Top 10 Ransomware Groups and the 15 Most Frequently Targeted Countries

Top 10 Ransomware Groups 

Ransomware attacks have escalated into a major cybersecurity threat, with groups employing advanced tactics to extort organizations globally. This survey note examines the top ten ransomware groups—LockBit, RansomHub, PLAY (PlayCrypt), Hunters International, Akira, Cl0p, BianLian, BlackSuit, Meow, and 8Base—as identified in recent data up to early 2025. It covers their modus operandi (MO), reputations, sizes compared to legitimate companies, extortion methods, and notable attack cases, drawing from a comprehensive set of sources to provide a detailed overview.

Background and Context

The ransomware landscape is dynamic, with groups evolving their tactics to evade detection and maximize profits. The list provided reflects the state as of early 2025, with sources including reports from The Hacker News, Wikipedia, and cybersecurity firms like BlackFog and Bitdefender. These groups primarily operate through ransomware-as-a-service (RaaS) models, using double extortion (encrypting data and threatening leaks) and targeting industries like healthcare, finance, and government.

1. LockBit

Modus Operandi: LockBit, emerging in 2019 and linked to Russian-language forums, operates as a RaaS group, responsible for 44% of global ransomware incidents in early 2023 [4]. They gain initial access via vulnerable RDP servers, phishing, and compromised credentials, using tools like Mimikatz for credential gathering and disabling security measures. Their malware, written in C, C++, and .NET, encrypts data with AES and RSA, appending a “.lockbit” extension, and employs StealBit for data exfiltration. They target industries like healthcare and education, considering data privacy laws.

Reputation: Research suggests LockBit has a poor reputation for keeping promises, with evidence showing they retained stolen data even after ransom payments, as discovered during a 2024 law enforcement takedown. An exception was their apology to Toronto’s Hospital for Sick Children in 2022, but this is not typical.

Size Compared to Legitimate Companies: LockBit’s operations are extensive, with over 1,700 attacks in the U.S. between January 2020 and May 2023, extorting $91 million, and law enforcement seizing 2,200 BTC (~$112 million) in 2024. However, compared to Amazon, with revenues over $500 billion in 2022, LockBit’s financial scale is minuscule. Their affiliate network, at least 188, is also dwarfed by Amazon’s global workforce.

Extortion Methods: LockBit uses double extortion, encrypting data and threatening leaks, with innovative tactics like sponsoring technical writing contests and offering bug bounties up to $1 million.

Notable Attack Cases: High-profile targets include Accenture (2021), Thales (twice in 2022), Pendragon PLC ($60 million demand), Corbeil Essonnes Hospital ($10 million demand), Continental, Royal Mail (2023), Boeing, ICBC U.S. subsidiary, Fulton County, Georgia (2024), London Drugs ($25 million demand), and University Hospital Center, Zagreb (2024).

2. RansomHub

Modus Operandi: Emerging in early 2024 from Knight ransomware, RansomHub operates as RaaS, using Golang and C++ malware supporting multiple platforms. They exploit vulnerabilities like ZeroLogon, use remote access tools (Atera, Splashtop, NetScan), and stop services like IIS before encryption, employing double extortion with data exfiltration.

Reputation: Their reputation for keeping promises is unclear, but their payment structure—paying affiliates 90% of ransoms first—suggests trust-building efforts within the cybercrime community. However, victim trust is likely low, given their aggressive tactics.

Size Compared to Legitimate Companies: By June 2024, RansomHub was responsible for 21% of published attacks, claiming 45 victims between February and April 2024, with significant U.S. presence. Their scale is small compared to Amazon, with their financial impact likely in the tens of millions, far below Amazon’s revenue.

Extortion Methods: Double extortion, encrypting systems and threatening to leak or sell data on dark web auction sites.

Notable Attack Cases: Change Healthcare (February 2024, stealing 4 TB of data), Christie’s Auction House (April 2024, affecting 500,000 clients), and UnitedHealth Group via Change Healthcare, causing healthcare disruptions.

