Global Ransomware Attacks Show Surprising Decline in April 2025

Ransomware attacks worldwide dropped significantly in April 2025, with 479 reported incidents marking a substantial decrease from previous months, according to new research from Comparitech. This decline mirrors a similar pattern observed in April 2024, suggesting a possible seasonal trend in cyber criminal activity.

The unexpected downturn comes amid high-profile attacks on major corporations, highlighting the evolving nature of understanding modern ransomware threats and attacks.

Key Factors Behind the Decline

The dramatic decrease appears largely attributed to the sudden inactivity of RansomHub, previously the most prolific ransomware group, which went dark after March 31, 2025. This development marked a significant shift in the cybercrime landscape, as attack numbers fell from 973 in February and 713 in March.

Qilin emerged as April's most active ransomware group, claiming 67 attacks – up from 45 in March. Security researchers suggest former RansomHub affiliates may have migrated to Qilin, explaining the group's increased activity. Organizations must implement effective ransomware response strategies to protect against these evolving threats.

Impact Across Sectors

Despite fewer overall attacks, April witnessed some of 2025's most significant incidents, including major breaches at UK retailer Marks & Spencer and US healthcare provider DaVita. The attacks demonstrated criminals' continued focus on high-value targets, particularly affecting small and medium businesses vulnerable to ransomware.

Sector-Specific Analysis

Of the 479 documented attacks:

• Business sector bore the brunt with 417 incidents
• Government entities faced 25 attacks
• Healthcare organizations experienced 22 breaches
• Educational institutions reported 14 incidents

Attack Verification Status

Only 39 attacks were officially confirmed, with the remaining 440 still under investigation or unverified.

For additional insights into global ransomware trends, visit the CISA StopRansomware resource center.

The pattern of reduced activity in April, observed for the second consecutive year, provides organizations an opportunity to strengthen their cybersecurity infrastructure. However, the persistence of high-impact attacks demonstrates that reduced frequency doesn't necessarily mean reduced risk.