Ransomware Thrives in Shook-Up Criminal Underworld

Attacks Tied to SafePay, Qlin, Play and Akira Surge; Scattered Spider Returns Mathew J. Schwartz (euroinfosec) • June 18, 2025

It's shake-up season in the ransomware world as old brands have disappeared, forcing an affiliate diaspora and perverse innovation from a criminal underworld in flux.

See Also: Forrester Top 35 Global Breaches Report: Balance Defense with Defensibility

Threat intelligence firm Cyble said in a Wednesday report that 40% of hacking incidents that came to light in April and May involved ransomware or a supply-chain attack (see: Supply Chain Attacks Really Are Surging).

Of the 401 victims claimed in May, 64 were traced to ransomware groups SafePay, Qlin, Play and Akira. Half of these attacks were against U.S. organizations, followed by nearly two dozen each in Germany and Canada, and about a dozen each in Spain, the U.K., Italy and Brazil.

Such measurements are imperfect since ransomware groups don ...