3. PLAY (PlayCrypt)

Modus Operandi: Emerging in 2022, PLAY is suspected of Russian links, targeting government and corporate sectors with double extortion. They encrypt data with a “.play” extension, gaining access through service providers and stealing sensitive data, similar to Hive and Nokoyawa techniques.

Reputation: Information on promise-keeping is scarce, but their continued operation suggests credibility within the cybercrime community, though victim trust is likely low.

Size Compared to Legitimate Companies: Targets multiple countries (U.S., Brazil, Argentina, Germany, Belgium, Switzerland), attacking entities like Neue Zürcher Zeitung, suggesting a well-organized group, but no specific size metrics. Compared to Amazon, their scale is small.

Extortion Methods: Double extortion, encrypting and threatening to leak data.

Notable Attack Cases: Argentine Judiciary of Córdoba (2022), Neue Zürcher Zeitung and CH-Media (March 2023), Valais community, Swiss Federal Administration IT provider (May/June 2023), and Rackspace (U.S., 2023).

4. Hunters International

Modus Operandi: Emerging in late 2023, inheriting Hive code, Hunters International uses social engineering, phishing, and RDP exploitation for initial access. They escalate privileges, evade defenses, and use Rust-based ransomware for encryption, employing double extortion with data exfiltration.

Reputation: No specific details on promise-keeping, but embedding encryption keys suggests intent to provide decryption, though trust is likely low.

Size Compared to Legitimate Companies: Compromised 285 victims across 30 countries, targeting healthcare, finance, education, and manufacturing. Their scale is small compared to Amazon, with financial impact likely in the tens of millions.

Extortion Methods: Double extortion, encrypting and threatening to leak data.

Notable Attack Cases: Industrial and Commercial Bank of China (ICBC) London branch (September 2024, stealing 5.2 million files).

5. Akira

Modus Operandi: Starting in March 2023, Akira exploits vulnerabilities in remote access tools (e.g., CVE-2024-37085, CVE-2024-40711), using IP scanners and Adfind for reconnaissance. They drop executables for Windows and Linux, create registry keys for persistence, and use double extortion, encrypting with extensions like .akira.

Reputation: Claims to negotiate reasonably and provide decryptors, but no confirmation on promise-keeping, suggesting potential trust issues.

Size Compared to Legitimate Companies: Over 300 attacks in 2024, amassing $42 million in ransoms, targeting Western organizations, primarily U.S.. Compared to Amazon, their scale is small, with financial impact far below Amazon’s revenue.

Extortion Methods: Double extortion, encrypting and threatening to leak data via a command-line interface on their leak site.

Notable Attack Cases: No specific cases listed, but targets include manufacturing, finance, education in U.S., Canada, UK, Germany.

6. Cl0p

Modus Operandi: Active since 2019, linked to TA505, Cl0p uses digitally signed payloads and exploits software vulnerabilities, notably Cleo’s products in 2024, for supply chain attacks. They employ double extortion, encrypting and stealing data.

Reputation: Notorious for high-profile attacks, active until at least January 2022, with 60 attacks in January 2025, suggesting a persistent threat.

Size Compared to Legitimate Companies: Ranked second most active in January 2025, no specific size metrics, but likely small compared to Amazon.

Extortion Methods: Double extortion, publishing stolen data on Data Leak Site if ransoms unpaid.

Notable Attack Cases: Exploited Cleo’s vulnerabilities, affecting around ten victims in 2024.

7. BianLian

Modus Operandi: Initially double-extortion, shifted to data exfiltration after January 2023 due to a decryption tool, using compromised RDP credentials and MITRE ATT&CK techniques. They target systems globally, with 60% in the U.S..

Reputation: Financially motivated, adapted to countermeasures, collaborating with groups like White Rabbit and Mario, suggesting growing sophistication

Size Compared to Legitimate Companies: No specific size details, but global reach indicates a well-organized group, small compared to Amazon.

Extortion Methods: Shifted from double-extortion to data exfiltration-based, selling data on black market.

