SpiderLabs Ransomware Tracker Update September 2025: Qilin, Akira Top Ransomware Attackers

The threat groups Qilin and Akira together conducted about one-quarter of the 402 ransomware attacks tracked by Trustwave SpiderLabs in September, with the manufacturing and technology sectors bearing the brunt of these efforts.

This information was derived from a new SpiderLabs ransomware tracking tool that gathers information from a variety of open intelligence sources and our own proprietary research. This unique combination of open source and in-house research provides new insights into ransomware attack trends, the threat groups involved and their primary targets.

The information provided here is the first in what will be a series of monthly, quarterly, and yearly reports that go beyond the headlines of the latest ransomware attacks and place them and the perpetrators in a deeper context.

September Attack Figures

For September 2025, SpiderLabs recorded 402 ransomware attacks worldwide, compared with the 415 the team tracked in September 2024. Attacks tended to take place earlier in the work week; Sept. 4, 9, 16, and 22 were the peak attack days, with strikes numbering between 21 and 30.

The US was the most targeted country in September, being hit 215 times, followed by Germany, 22, and Canada, 20. An additional number of attacks could not be connected to a specific victim nation.

Top 5 Threat Groups

The threat group Qilin dominated attacks in September 2025, with Akira taking second place. Both groups dramatically increased their number of attacks, displacing two well-established adversary groups, Ransomhub and Play.

Qilin has been the most aggressive threat group since May, being the top attacker each month except for July, when Incransom tied Qilin at the top of the leaderboard.

Qilin is one of the many actors practicing double-extortion ransomware, where payment is demanded for a decryptor and for a guarantee not to release the stolen data. Akira is speculated to have ties to the now-defunct Conti ransomware group.

Top Threat Groups for September:

Figure 1: Top Threat Groups for September.

Top Vertical Sectors Targeted:

Figure 2: Top Vertical Sectors Targeted.

In addition to the year-over-year numbers, SpiderLabs' data over the last five months shows technology and manufacturing trading places as the most targeted sectors, with manufacturing leading in August, June, and May. The data also shows that the percentage of attacks for first and second place stayed between 11% and 12%, much like in September.

Year-to-Date Totals

The chart below tracks the overall trend of the most active threat groups and sectors under attack so far in 2025. In total, SpiderLabs has tracked 5,301 ransomware attacks, up from 4,012 in 2024.

Figure 3: 2025 Ransomware Attacks to Date.

Defending Against Ransomware

Trustwave, A LevelBlue Company, offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.

Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide clients with security and business leaders. 

The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.

In addition, Trustwave can help with the basic mitigations all organizations should implement, including:

  • Enhance cybersecurity hygiene and patch management
  • Implement robust backup and recovery plans
  • Employee training and awareness
  • Multi-Factor Authentication (MFA) and strong credential management
  • Incident response planning

ABOUT TRUSTWAVE

Trustwave, A LevelBlue Company, is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.