
Key Takeaways:
- SafePay, Play, and Akira are among the most active ransomware gangs as of mid-2025, alongside returning threats like Clop and LockBit.
- Gangs increasingly use phishing, credential theft, and living-off-the-land techniques to bypass traditional defenses.
- Prevention hinges on a layered strategy: secure backups, MFA, employee training, patch management, network segmentation, and incident response drills.
Ransomware attacks continue to escalate in scale, complexity, and frequency in 2025. As new groups emerge and older gangs resurface under new names, enterprises face a threat landscape that is both dynamic and relentless. The latest threat intelligence shows that ransomware gangs are not only multiplying—they’re evolving their tactics, exploiting vulnerabilities faster, and demanding ransoms in more creative ways, often without even encrypting files.
The Most Active Gangs in 2025
The most active ransomware group as of May 2025 is SafePay, which has quickly gained notoriety after emerging in late 2024. Known for using compromised VPN and RDP credentials, SafePay claimed responsibility for 58 victims in a single month and has attacked nearly 200 organizations in total. Their preferred tactic is double extortion: encrypting data and threatening to leak it unless the ransom is paid.
Other active groups include Play and Akira, both of which have demonstrated adaptability across multiple industries. DevMan is a newer player that appeared recently but is already building momentum. LockBit, a ransomware-as-a-service (RaaS) group that has been active for years, remains a major player despite increased law enforcement scrutiny.
Clop, which gained global attention during the MOVEit data theft campaigns in 2023 and 2024, continues to focus on large-scale data exfiltration rather than encryption. The gang often bypasses traditional ransomware deployment, instead stealing files and threatening public disclosure to extort victims.
Medusa, Vice Society, and Royal are also highly active, targeting sectors like healthcare, education, and legal services. These groups typically exploit unpatched systems or weak credentials, often gaining entry through phishing emails or malicious attachments.
Tactics and Techniques
Most ransomware gangs now use double extortion as a baseline tactic. This means that even if an organization can restore encrypted files from backup, attackers still threaten to publish sensitive data unless paid. Some groups, like Clop, have dropped encryption entirely, relying solely on data theft and extortion.
Other common tactics include:
- Credential theft via phishing and social engineering
- Exploiting unpatched vulnerabilities in VPNs, firewalls, and collaboration software
- Living-off-the-land techniques (using built-in tools like PowerShell and Remote Desktop to avoid detection)
- Use of legitimate remote management tools post-intrusion
- Fast lateral movement across networks using compromised admin accounts
Ransom demands in 2025 have ranged from $250,000 to over $10 million, depending on the victim’s size, data sensitivity, and perceived ability to pay.
How to Stay Safe: Practical Measures
While no organization is immune, several practices can significantly reduce ransomware risk and limit potential damage. Consider hiring a top-ranked MSP to handle these items for you:
Regular, segmented, and offline backups
Ensure data is backed up frequently to offline or immutable storage. Test backups regularly to confirm restorability.
Patch management
Apply critical security updates promptly across operating systems, VPNs, firewalls, and third-party applications.
Multi-factor authentication (MFA)
Require MFA for VPN, email, and administrative access. This is one of the simplest ways to reduce the impact of credential compromise.
Network segmentation
Separate critical systems, OT environments, and sensitive databases from general user traffic. This limits lateral movement.
Security monitoring and behavior analytics
Use endpoint detection and response (EDR) and centralized logging to detect unusual behavior early, such as abnormal file transfers or access patterns.
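As an added illustration of the monitoring idea above (example code, not from the original article): a small Python pass over constructed logon and outbound-transfer records that flags the two patterns the text names, one account fanning out across many hosts over RDP within minutes, and a host whose daily outbound volume suddenly dwarfs its baseline. The record fields, thresholds and sample data are assumptions; real EDR or SIEM exports would need their own field mapping.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample records (not real telemetry); logon_type 10 is an RDP logon.
LOGONS = [
    {"ts": "2025-05-01T02:10:00", "user": "svc_backup", "host": "FS01", "logon_type": 10},
    {"ts": "2025-05-01T02:12:00", "user": "svc_backup", "host": "DC01", "logon_type": 10},
    {"ts": "2025-05-01T02:13:30", "user": "svc_backup", "host": "SQL01", "logon_type": 10},
    {"ts": "2025-05-01T02:15:00", "user": "svc_backup", "host": "HR02", "logon_type": 10},
    {"ts": "2025-05-01T09:00:00", "user": "alice", "host": "WS17", "logon_type": 10},
    {"ts": "2025-05-01T09:31:00", "user": "alice", "host": "FS01", "logon_type": 3},
]
# Constructed outbound volume per host per day (bytes sent to external addresses).
TRANSFERS = [
    {"host": "FS01", "day": "2025-04-29", "bytes_out": 900_000_000},
    {"host": "FS01", "day": "2025-04-30", "bytes_out": 1_100_000_000},
    {"host": "FS01", "day": "2025-05-01", "bytes_out": 40_000_000_000},
    {"host": "WS17", "day": "2025-04-30", "bytes_out": 50_000_000},
    {"host": "WS17", "day": "2025-05-01", "bytes_out": 60_000_000},
]

def rdp_hopping(logons, max_hosts=3, window=timedelta(minutes=30)):
    """Users that reach more than max_hosts distinct hosts over RDP inside one window."""
    by_user = defaultdict(list)
    for e in logons:
        if e["logon_type"] == 10:  # only interactive RDP; network/service logons ignored
            by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e["host"]))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window over each start time
            hosts = {h for t, h in events[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged

def exfil_spike(transfers, factor=5):
    """Hosts whose latest day's outbound bytes exceed factor x the mean of earlier days."""
    by_host = defaultdict(list)
    for t in transfers:
        by_host[t["host"]].append((t["day"], t["bytes_out"]))
    flagged = {}
    for host, days in by_host.items():
        days.sort()
        if len(days) < 2:
            continue  # no baseline yet, nothing to compare against
        baseline = sum(b for _, b in days[:-1]) / (len(days) - 1)
        if days[-1][1] > factor * baseline:
            flagged[host] = round(days[-1][1] / baseline, 1)
    return flagged
```

Both checks are deliberately simple baselines; in practice the window, host count and spike factor are tuned per environment so that routine admin sessions and scheduled backups do not trip them.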
Employee awareness training
Regularly train employees to recognize phishing emails, malicious links, and QR code scams. Simulated phishing exercises help reinforce vigilance.
Incident response planning
Conduct tabletop exercises and technical dry runs to test how your team would respond to a ransomware incident. Ensure legal, IT, and executive leaders are involved.
Enforce least-privilege access
Limit access rights to only those necessary for each role. Use allowlists for applications and restrict access to sensitive systems by default.
Disable unused remote access points
Shut down exposed RDP ports and third-party remote tools that aren’t actively needed. Use a VPN or zero-trust architecture instead.
Prepare for extortion attempts
Know ahead of time how your organization will respond to a ransom demand. Involve legal counsel and coordinate with law enforcement if attacked.
Looking Ahead
The ransomware ecosystem continues to shift, but the core threats remain consistent: stolen credentials, phishing, misconfigured remote access, and unpatched systems. Attackers are opportunistic, often going after low-hanging fruit. Organizations that implement strong hygiene, limit privilege, and plan ahead tend to recover faster and are less likely to pay.
As 2025 unfolds, the most successful defense strategies will come from resilience, not reliance—resilience through layered defenses, tested response plans, and empowered users.
Ransomware isn’t going away, but preparation changes the outcome.