Notable Attack Cases: Targeted Singapore-based travel and construction companies (September 2023), PT Smartfren Telecom (Indonesia), TELNET Redes Inteligentes (Spain).

8. BlackSuit

Modus Operandi: Identified in May 2023, believed a Royal spin-off, exploits single-factor VPNs, uses spear-phishing, and employs AES encryption with intermittent techniques. They target Linux and Windows, using tools like Advanced IP Scanner and PsExec.

Reputation: Highly skilled, maintains negotiation commitments, enhancing credibility, but trust with victims is likely low.

Size Compared to Legitimate Companies: Breached 95 organizations, mostly SMEs, with 88% under 1,000 employees, small compared to Amazon.

Extortion Methods: Double extortion, demanding high ransoms (> $2 million average), publishing data if unpaid.

Notable Attack Cases: CDK Global (June 2024, causing IT shutdowns), Kansas City, Kansas (June 2024, publishing police files).

9. Meow

Modus Operandi: First identified in August 2022, based on Conti ransomware, uses RDP vulnerabilities, phishing, and deceptive ads. Initially encrypted files with “.MEOW” extension, shifted to data exfiltration after a 2023 decryption tool.

Reputation: Notorious, targeted high-value industries, resurfaced in 2024 as second most dangerous, adapting to countermeasures.

Size Compared to Legitimate Companies: No specific size details, but well-organized, small compared to Amazon.

Extortion Methods: Initially encryption, now data exfiltration and black market sales, demanding up to $44,000 for data.

Notable Attack Cases: Advantage Certified Development Corporation (2022, $24,000 demand), resurgence in 2024 with data sales.

10. 8Base

Modus Operandi: Active since spring 2022, uses double extortion, encrypting systems and stealing data, with law enforcement confiscating their showcase site. Specific tactics not detailed, but targets various industries.

Reputation: Claimed over 450 victims, high-profile like Volkswagen (disputed), drawing international attention.

Size Compared to Legitimate Companies: No specific size metrics, but 450+ victims suggest a large operation, small compared to Amazon.

• Extortion Methods: Double extortion, threatening to publish data.
• Notable Attack Cases: Belgian commune of Heron (January 2025), approximately 30 attacks in France, claimed Volkswagen attack (disputed, last autumn).

Comparative Analysis

These groups represent a significant cybersecurity challenge, with evolving tactics and global impacts. While their operations are sophisticated, their sizes and financial scales are dwarfed by legitimate entities, emphasizing the need for robust defenses. This analysis provides a comprehensive view as of early 2025, reflecting the dynamic nature of the ransomware threat landscape.

Factors Contributing to Ransomware Group Success

This analysis examines the factors contributing to the success of top ransomware groups, such as LockBit, RansomHub, PLAY (PlayCrypt), Hunters International, Akira, Cl0p, BianLian, BlackSuit, Meow, and 8Base, as identified in recent data up to early 2025. Success is measured by their ability to conduct numerous attacks, extort significant ransoms, and maintain operations despite law enforcement efforts. The current time is 10:10 AM WIB on Saturday, May 03, 2025, and this report reflects the state of the ransomware landscape based on available information from cybersecurity sources and scientific studies.

Background and Context

Ransomware groups primarily operate through advanced malware that encrypts victim data, demanding payment for decryption, often supplemented by double or triple extortion tactics (stealing and threatening to leak data). Their financial success, with groups like LockBit extorting $500 million and Akira $42 million, underscores their effectiveness. However, their success is driven by a combination of strategic, technological, and operational factors, which this report explores in detail.

Detailed Analysis of Success Factors

Adoption of the Ransomware-as-a-Service (RaaS) Model

Research suggests that the RaaS model is a cornerstone of ransomware group success, allowing them to scale operations by recruiting affiliates. For instance, LockBit operates as RaaS, enabling other malicious actors to use their software for a fee, significantly expanding their reach. RansomHub, emerging in 2024, pays affiliates 90% of ransom payments, attracting more partners and increasing attack volume. This model lowers the barrier to entry for cybercriminals, as seen with Lynx and Medusa, enabling rapid growth and global impact. The scalability is evident in LockBit’s responsibility for 44% of global ransomware incidents in early 2023, highlighting how RaaS amplifies their success.

