September 2025 saw a surge in ransomware activity led by the Qilin group, notably targeting asset management companies in Korea, alongside the appearance of several new ransomware groups. The AhnLab TIP/ATIP-derived statistics cover top affected countries, industries, top ransomware groups, and three-year detection trends.
Key points
- Qilin group dominated ransomware activity in September 2025 with concentrated attacks on asset management companies in South Korea.
- Report statistics derive from AhnLab diagnosis criteria and Dedicated Leak Sites (DLS) data collected by the ATIP infrastructure.
- Available statistics include top 10 affected countries, industries affected, top 10 ransomware groups over three years, and three-year detection trends.
- ASEC blog provides only the three-year trend for “Ransomware Detections and Statistics”; other statistics are available in AhnLab TIP reports.
- New ransomware groups emerged in September 2025, contributing to an overall increase in ransomware incidents.
- Report highlights industry- and region-specific ransomware damage and evolving threat trends.
MITRE Techniques
- [T1490] Impact – Ransomware groups encrypted systems and published data on Dedicated Leak Sites (DLS) to pressure victims: ‘ransomware damage by industry and region’ and ‘Dedicated Leak Sites (DLS) of the ransomware groups’.
- [T1486] Data Encrypted for Impact – Qilin group’s concentrated attacks against asset management companies indicate encryption of files to disrupt operations: ‘concentrated attacks against asset management companies in Korea’.
- [T1592] Gather Victim Identity Information – Use of DLS and counting affected companies suggests collection and public exposure of victim identities: ‘information provided on the Dedicated Leak Sites (DLS) of the ransomware groups’.
Indicators of Compromise
- [Affected Organization] targeted sector context – asset management companies in Korea (victim set reported by ATIP/AhnLab).
- [Threat Actor] group names – Qilin, Kill Security, INC RANSOM (primary groups cited in trends).
- [Data Source] reporting sources – Dedicated Leak Sites (DLS) and AhnLab TIP/ASEC statistics (used to enumerate affected companies and sample counts).
Read more: https://asec.ahnlab.com/en/90688/