Posted in Commentary with tags Adobe on July 7, 2025 by itnerd
Over the weekend I worked with a client that specializes in among other things, mergers and acquisitions. And that activity is often confidential. So they tend to be very paranoid about the software that they install on their computers. As part of an audit that they regularly run on their computers, they discovered that Adobe Acrobat had this feature, if you want to call it that, that uploads PDFs to the cloud to process them using AI. That’s not something that you want if you’re this firm.
Here’s the setting in question:
Just reading what this option does makes it clear that if you want your PDFs to stay confidential, this box must be unchecked. For bonus points, you should also uncheck “Show AI query bar on document” and “Show AI summary Bar on top of the document”. But the fact is that these options are on by default. My advice would be that all Adobe Acrobat users should check these options and take whatever action they deem required to ensure their privacy.
This is a huge reminder that you should never trust the default settings of any application. Especially related to AI. Because you never know what an application might have changed via a software update or something like that.
Some of my colleagues who sell products and other items beyond their knowledge have been struggling with ordering products from Ingram Micro, which is one of the biggest, if not the biggest, computer distributors around. They have had an outage for a few days now which has led to rumours of them being pwned by hackers.
I guess that we can confirm that Ingram Micro has been pwned:
In a brief Sunday morning announcement, Ingram Micro has confirmed that they suffered a ransomware attack.
“Ingram Micro recently identified ransomware on certain of its internal systems,” reads Ingram Micro’s statement.
“Promptly after learning of the issue, the Company took steps to secure the relevant environment, including proactively taking certain systems offline and implementing other mitigation measures. The Company also launched an investigation with the assistance of leading cybersecurity experts and notified law enforcement.”
“Ingram Micro is working diligently to restore the affected systems so that it can process and ship orders, and the Company apologizes for any disruption this issue is causing its customers, vendor partners, and others.”
Bleeping Computer has seen the ransom note and it appears that Ingram Micro has been pwned by SafePay ransomware. That’s not good as Ingram Micro is faced with a very stark choice of paying up to maybe get its systems back online quickly. I say that because there’s no guarantee that a threat actor will keep their word. Or somehow fighting through this to get their systems back online. However long that takes. In either case, computer resellers, MSPs, consultants and others are likely going to go to Ingram Micro’s number one competitor TD Synnex instead. And some of them may never come back.
Sucks to be Ingram Micro right now. I guess they should have tried harder to keep the bad guys out.
UPDATE: I have several comments related to this.
Rebecca Moody, Head of Data Research at Comparitech:
“SafePay is renowned for both encrypting systems and stealing data, so if ransom demands aren’t met, it’s likely we’ll see Ingram Micro popping up on SafePay’s data leak site in the coming days/weeks. Over the last couple of months, SafePay has stolen an average of 111 GB of data from each victim, which can lead to significant breaches. A prime example is Marlboro-Chesterfield Pathology, P.C., which was targeted by SafePay in January 2025 with the group allegedly stealing 30 GB of data. The healthcare company subsequently issued data breach notifications to nearly 236,000 people.”
“To date, we’ve tracked 238 attacks via SafePay with 32 of these being confirmed by the entity involved. Other tech companies targeted by the group include Microlise (UK) and Conduent (US). Both of these attacks also caused widespread disruption to services.”
Erich Kron, Security Awareness Advocate at KnowBe4:
“Organizations such as Ingram Micro work on a very tight schedule, moving inventory quickly in and out of its warehouses, and coordinating its operations really closely across warehouses and corporate headquarters. Ransomware attacks such as this that involve encryption can devastate an organization with such well-coordinated operations. The fact that this was launched on July 3rd, at the start of the U.S. Independence Day holiday is probably no coincidence. Many times, attackers will delay the attack until a holiday, because they know that response times are going to be slower as employees are away celebrating or traveling. This is a common tactic and should be considered, along with recall and contact procedures, around any holidays. There is a good chance the attackers have been in the network and laying low for days or weeks already.”
“Typically, attackers also steal a copy of as much data as they can to use as leverage in the ransom negotiation phase. This means employees or customers may have personal information at risk of being dumped on the dark web.”
