Researchers from Comparitech documented a drop in ransomware incidents in April 2025, amid the disappearance of RansomHub, a prominent ransomware group, from the cyber landscape. According to the cybersecurity research company, the total number of attacks recorded in the month was 479. This represents a significant decrease compared to the preceding months of the year, which saw 530 attacks in January, 973 in February, and 713 in March.

Despite the overall reduction in attacks, April witnessed some major ransomware incidents. UK retail chain Marks & Spencer was targeted by Scattered Spider, while US-based kidney dialysis company DaVita faced a severe ransomware attack.

The analysis showed that government agencies continued to be frequent targets, with ransomware attacks in this sector remaining relatively high. A notable incident involved the Oregon Department of Environmental Quality, which was targeted by ransomware group Rhysida. The attackers demanded a $2.7m ransom, which the agency confirmed it refused to pay.

Healthcare organisations also saw an increase in confirmed ransomware incidents, with six cases reported in April compared to five in March. These attacks were distributed across different countries.

Businesses accounted for majority of confirmed incidents

Key findings for April 2025 include 479 total attacks, of which 39 were confirmed. Among these confirmed attacks, 21 targeted businesses, nine impacted government entities, six affected healthcare companies, and three hit educational institutions.

Of the 440 unconfirmed attacks, the majority (396) were directed at businesses.

The most active ransomware groups in April were Qilin with 67 attacks, Akira with 62, Play with 50, Lynx with 32, and NightSpire with 22. Akira reported the highest number of confirmed attacks at three. Its victims included Toppan Next Tech, Italian food manufacturer Asolo Dolce, and US tech company Hitachi Vantara.

Qilin, NightSpire, Silent, and Sarcoma followed Akira with two confirmed attacks each.

RansomHub’s absence from the scene in April, with no new victims listed on its data leak site, has sparked speculation that its affiliates may have transitioned to groups such as Qilin.

Comparitech classifies an attack as ‘confirmed’ when the affected organisation publicly discloses the ransomware incident or acknowledges a cyberattack that aligns with a ransomware group’s claim. If the organisation does not acknowledge the attack, it is labelled as ‘unconfirmed’.