Use of Double or Triple Extortion Tactics

It seems likely that the use of double or triple extortion tactics significantly boosts success by increasing pressure on victims. Groups like Akira, Cl0p, and RansomHub not only encrypt data but also exfiltrate it, threatening to publish it on leak sites unless ransoms are paid. This dual approach enhances coercion, with LockBit’s strategy of threatening data exposure adding to their $91 million in U.S. extortions between 2020 and 2023. Triple extortion, involving additional threats like DDoS attacks, further escalates pressure, as seen with Vice Society, making payment more likely.

Targeting High-Value Sectors

The evidence leans toward targeting high-value sectors like healthcare, finance, and government as a key success factor. These industries, where downtime or data leaks can cause significant damage, are more likely to pay. LockBit targets healthcare and education, considering data privacy laws, while RansomHub hit Change Healthcare in February 2024, stealing 4 TB of data. Hunters International compromised 285 victims across 30 countries, focusing on finance and manufacturing, and Akira’s over 300 attacks in 2024 targeted Western organizations, primarily U.S., demonstrating how sector-specific targeting maximizes ransom potential.

Exploiting Vulnerabilities

It appears that exploiting vulnerabilities is crucial for initial access and attack success. Groups like Akira exploit recent vulnerabilities such as CVE-2024-40711 in Veeam Backup & Replication, while RansomHub uses ZeroLogon, and Fog targets unpatched systems. LockBit gains access via vulnerable RDP servers and zero-day exploits, using tools like Mimikatz for credential harvesting. This strategy leverages widespread systemic weaknesses, making attacks more likely to succeed against a broad range of victims.

Sophisticated Malware and Attack Techniques

Research indicates that sophisticated malware and attack techniques enhance success by making detection and mitigation difficult. LockBit uses fast encryption techniques, encrypting only the first few kilobytes of files, and employs StealBit for automated data exfiltration. Akira drops executables for Windows and Linux, creating registry keys for persistence, while RansomHub uses Golang and C++ malware supporting multiple platforms. These advanced methods ensure effective encryption and evasion, increasing the likelihood of payment.

Operational Efficiency

Operational efficiency, executing attacks quickly to minimize detection, is another factor. SafePay can deploy ransomware in less than 24 hours, far quicker than the industry average, and Fog has attack cycles as short as two hours. LockBit emphasizes speed, using PowerShell scripts and Cobalt Strike for lateral movement, while Hunters International uses Rust-based ransomware for rapid encryption. This efficiency, detailed in various reports, reduces the window for victim response, enhancing success rates.

Innovation and Adaptability

Innovation and adaptability are vital, with groups evolving tactics to stay ahead of defenses. LockBit introduced bug bounties for LockBit 3.0 and developed LockBit-NG-Dev, potentially LockBit 4.0, showing resilience after 2024 disruptions. RansomHub, evolving from Knight ransomware, and BianLian, shifting to data exfiltration-only after a decryption tool, demonstrate adaptability. This continuous evolution ensures they remain effective against new security measures.

Strong Affiliate Programs

Strong affiliate programs attract skilled hackers, expanding operational capacity. LockBit recruits affiliates, hires network access brokers, and sponsors underground technical writing contests, fostering innovation. RansomHub’s 90/10 ransom split and strict agreements attract affiliates from collapsed groups like ALPHV, while Medusa and Lynx leverage RaaS to recruit partners. This strategy, detailed in cybersecurity reports, enhances their ability to conduct widespread attacks.

Financial Motivation

Financial motivation drives optimization for maximum gain, often with large ransom demands. LockBit’s focus on profitability, demanding $91 million in the U.S., and Akira’s $42 million in 2024, show how profit-driven operations enhance success. Groups prioritize high-value targets, with BlackSuit demanding over $2 million on average, ensuring significant returns, as noted in various analyses.