“Because ransomware is so effective in highly coordinated and regulated industries, such as manufacturing, medical, or government entities, these sorts of attacks can demand a significant ransom from the victims. Organizations in these industries should be very conscious of the ransomware threat, and should employ a comprehensive human risk management plan, as a majority of ransomware is spread through social engineering attacks, or human error such as using poor passwords. In addition, organizations should have regularly tested incident response and continuity of operations plans in place, and should employ data leakage prevention controls.”
UPDATE #2: Here’s a comment from Chris Hauk, Consumer Privacy Champion at Pixel Privacy:
“With the toppling of LockBit and ALPHV, this has opened up “opportunities” for upstart ransomware groups like SafePay. The group first gained fame with an early high-profile SafePay ransomware attack on UK telematics business Microlise, with SafePay claiming to have stolen 1.2 terabytes of data and demanding payment in less than 24 hours. However, little remains known about the group.”
“The reports I’ve seen indicate the group moves quickly, with fast encryption times, seeing attacks typically move from system breach to deployment in less than 24 hours.”
“Organizations can protect against SafePay and similar types of ransomware attacks by placing strict access controls on their systems, strong authentication like multi-factor authentication, monitoring for newly discovered vulnerabilities, and implementing secure VPN connections to provide remote access.”
Following up on this story on Rogers deciding to sunset their 3G network, I have news that TELUS and Bell have now started to make public their plans to sunset their 3G networks. In the case of Bell, their 3G FAQ was updated to say this:
So the way I read this, Bell is effectively confirming that it is shutting down 3G service in Manitoba at the end of the year. No other province is mentioned. TELUS has a FAQ specific to Manitoba that says the following:
So the way I read this, if you’re living in the middle of nowhere, 3G service is gone at the end of the year. But those who live in cities will still have 3G service for a little longer. It is interesting that TELUS has made that distinction. It’s also interesting that neither carrier has served up a timeline for the rest of Canada.
As for my advice, it remains the same as what I said about Rogers’ announcement about their 3G shutdown. Which is that I encourage you to reach out to your friends, parents, grandparents, etc. who might have a 3G phone and help them to make the jump to 4G and a more modern phone if required before they get dinged for not getting off a network that is going away soon. I say that because a lot of seniors and those on low or fixed incomes are still on 3G phones. And they may not be aware of these changes. Thus you’d be doing them a big favor.
Website Planet has analyzed the true impact of Google’s AI Overviews on websites and on Google itself, and determined who’s benefiting, who’s losing out, and what it means for the future of search.
Key findings:
AI Overviews now appear on 31% of Google search pages; in our test, 39 out of 100 searches showed an AI summary.
Informational sites saw average traffic gains of +241% (with some up 1,933%), but also the steepest drops (down to -76%).
Google’s search revenue jumped 10% year-over-year after AI Overviews rolled out; cost-per-click rose for 87% of industries.
The Business Digital Index (BDI), created by Cybernews, evaluated the cybersecurity postures of 75 European Union government institutions and found that 67% received a D or F rating — placing them in high-risk or critical-risk categories.
The BDI also revealed that every institution in the study had experienced at least one data breach. Email spoofing vulnerabilities were found across all C-rated institutions and in 96% of D- and F-rated ones.
In addition, 46% of F-rated institutions had suffered a recent breach, and 85% of employees in the lowest-rated organizations were reusing passwords that had already been exposed in previous leaks — a major red flag for security hygiene.
Key research takeaways:
The average cybersecurity score across EU governmental institutions was 71/100, classifying them as high-risk based on BDI methodology.
67% of EU governmental institutions received a D or F score. 32% received a D score, and 35% received an F, while 33% were rated C. No institutions scored A or B.
All 75 evaluated institutions had experienced at least one data breach, and 46% of F-rated organizations had suffered recent data breaches.
85% of employees in F-rated institutions reused breached passwords, while the figure stood at 71% for D-rated and 8% for C-rated organizations.
SSL/TLS configuration issues were present in 100% of F- and C-rated institutions, and 92% of D-rated ones — leaving systems open to data interception and man-in-the-middle attacks.
