SpiderLabs Ransomware Tracker: Qilin & Akira Lead



The threat groups Qilin and Akira together conducted about one-quarter of the 402 ransomware attacks tracked by Trustwave SpiderLabs in September, with the manufacturing and technology sectors bearing the brunt of these efforts.

This information was derived from a new SpiderLabs ransomware tracking tool that gathers information from a variety of open intelligence sources and our own proprietary research. This unique combination of open source and in-house research provides new insights into ransomware attack trends, the threat groups involved and their primary targets.

The information provided here is the first in what will be a series of monthly, quarterly, and yearly reports that go beyond the headlines of the latest ransomware attacks and place them and the perpetrators in deeper context.

September Attack Figures

For September 2025, SpiderLabs recorded 402 ransomware attacks worldwide, compared with the 415 the team tracked in September 2024. Attacks tended to take place earlier in the work week, with Sept. 4, 9, 16, and 22 being the peak attack days, when strikes numbered between 21 and 30.

The US was the most targeted country in September, being hit 215 times, followed by Germany with 22 and Canada with 20. An additional number of attacks could not be connected to a specific victim nation.

Top 5 Threat Groups

The threat group Qilin dominated attacks in September 2025 with Akira taking second place. Both groups dramatically increased their number of attacks, displacing two well-established adversary groups, Ransomhub and Play.

Qilin has been the most aggressive threat group since May, being the top attacker each month except for July when Incransom tied Qilin at the top of the leaderboard.

Qilin is one of the many actors practicing double-extortion ransomware, where payment is demanded both for a decryptor and for a guarantee not to release the stolen data. Akira is speculated to have ties to the now defunct Conti ransomware group.

Top Threat Groups for September

| Threat Groups Sept. 2025 | Number of Attacks | Threat Group Sept. 2024 | Number of Attacks |
|---|---|---|---|
| Qilin | 61 or 15.2% | Ransomhub | 61 or 14.7% |
| Akira | 42 or 10.4% | Play | 45 or 10.8% |
| Incransom | 36 or 8.9% | Medusa | 26 or 6.3% |
| Play | 31 or 7.7% | Qilin | 26 or 6.2% |
| Kilsec | 29 or 7.2% | Akira | 20 or 4.8% |

Top Vertical Sectors Targeted

| Sector 2025 | Number of Attacks as a % | Sector 2024 | Number of Attacks as a % |
|---|---|---|---|
| Technology | 12.7% | Business Services | 26.3% |
| Manufacturing | 11.2% | Manufacturing | 15.7% |
| Financial Services | 8.2% | Technology | 8.9% |
| Healthcare | 6.2% | Healthcare | 8.7% |
| Construction | 4.2% | Financial Services | 6.5% |

In addition to the year-over-year numbers, SpiderLabs’ data over the last five months shows technology and manufacturing trading places as the most targeted sector, with manufacturing leading in August, June, and May. The data also shows that the percentage of attacks for first and second place stayed between 11% and 12%, much like in September.

Year-to-Date Totals

The chart below tracks the overall trend of most active threat groups and sectors under attack so far in 2025. In total, SpiderLabs has tracked 5,301 ransomware attacks, up from 4,012 in 2024.

2025 Ransomware Attacks to Date

| Threat Group | Number of Attacks | Target Sector | Number of Attacks |
|---|---|---|---|
| Qilin | 502 or 9.5% | Technology | 628 or 11.8% |
| Akira | 491 or 9.2% | Manufacturing | 615 or 11.6% |
| Cl0p | 406 or 7.6% | Healthcare | 349 or 6.6% |
| Play | 295 or 5.6% | Business Services | 292 or 5.5% |
| Safepay | 268 or 5% | Financial Services | 265 or 5% |

Defending Against Ransomware

Trustwave, a LevelBlue Company, offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.

Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide client security and business leaders.

The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.

In addition, Trustwave can help with the basic mitigations all organizations should implement including:

  • Enhance cybersecurity hygiene and patch management
  • Implement robust backup and recovery plans
  • Employee training and awareness
  • Multi-Factor Authentication (MFA) and strong credential management
  • Incident response planning

The content provided herein is for general informational purposes only and should not be construed as legal, regulatory, compliance, or cybersecurity advice. Organizations should consult their own legal, compliance, or cybersecurity professionals regarding specific obligations and risk management strategies. While LevelBlue’s Managed Threat Detection and Response solutions are designed to support threat detection and response at the endpoint level, they are not a substitute for comprehensive network monitoring, vulnerability management, or a full cybersecurity program.


