Red Hot Cyber


Qilin leads ransomware attacks as new groups emerge underground

Redazione RHC : 21 September 2025 09:13

Qilin continues to lead all active ransomware groups, well ahead of its competitors in the number of reported incidents. According to a recent Cyble report, the group attacked 104 organizations in August alone, while its closest rival, Akira, claimed only 56 victims. Nonetheless, new actors have emerged whose rapid activity could dramatically shift the balance of power in the ransomware landscape in the near future.

The total number of attacks recorded in August reached 467, marking the fourth consecutive month of growth in the number of incidents. The peak recorded in February remains unsurpassed. Particularly alarming is the growing trend of attacks on software supply chains: such incidents are becoming increasingly common, and the consequences of such intrusions can be widespread.

After the sharp decline in RansomHub activity in early April, Qilin has managed to significantly strengthen its position: since then, the group has reported attacking 398 targets, 70% more than Akira in the same period. According to Cyble, Qilin has successfully recruited many former partners and participants in the RansomHub infrastructure, offering them attractive conditions and opportunities. As a result, Qilin accounts for over 18% of all attacks from April to August, while Akira’s share is limited to 10.7%.

However, the real news in recent months has been the meteoric rise of the Sinobi group, which emerged just two months ago and has already become the third most active cybercriminal group by number of attacks. Of the 41 declared targets, the vast majority are located in the United States. Cyble researchers highlight similarities between the technical infrastructure and leaked data of Sinobi and other active groups, particularly Lynx and INC Ransom. Nonetheless, all three continue to operate independently, casting doubt on the rebranding hypothesis and instead suggesting internal cooperation.

It’s worth noting that Sinobi has reported only one new incident since August 24. This could indicate a change in tactics or that the group has reached an organizational limit: a sharp rise is often followed by an equally rapid decline.

No less noteworthy is the emergence of another newcomer: The Gentlemen. Since the beginning of September, it has claimed responsibility for more than 30 attacks, and if its momentum continues, its market share could be comparable to that of the current leaders by the end of the month.

The increased activity of LockBit, previously considered the largest ransomware group, is raising tensions. The launch of a new version of the tool, LockBit 5.0, indicates an attempt to regain lost influence and reassert its dominant position. The campaign’s success will only become clear after September, but growing competition between veterans and new players is already evident.

In its conclusion, Cyble emphasizes that the constant evolution of groups and modifications to their software solutions remain the main threat to corporate infrastructure and security services. The impact of such attacks affects not only the financial sector, but also critical infrastructure, supply chains, business processes, and corporate operating models.

Maintaining maximum readiness and constant monitoring are the only effective measures in an increasingly aggressive and dynamic cybercriminal environment.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