System hosting vulnerabilities affected 92% of D- and F-rated institutions and all C-rated ones, increasing the risk of unauthorized access.
96% of D- and F-rated organizations had domains vulnerable to email spoofing, compared to 100% of C-rated institutions.
Exposed corporate credentials were found in 96% of F-rated and 83% of D-rated institutions, but only 12% of C-rated ones.
The Safety Detectives recently tested how often Google tracks users online (even when using privacy tools) across four countries. The key findings are:
In some US tests, Google trackers were present on 100% of websites visited.
Google Analytics appeared on 53% of pages with Google Search, versus just 17% with DuckDuckGo in privacy-focused countries.
Wikipedia and TikTok triggered almost zero Google tracking, while YouTube/product searches triggered multiple trackers.
KnowBe4, the world-renowned cybersecurity platform that comprehensively addresses human risk management, is shining a spotlight on the critical role social engineering plays in the global surge of ransomware attacks. As part of Ransomware Awareness Month in July, KnowBe4 is encouraging organizations to reflect on how human risk contributes to ransomware exposure with five essential strategies to strengthen their human layer defenses.
This call to action comes as KnowBe4’s research highlights a concerning 57.7% increase in ransomware payloads delivered through phishing attacks between November 1, 2024, and February 15, 2025, compared to the preceding three months. Phishing is commonly considered the most common initial access vector for ransomware into an organization, and this alarming trend underscores its pivotal role in the rise of ransomware incidents.
As the volume and fallout of successful ransomware attacks increase in 2025, KnowBe4 shares five top tips for organizations to strengthen their human defenses:
Tailor Cybersecurity Training by Role: Offer timely, role-specific personalized training that directly addresses the unique threats and responsibilities of different departments, helping to dramatically reduce employee behaviors often exploited by ransomware attackers.
Run Realistic Phishing Simulations: Regularly conduct real-world phishing simulations that mimic current threat tactics to build employees’ critical thinking skills and instinctive resistance against ransomware delivery methods.
Promote a No-Blame Reporting Culture: Foster an environment where employees feel safe and empowered to immediately report any suspicious emails or activities, even if they have made a mistake, enabling faster ransomware containment and incident response.
Keep Ransomware Awareness Front and Center: Implement continuous awareness campaigns through ongoing reminders, visuals, and regular communication to reinforce vigilance and ensure ransomware threats remain top-of-mind for the entire workforce.
Utilize Advanced Anti-Phishing Technology: Support employees with advanced anti-phishing technology that employs AI and machine learning to detect and neutralize sophisticated phishing attacks, including zero-day threats carrying ransomware payloads, before they ever reach an employee’s inbox.
Hammerspace has announced the appointment of Jeff Lebold as Vice President of the Asia Pacific (APAC) region. A veteran technology leader with nearly three decades of experience, Lebold will spearhead Hammerspace’s aggressive growth and customer momentum throughout one of the world’s fastest-growing markets for AI and data infrastructure.
Lebold brings deep expertise in sales, market development, systems engineering and marketing. He most recently served as Vice President of Sales for Asia-Pacific Enterprise Customers at Impinj, where he consistently delivered strong revenue growth. Previously, during his 22-year tenure at Quantum Corporation, he drove strategic expansion across a complex seven-country APAC territory, building high-performing cross-cultural teams and driving transformative market success. Fluent in Mandarin, Lebold is known for forging strong partnerships and scaling global operations.
Today’s enterprises face the challenge of optimizing high-performance data access for AI workloads, scaling their infrastructure efficiently, and managing complex, distributed data environments. Hammerspace’s award-winning Data Platform delivers a competitive edge across every dimension of unstructured data: storage, access, movement and deployment. Whether training thousands of GPUs on-premises or in the cloud, deploying large-scale inference or maximizing NVMe performance in local GPU servers, Hammerspace is purpose-built to unleash data performance at scale.
Current open positions at Hammerspace are available on its Careers page.
Posted in Commentary with tags Anker on July 3, 2025 by itnerd
Prime Day is upcoming and here is a curated selection of top offers from Anker Innovations. Deals span up to 50% off across brands including Anker, Eufy, Soundcore, and Nebula, with standout savings on power banks, smart vacuums, projectors, headphones, wearables, and more.
Guest Post: The first half of 2025 sees 49% spike in ransomware attacks
Posted in Commentary with tags NordStellar on July 8, 2025 by itnerd
The number of ransomware attacks in 2025 has almost doubled compared to last year, with US organizations and SMBs as the primary targets
The latest data compiled by NordStellar, a threat exposure management platform, reveals that the number of ransomware incidents has almost doubled compared to last year. In January-June of 2025, 4,198 ransomware cases were exposed on the dark web, highli
“We’re only halfway into the year, but the number of ransomware attacks has already doubled, signifying that these attacks remain effective and profitable enough for cybercriminals to ramp up their efforts,” says Vakaris Noreika, a cybersecurity expert at NordStellar. “Some factors that could contribute to the growth in ransomware attacks include the rise in ransomware-as-a-service (RaaS), expanded attack surfaces from remote or hybrid work models, and economic uncertainty that could encourage more people to seek illegal income and turn to cybercrime.”
Main targets in 2025 Q2
In April-June 2025, 1,758 ransomware cases were exposed on the dark web, a 19% increase compared to the same period in 2024 (1,483 cases). Of the 1,205 ransomware incidents traced to specific victim countries, US businesses took the most brutal hit, accounting for 49% of cases (596 incidents). Germany holds the second spot with 84 cases, followed by Canada (74), the United Kingdom (40), and Spain (37).
“Not only is the US home to many profitable businesses, but the companies also have a higher profile. As a result, they’re more likely to give in to ransomware demands to reduce the impact of the reputational damage resulting from an attack,” says Noreika. “Strict regulations are also a significant factor to consider — laws on data protection and operational uptime can urge companies to resolve ransomware incidents quickly and not risk the fines or loss of their clients and partners’ trust.”
Ransomware data from April to June 2025 revealed that the manufacturing industry was most affected, with 229 recorded cases. The construction industry came in second with 97 cases, followed closely by information technology (88 incidents).
The data also revealed that small and medium-sized businesses (SMBs) were the prime target for ransomware in 2025 Q2. Organizations with 51–200 employees and revenues between $5 million and $25 million faced the most ransomware attacks.
“The victim profile mirrors the data from 2025 Q1 – SMBs and companies in the manufacturing industry remain the prime targets. This is a significant cause for concern because bad actors continue successfully exploiting preventable security vulnerabilities,” says Noreika.
He explains that companies in the manufacturing industry face challenges enforcing and centralizing security across all geographically dispersed locations and often rely on outdated and unpatched systems. SMBs, like manufacturing companies, often rely on third-party IT providers and lack comprehensive cybersecurity measures due to limited budgets, exposing them to greater risk.
Who’s responsible?
The ransomware group Qilin was responsible for the most attacks in 2025 Q2, with 214 incidents. Safepay holds the second spot with 201 incidents, followed closely by Akira (200 incidents).
According to Noreika, Safepay is the newest of the three, with NordStellar first detecting their activity in Fall 2024. Their attacks significantly increased in Q2 and spiked in May, with 158 incidents alone.
Building a ransomware-resistant business
Noreika explains that employees are the first line of defense against ransomware. Cybersecurity training on phishing scams, the importance of multi-factor authentication, and password management are essential to minimize the risk of bad actors gaining access to sensitive data or infiltrating the network.
“Aside from raising cybersecurity awareness, companies should also build a comprehensive cybersecurity strategy to detect threats before they escalate. This includes implementing endpoint protection, monitoring the dark web for potential data leaks, and keeping a close eye on the company’s attack surface for unpatched security vulnerabilities,” says Noreika.
To minimize the impact of a potential ransomware incident, Noreika recommends that businesses stay two steps ahead, implement recovery plans, and always back up critical data.
Disclaimer: While the total number of 1,758 ransomware attacks in Q2 2025 is accurate, the figures presented for each category (industry, company size, and country) may be slightly higher. This is because a number of incidents were missing data needed for categorization and thus were omitted.
ABOUT NORDSTELLAR
NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.