Cyble’s H1 2025 report shows a sharp rise in ransomware, supply chain attacks, and more sophisticated hacktivism, with CL0P, Akira, and Qilin driving a large share of incidents. North America, especially the United States, remained the main target, while industrial and critical infrastructure sectors faced increasingly coordinated threats. #CL0P #Akira #Qilin #MOVEit #GoAnywhereMFT #NHS #ZPentest #DarkEngine #Sector16
Keypoints
- Annual cybersecurity threat landscape reports typically begin with an executive summary that highlights the most important trends, followed by key statistics that quantify attack volume, geographic distribution, and sector impact.
- These reports usually include sections on top threat actors, weaponized vulnerabilities, regional threat analysis, emerging groups, supply chain incidents, and hacktivism, ending with a conclusion that ties the findings together and outlines the broader implications.
- In H1 2025, ransomware incidents rose 54% year over year to 3,201 total attacks, showing a significant escalation in both volume and operational pressure on victims.
- February was the most active month with 848 attacks, driven largely by CL0P’s aggressive activity, indicating how a single actor can heavily influence quarterly trends.
- North America remained the primary target region, accounting for 65% of attacks, while the United States alone saw 1,814 incidents, or 57% of the global total.
- Construction and Professional Services were the most targeted sectors globally, reflecting continued attacker interest in industries with broad business disruption potential and sensitive operational data.
- CL0P, Akira, and Qilin were responsible for 34% of all ransomware attacks, underscoring a market concentration around a few highly capable and persistent groups.
- CL0P’s use of zero-day exploitation against enterprise file transfer tools such as MOVEit and GoAnywhere MFT highlights the growing value of exploiting trusted software supply chains and externally facing business platforms.
- The report identified 63 zero-days weaponized in H1 2025, with Microsoft accounting for 19, followed by Apple, Ivanti, Google, and VMware, showing continued abuse of widely deployed enterprise software.
- Regional analysis shows the U.S. led all countries, while APAC saw Taiwan, Singapore, India, and Japan as top targets, and Europe experienced 663 attacks, with Germany and the U.K. hit hardest.
- Akira was especially active in Europe and North America, while Qilin showed broad activity across the U.S., Europe, and Asia, including a major incident involving the UK’s NHS.
- ANZ ransomware attacks doubled year over year to 64 incidents, and the Middle East and Africa saw targeted campaigns against the UAE and South Africa, with sectors such as IT, construction, and energy affected.
- Several new ransomware groups emerged in the period, including Dire Wolf, DATACARRY, Silent Team, Gunra, and “J,” signaling continued fragmentation and innovation in the ransomware ecosystem.
- Software supply chain attacks increased 30%, with 105 incidents documented in H1 2025 and a rising monthly average, demonstrating that attackers are increasingly leveraging trusted vendors to reach downstream victims.
- IT, technology, and telecommunications organizations were the most common supply chain targets, and attacks against these providers created exposure for finance, government, healthcare, and other downstream sectors.
- Notable supply chain incidents involved groups such as Everest, Akira, Hellcat, DragonForce, VanHelsing, Crypto24, Killsec, and Medusa, showing that supply chain abuse is now a common tactic across multiple threat actors.
- Hacktivism became more advanced in 2025, moving beyond DDoS toward ransomware-style disruption and attacks on industrial control systems, especially in energy, transportation, and utilities.
- Russia-linked groups Z-Pentest, Sector 16, and Dark Engine conducted coordinated ICS attacks, with Z-Pentest alone tied to 38 incidents in Q2 2025, highlighting a dangerous convergence of hacktivism and critical infrastructure threats.
- The report’s recurring themes are the dominance of a few major ransomware operators, the increasing exploitation of zero-days and supply chain trust, and the growing strategic focus on high-impact sectors and infrastructure.
- Overall, the landscape reflects a shift toward larger-scale, more professionalized, and more disruptive operations, requiring stronger patching, threat intelligence, vendor risk management, and resilience planning.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)