The first quarter of 2025 has broken all ransomware records, with more victims to be found on data leak sites than ever before. The Clop group dominated February, mainly by exploiting a vulnerability in Cleo managed file transfer solutions.
This is evident from ReliaQuest’s Threat Spotlight report for Q1 2025. The findings are alarming. Ransomware groups are still breaking records and refining their tactics. Organizations appear unable to keep up with these developments. This is evident from a 23 percent increase in ransomware activity compared to the last quarter of 2024.
Clop sets the tone
Among cybercrime groups, Clop is currently the leading group, just as LockBit and Conti were before it. Conti has been active for some time and was a prominent threat in 2023. Now there appears to be a revival. After only 26 victims in all of 2024, the group managed to hit 389 organizations in February 2025 alone, an increase of 1,400 percent. Clop was responsible for 35 percent of all victims named on data leak sites in February.
This wave of attacks resulted from the exploitation of zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo managed file transfer solutions. The approach was not new: Clop had already used it in December for the Cleo attacks it carried out at the time.
WK Kellogg, known for its breakfast cereals, also fell victim to the wave of attacks that continued until the beginning of this year. As previously reported, the personal details of employees were leaked after Clop gained access to the Cleo servers that the company used for file transfer.
Retail under attack, Europe feels the heat
Although manufacturing and professional services have traditionally been the main targets for ransomware, the rise of the retail sector as a victim was striking, according to ReliaQuest. The Clop campaign was responsible for 46 percent of all retail companies appearing on data leak sites, causing this sector to rise from sixth to fourth place compared to Q4 2024.
The reason is that many retail companies use Cleo for e-commerce transactions, order management and supplier coordination. The impact is serious: financial losses, recovery costs, fines, reputational damage and loss of trust among customers and partners. Once the Cleo dust has settled, experts expect attackers to return to their traditional targets. This points to opportunistic behaviour, in which the easiest targets suffer the most.
In addition to Clop, the quarter also saw a sharp increase in activity from the Medusa group (35 percent increase) and FunkSec. The latter group uses AI to develop malware and claimed 152 victims this quarter, compared to 82 in the previous quarter. In the coming years, we may see these parties take over from Clop, should the latter fall victim to police intervention or internal struggles. It wouldn’t be the first time.
Black Basta’s internal communications leaked
Ransomware groups have once again proven to be fallible. One notable development in February 2025 was the leaking of the Black Basta group's internal chat logs. An analysis by ReliaQuest revealed connections between this group and messages on cybercriminal forums that show how the group uses underground marketplaces to acquire tools, exploits and services. There are plenty of such marketplaces, even though they are repeatedly taken offline.
This professionalization of ransomware groups is a worrying but familiar trend, and it is still developing rapidly. According to recent research, some cybercriminals even hire pentesters to test their ransomware for vulnerabilities before deploying it. This shows how ransomware is increasingly becoming a business model with professional development methods.
What can organizations do?
The report emphasizes the importance of proactive security management. Organizations are advised to conduct ransomware exercises with realistic attack simulations, make regular backups to immutable storage, and control and limit access to sensitive systems by external parties.
The attackers' revenue model will remain intact regardless: 61 percent of affected organizations are known to pay a ransom after a ransomware attack. The average cost of a cyber incident for organizations is approximately 4.9 million euros, making prevention essential.
Outlook for 2025
For the rest of 2025, ReliaQuest expects ransomware groups to split into smaller, more flexible entities to avoid detection. This pattern is already visible in groups such as Eldorado, which rebranded as BlackLock and later as Mamona R.I.P.
In addition, the geopolitical situation, with nation states changing their attitudes towards each other (see the reaction to President Trump's tariff walls and his less harsh stance towards Russia), could reshape the ransomware landscape. Historically, strained relations have allowed cybercriminals in Russia to operate with tacit government approval.
What is clear is that organizations must prepare for a future in which ransomware will continue to operate opportunistically, but will also become more professional. For the retail sector, the wake-up call from the Cleo attacks has already come.