Global Reach

Operating on a global scale, targeting organizations worldwide, maximizes opportunities. LockBit attacks the U.S., India, and Brazil, while RansomHub and Hunters International have victims in 30+ countries. This global reach diversifies their attack portfolio, increasing the number of potential victims and enhancing success.

The success of top ransomware groups is driven by a combination of strategic business models (RaaS), coercive tactics (double/triple extortion), targeted sector focus, technological sophistication, and operational adaptability. These factors enable them to conduct effective attacks, extort significant sums, and maintain operations despite challenges. This analysis, based on recent reports from The Hacker News, Wikipedia, SosRansomware, and scientific journals, reflects the state as of early 2025, emphasizing the dynamic nature of the ransomware threat landscape.

Challenges Faced by Top Ransomware Groups Despite Financial Success

This survey note examines the challenges faced by the top ten ransomware groups—LockBit, RansomHub, PLAY (PlayCrypt), Hunters International, Akira, Cl0p, BianLian, BlackSuit, Meow, and 8Base—as identified in recent data up to early 2025, despite their financial success. Financial success is evident from their ability to extort significant sums, such as LockBit’s estimated $500 million total and Akira’s $42 million in 2024. However, these groups operate in a high-risk environment with multiple obstacles that threaten their sustainability and profitability. This analysis draws from recent cybersecurity reports, news articles, and industry insights to provide a comprehensive overview.

Background and Context

Ransomware groups primarily operate through ransomware-as-a-service (RaaS) models, using double extortion tactics to encrypt data and threaten leaks. Their financial success is measured by ransom payments, often in cryptocurrency, but their operations are fraught with challenges that could undermine their activities. The current time is 10:04 AM WIB on Saturday, May 03, 2025, and this analysis reflects the state of the ransomware landscape as of early 2025, based on available data.

Detailed Analysis of Challenges

Law Enforcement Pressure

One of the most significant challenges is the increased pressure from law enforcement agencies worldwide. For instance, LockBit faced a major disruption in February 2024 through Operation Cronos, where the National Crime Agency, in collaboration with Europol, seized control of its dark web sites, arrested individuals in Ukraine, Poland, and the United States, and obtained decryption keys to help victims recover. This operation also led to the seizure of over $112 million in unspent Bitcoin addresses and the release of a free decryptor for LockBit 3.0 on No More Ransom. Further actions in 2024 included charges and sanctions against Dmitry Khoroshev, identified as LockBit’s administrator, and the extradition of Rostislav Panev to the United States in 2025 for his alleged involvement. These actions highlight the constant threat of arrests, infrastructure seizures, and legal repercussions, forcing groups to adapt quickly and operate under heightened risk.

This challenge extends to other groups, with reports indicating a flurry of law enforcement actions in Q4 2024, including arrests linked to LockBit and seizures of malware-as-a-service platforms like Redline and Meta Infostealer, which indirectly affect the ransomware ecosystem. The FBI’s 2024 Internet Crime Report and Cisco Talos noted that LockBit’s disruption boosted rival groups like Akira and RansomHub, suggesting that law enforcement actions create a ripple effect, challenging all groups to maintain operational stability.

Decreasing Payment Rates

Another critical challenge is the decreasing willingness of victims to pay ransoms, impacting the groups’ revenue streams. Recent data from Chainalysis indicates a 35.82% year-over-year decrease in total ransom payments in 2024, driven by increased law enforcement actions, improved international collaboration, and a growing refusal by victims to pay. For example, Cyberint’s findings on RansomHub showed only 11.2% of victims paid the ransom, highlighting the difficulty in monetizing attacks. This trend is supported by Sophos’ “State of Ransomware 2024” report, which, while noting a 500% increase in average ransom payments from $400,000 in 2023 to $2 million in 2024, also indicated a slight reduction in attack rates (59% in 2024 vs. 66% in 2023), suggesting fewer successful extortions. The discrepancy between total payments decreasing and average payments increasing suggests groups are targeting larger organizations, but overall, the lower payment rate poses a financial challenge.

This challenge is exacerbated by victims increasingly involving law enforcement, with over 60% of organizations experiencing less financial loss when reporting, as per a 2023 FBI Internet Crime Survey. Additionally, states enacting laws regulating ransomware payments, with projections of 30% by the end of 2025, further discourage payments, complicating the groups’ ability to generate revenue.

Intense Competition

The ransomware landscape is highly competitive, with the number of active groups jumping 40% from 68 in 2023 to 95 in 2024, and 46 new groups emerging in 2024 alone. This saturation creates a challenge for groups like RansomHub, Meow, and 8Base, which are seeking to make a name for themselves in 2025. The competition leads to turf wars, reduced market share, and the need to constantly innovate to attract affiliates and targets. For instance, after LockBit’s disruption, groups like Akira and RansomHub gained prominence, indicating that established groups face threats from newer entrants. This competition is particularly challenging for newer groups, which must build credibility, enforce strict affiliate agreements, and avoid targeting prohibited entities (e.g., CIS nations, non-profits) to maintain operational viability.

Advancing Cybersecurity Defenses

As organizations improve their cybersecurity measures, ransomware groups face increasing difficulty in executing successful attacks. Reports highlight that groups must continuously innovate to evade detection, with tactics like exploiting ZeroLogon vulnerabilities (RansomHub) or using advanced malware (Akira with CVE-2024-40711). However, advancements in vulnerability scanning, regular patching, and the adoption of Zero-Trust network access models by 30% of organizations by 2024, as per Gartner, make it harder for groups to gain initial access. Additionally, the rise of GenAI in 2025 could lead to more advanced phishing campaigns by attackers, but also better detection by defenders, creating a technological arms race that challenges the groups’ operational efficiency.

Legal and Regulatory Changes

New laws and regulations pose another hurdle, with states projected to increase regulations on ransomware payments, fines, and negotiations to 30% by the end of 2025. These changes can complicate the groups’ operations, especially in laundering cryptocurrency ransoms without attracting attention. For example, the Consolidated Appropriations Act, 2022, required CISA to establish a Joint Ransomware Task Force to improve federal actions against ransomware, potentially leading to more coordinated efforts to disrupt groups. This regulatory environment adds legal risks and operational complexity, particularly for groups with ties to certain jurisdictions facing sanctions or political pressures.

Internal Management Challenges

Operating a criminal organization comes with inherent risks, such as maintaining operational security, managing disputes among members, and ensuring loyalty. For LockBit, The Register reported in November 2023 that the group faced growing internal frustrations due to low ransom payment rates, leading to overhauls in negotiation methods. This indicates challenges in maintaining cohesion and operational efficiency, especially under law enforcement scrutiny. The risk of infiltration by authorities or betrayal by members further complicates internal management, requiring groups to invest in operational security measures, which can strain resources.

Despite their financial success, the top ransomware groups face a complex and high-risk environment. Law enforcement actions, decreasing victim payment rates, intense competition, advancing cybersecurity defenses, legal changes, and internal management issues all pose significant obstacles. These challenges require groups to constantly adapt, innovate, and operate under pressure, potentially threatening their long-term sustainability. This analysis, based on recent reports from Chainalysis, Sophos, and cybersecurity insights, reflects the state as of early 2025, emphasizing the dynamic nature of the ransomware threat landscape.

Top Fifteen Countries with Ransomware Victims

This report examines the top fifteen countries most affected by ransomware victims as of early 2025, based on recent cybersecurity data and trends. Ransomware, a form of malicious software that encrypts data and demands payment, has become a significant global threat, impacting businesses, governments, and critical infrastructure. The analysis draws from multiple sources, including industry reports and statistical analyses, to provide a detailed overview of the geographical distribution of ransomware victims. The current time is 10:58 AM WIB on Saturday, May 03, 2025, and this report reflects the state of the ransomware landscape based on available information.

Background and Context

Ransomware attacks have escalated, with groups like LockBit, RansomHub, and Cl0p targeting organizations worldwide. The success of these attacks is often measured by the number of victims, which can include businesses, healthcare providers, and government entities. Data sources such as Sophos’ “State of Ransomware 2024” report, CYFIRMA’s monthly tracking reports, and websites like KonBriefing.com provide insights into victim geography. However, challenges in data collection, such as underreporting and varying methodologies, mean that rankings can be approximate and subject to controversy.

Detailed Analysis of Top Countries

United States

Research suggests the United States is the most affected country, with high victim counts due to its large digital economy and critical infrastructure. CYFIRMA’s February 2025 report lists 591 victims, and March 2025 reports 291, indicating significant targeting. Sophos’ 2024 report shows a 59% attack rate, supporting its top position. Given its economic size, it’s likely the absolute number of victims is highest, though exact figures are debated due to reporting variations.

United Kingdom

It seems likely that the UK is among the top, with CYFIRMA reporting 32 victims in February 2025 and 30 in March, and Sophos noting a 66% attack rate. KonBriefing.com data for early 2025 shows consistent attacks, reinforcing its ranking. Its position as a major economy with extensive digital services makes it a prime target.

France

The evidence leans toward France being highly affected, with Sophos reporting a 74% attack rate in 2024, the highest among surveyed countries. CYFIRMA’s March 2025 report lists 22 victims, and KonBriefing.com data shows 42 attacks by April, suggesting significant impact. Its role in Europe and data-rich sectors likely contribute to its ranking.

Germany

Germany is frequently targeted, with Sophos showing a 64% attack rate and CYFIRMA reporting 25 victims in February and 42 in March 2025. KonBriefing.com data totals 45 attacks by April, indicating a strong presence in Europe. Its industrial and financial sectors are likely key factors.

Canada

Canada appears in CYFIRMA reports with 57 victims in February and 40 in March 2025, suggesting significant targeting. While Sophos data isn’t specific, its proximity to the U.S. and digital economy likely place it high, with KonBriefing.com showing 20 attacks by April.

Italy

Italy’s 68% attack rate in Sophos’ 2024 report and CYFIRMA’s 24 victims in March 2025, with 29 total by April from KonBriefing.com, indicate heavy targeting. Its position in Europe and economic activity likely contribute to its ranking.

Spain

Spain, with a 58% attack rate in Sophos and 6 victims in March 2025 from CYFIRMA, plus KonBriefing.com data showing at least 9 attacks by April, is likely affected. Its digital infrastructure and European location support its position.

Australia

Australia, with a 54% attack rate in Sophos and 5 victims in January 2025 from CYFIRMA, plus KonBriefing.com data showing 5 attacks by April, is among the top. Its developed economy and critical sectors likely contribute.

Brazil

Brazil’s 44% attack rate in Sophos and CYFIRMA’s 13 victims in March 2025, with 17 total by April from KonBriefing.com, suggest significant impact. Its large market and digital growth likely place it high.

India

India, with a 58% attack rate in Sophos and 6 attacks by April from KonBriefing.com, is likely affected. Its vast digital economy and emerging sectors make it a target, with CYFIRMA data supporting its ranking.

South Africa

South Africa’s 69% attack rate in Sophos, the second highest, indicates significant targeting, though CYFIRMA data is limited. Its position in Africa and digital infrastructure likely contribute, with KonBriefing.com showing 1 attack by April.

Austria

Austria’s 68% attack rate in Sophos and CYFIRMA data showing 4 victims in March 2025, with KonBriefing.com at 1 by April, suggest impact. Its European location and economy likely place it high.

Switzerland

Switzerland, with a 64% attack rate in Sophos and 6 victims in February 2025 from CYFIRMA, plus KonBriefing.com showing 6 by April, is likely affected. Its financial sector likely contributes.

Singapore

Singapore’s 58% attack rate in Sophos and 1 attack by April from KonBriefing.com, with CYFIRMA data limited, suggest targeting. Its role as a financial hub likely places it high.

Japan

Japan, with a 51% attack rate in Sophos and 2 attacks by April from KonBriefing.com, is likely affected. Its advanced economy and digital infrastructure support its ranking, though CYFIRMA data is sparse.