global giants like Pinduoduo, Sodexo, Sam’s Club, Leonardo, Assa Abloy, Marelli, and MinebeaMitsumi. These aren’t just high-revenue corporations – they’re essential cogs in everything from defense and manufacturing to healthcare and retail. And that’s the point. Hitting them isn’t just profitable – it’s disruptive on a global scale.

Compared to the same period last year, the financial profile of victims has skyrocketed – up 61% from a combined $204.2 billion to $329.8 billion this year. The message is loud and clear: ransomware gangs are scaling up, trading shotgun-style sprees for sniper-precision attacks on the world’s corporate powerhouses. Fewer hits, bigger paydays.

Which countries are targeted by ransomware the most?

This isn’t just about who's rich – it’s about who’s online. Ransomware gangs are scaling up and spreading globally. They are no longer sticking to North America and Western Europe but attacking less prepared developing economies as well.

Geographically, the US once again wore the bullseye in Q1 2025, clocking in 783 ransomware victims and holding its spot at the top of the hit list for the fourth year straight. With its sprawling digital infrastructure and fat wallets, threat actors know that American companies are more likely to cough up the cash.

The most targeted countries:

  • United States
  • Canada
  • United Kingdom
  • Germany
  • Italy
  • France
  • India
  • Australia
  • Brazil
  • Mexico

Trailing behind were Canada and the UK, with 95 and 60 victims, respectively – proof that even nations with solid cybersecurity still bleed when targeted. These high-tech, high-stakes countries remain prime real estate for extortion campaigns aimed at critical services and juicy payout potential.

ADVERTISEMENT

Germany, Italy, France, and India kept their unlucky seats in the upper ranks, each logging between 20 and 32 victims. Meanwhile, Australia, Brazil, and Mexico rounded out the top 10.

Share
Post
Share
Share
Share
More from Cybernews
This week in AI: OpenAI’s o3, Anthropic’s agentic Research, and a few updates from Chinese vendors
Critical security flaw affects Asus AiCloud routers, urgent update required
Roblox allegedly made over $120K ripping off viral Charlie XCX “Apple Dance” creator
Critics call Florida bill aiming to protect minors a threat to encryption
Ethereum phishing scam victims warned in Operation Avalanche
“Vote for me” scam turns into chain reaction of stolen Facebook, X accounts
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked