Ransomware Decline: RansomHub’s Tech Glitch Brings Unexpected Breather in April

Ransomware attacks took a nosedive in April, thanks to RansomHub’s infrastructure taking a vacation without telling anyone. Comparitech logged fewer attacks, while Qilin suspiciously gained momentum. Perhaps RansomHub affiliates packed their bags and joined Qilin’s party. Meanwhile, other ransomware groups kept up the mischief.

Hot Take:

Ransomware has taken a chill pill! April saw a dramatic drop in ransomware attacks, but don’t pop the champagne just yet. It’s not that the cybercriminals suddenly found inner peace or took up yoga. No, they just ran into some technical difficulties. RansomHub’s infrastructure took a nosedive, but worry not, Qilin is here to fill the void. Who knew ransomware gangs had such a strong sense of continuity? In the world of cybercrime, when one door closes, another one opens, and it’s usually to someone else’s data.

Key Points:

  • Ransomware attacks dropped to 479 in April, down from previous months.
  • RansomHub’s infrastructure issues contributed to the decline.
  • Qilin emerged as the leading ransomware group in April.
  • Notable attacks included incidents on Marks & Spencer and Oregon DEQ.
  • Government, healthcare, and education sectors were key targets.

RansomHub Takes a Siesta

April brought a breath of fresh air for cybersecurity pros, as ransomware attacks went on a bit of a vacation. Comparitech, ever the diligent cyber detective, noted a substantial decline in attacks with only 479 incidents. This was a stark contrast to the bustling cybercrime scenes of previous months, which were more packed than a cybersecurity conference’s free snack table. The drop is thanks in no small part to RansomHub’s unexpected “tech timeout” on March 31. It seems the gang suffered an infrastructure outage, which is a polite way of saying they hit the cyber equivalent of a flat tire.

Qilin to the Rescue

But fear not, cybercriminals are nothing if not resourceful. Enter Qilin, the new kid on the block who quickly took up the ransomware mantle. The gang’s admin, Haise, was seen hawking a new ransomware version and some lovely DDoS extortion features, like a true salesperson of the dark web. Comparitech even reported a rise in Qilin’s activity in April, with attacks jumping from 45 to 67. Looks like Qilin is the new ransomware star, ready to shine bright in the dark, gloomy skies of cyber extortion.

RansomHub’s Quiet Month

With RansomHub’s infrastructure in shambles, their April was quieter than a library during finals week. They listed exactly zero new victims on their data leak site, which has to be some kind of record for them. Just a month prior, they were one of the most active groups with 62 claimed attacks, according to an NCC Group report. It’s almost as if the cyber gods decided to grant the world a temporary reprieve from RansomHub’s antics. But if history is any guide, they won’t stay down for long.

High-Profile Hits

Despite the overall decline, April wasn’t without its blockbuster ransomware hits. Scattered Spider, the group behind notorious attacks on MGM International and Caesars Entertainment in 2023, added UK retailer Marks & Spencer to their portfolio of unfortunate victims. Meanwhile, German recycling manufacturer Eu-Rec GmbH was hit by SafePay, leading to insolvency—a dark twist on the “reduce, reuse, recycle” mantra. And in a classic case of “no thanks, we won’t pay,” the Oregon Department of Environmental Quality refused a $2.7 million ransom demand from Rhysida, who claimed to have stolen over 2.5TB of data.

Target Practice: Government, Healthcare, and Education

As usual, certain sectors were the darlings of ransomware attacks. Government entities, healthcare organizations, and educational institutions were all popular targets, with 24, 22, and 14 attacks respectively. It’s almost as if the cybercriminals have a special affinity for organizations that are already busy saving lives or shaping the future. Meanwhile, the remaining 425 attacks were categorized as being on “businesses,” proving that crime doesn’t discriminate, as long as there’s data to be ransomed.

So, while the ransomware landscape may have taken a temporary dip, don’t let your guard down just yet. The cybercriminals are still out there, plotting their next move, and as long as there’s data to be held hostage, they’ll be ready to pounce. Keep those firewalls strong, and your passwords even stronger!

The Nimble Nerd