The threat groups Qilin and Akira together conducted about one-quarter of the 402 ransomware attacks tracked by Trustwave SpiderLabs in September, with the manufacturing and technology sectors receiving the brunt of these efforts.
This information was derived from a new SpiderLabs ransomware tracking tool that gathers information from a variety of open intelligence sources and our own proprietary research. This unique combination of open source and in-house research provides new insights into ransomware attack trends, the threat groups involved and their primary targets.
The information provided here is the first in what will be a series of monthly, quarterly, and yearly reports that go beyond the headlines of the latest ransomware attacks and place them and the perpetrators in a deeper context.
For September 2025, SpiderLabs recorded 402 ransomware attacks worldwide, compared with the 415 the team tracked in September 2024. The timing of the attacks tended to take place earlier during the work week, with Sept. 4, 9, 16, and 22 being peak attack days, with strikes numbering between 21 and 30.
The US was the most targeted country in September, being hit 215 times, followed by Germany, 22, and Canada, 20. An additional number of attacks could not be connected to a specific victim nation.
The threat group Qilin dominated attacks in September 2025, with Akira taking second place. Both groups dramatically increased their number of attacks, displacing two well-established adversary groups, Ransomhub and Play.
Qilin has been the most aggressive threat group since May, being the top attacker each month except for July, when Incransom tied Qilin at the top of the leaderboard.
Qilin is one of the many actors practicing double-extortion ransomware, where payment is demanded for a decryptor and for a guarantee not to release the stolen data. Akira is speculated to have ties to the now-defunct Conti ransomware group.
Top Threat Groups for September:
Figure 1: Top Threat Groups for September.
Top Vertical Sectors Targeted:
Figure 2: Top Vertical Sectors Targeted.
In addition to the year-over-year numbers, the SpiderLabs’ data over the last five months has technology and manufacturing trading being the most targeted sectors, with manufacturing leading in August, June, and May. The data also noted that the percentage of attacks for first and second place stayed registered between 11% and 12%, much like in September.
The chart below tracks the overall trend of the most active threat groups and sectors under attack so far in 2025. In total, SpiderLabs has tracked 5,301 ransomware attacks, up from 4,012 in 2024.
Figure 3: 2025 Ransomware Attacks to Date.
Trustwave, A LevelBlue Company, offers a number of services and solutions to help organizations defend themselves against ransomware and recover if successfully attacked.
Trustwave’s Ransomware Preparedness service, unlike many offerings in the market today, doesn’t focus on singular aspects of a client’s security defense but looks at all critical lines of defense, using detailed insights and aggregated information to provide clients with security and business leaders.
The service provides detailed assessments of the organization’s overall preparedness, an understanding of its existing capabilities to identify, respond to, and recover from a ransomware incident, and identification of the gaps, opportunities, and inherent risks it faces.
In addition, Trustwave can help with the basic mitigations all organizations should implement, including: