In an age of digital escalation, cybercriminals are no longer just casting wide nets—they’re sharpening scalpels. And as ransomware hits a global record in Q1 2025, India has emerged as one of the top five nations under siege, trailing only the U.S., Germany, Canada, and the UK, according to Check Point Research.
The numbers are staggering: a 126% year-over-year surge in attacks, with 2,289 publicly named victims across 74 active ransomware groups—the most ever in a single quarter.
But this is no longer just about encrypted files and decryption keys. The ransomware business model has evolved into something more sophisticated—and more sinister. Welcome to the new era of data theft, extortion, and psychological warfare.
Rise of the New Titans
Leading the charge this quarter is Cl0p, responsible for 392 attacks. Its tactics? Exploiting zero-day vulnerabilities in Cleo file transfer tools and bypassing encryption altogether. Why lock files when you can steal and blackmail? Notably, 83% of Cl0p’s victims are in North America, but its strategic focus is clear: 33% of those hit were from the Consumer Goods & Services sector, highlighting an intent to cripple supply chains.
Then comes RansomHub, a phoenix rising from the ashes of LockBit, which collapsed after a global takedown. By aggressively recruiting affiliates and offering lucrative profit shares, RansomHub has absorbed much of LockBit’s dark market clout, chalking up 228 victims in just one quarter.
Yet not all numbers are what they seem. Babuk-Bjorka and FunkSec—with 167 and over 170 claimed victims, respectively—have been accused of inflating their victim lists with recycled or fake claims. It’s a tactic designed to inflate reputations, lure new affiliates, and pressure actual targets into paying. Alarmingly, FunkSec is suspected of deploying AI-generated malware, drastically reducing the technical bar for attackers and blurring the lines between hacktivism and organized cybercrime.
India’s Place in the Crosshairs
India’s inclusion in the top five isn’t accidental. With its rapid digitalization, sprawling infrastructure, and a blend of global enterprises and small businesses, it’s a tempting target. While the report doesn’t break down India-specific actors, its ranking suggests ransomware groups are strategically selecting victims based on their likelihood to pay, legal complexity, and geopolitical noise levels.
This surgical precision is reflected globally. In Germany, ransomware group Safepay accounted for 17.5% of local incidents—far above its global average. In the UK, Medusa’s fivefold increase signals similar regional targeting.
The New Currency: Reputation
Even as disclosures soar, actual ransomware payments dropped by 35%, according to Chainalysis. What does this mean? Either victims are refusing to pay—or some victims might not be real.
Ransomware has become more about reputation destruction than data destruction. Leak sites, once reliable indicators of attack scale, now serve as propaganda platforms. With groups faking incidents or weaponizing public data, the signal-to-noise ratio has never been worse for defenders.
“The 126% spike in ransomware is more than just a number—it’s a signal,” warns Sergey Shykevich, Threat Intelligence Group Manager at Check Point Software. “AI tools, fake victim claims, and regionally tailored tactics mean organizations must move beyond reactive defenses and adopt prevention-first, intelligence-led security.”
Looking Forward: Defense in the Age of Deception
The cyber threat landscape is no longer flat—it’s layered, dynamic, and designed to deceive. Traditional responses won’t cut it. Organizations, especially in countries like India ascending the target list, must invest in real-time threat intelligence, simulate breach scenarios, and rethink their crisis communication strategies.