
After a period of calm, security experts are now reporting a sharp increase in ransomware attacks. Compared to February 2024, attacks in February 2025 increased by 126 percent. Germany is among the top five countries attacked.
February 2025 was a record month, according to experts at Bitdefender Labs. For their analysis as part of the monthly Bitdefender Threat Debrief, Bitdefender experts evaluated data breach websites on the dark web – dedicated leak sites (DLS) – operated by over 70 ransomware gangs, as well as information from publicly available sources (OSINT).
126 percent increase in ransomware attacks
Compared to 425 victims in February 2024, the number rose to 962 in February 2025 – an increase of 126 percent. A primary reason for this increase is increasingly opportunistic, automated scanning for known vulnerabilities. These scans are then followed by manually executed attacks, often after several weeks of preparation.
597 of the documented attacks found their victims in the USA. Germany ranks fourth with 27 affected companies – behind number two Canada (58 attacks) and Great Britain (36), and ahead of France with 16 attacks.
The reason for these rising numbers lies in a shift in attacker strategy, which, according to Martin Zugec, Technical Solutions Director at Bitdefender, "still surprises many: Instead of focusing on individual companies or industries, some ransomware groups are becoming increasingly opportunistic, targeting newly discovered software vulnerabilities in edge network devices."
Targeted attacks on vulnerabilities
Regardless of whether they are financially motivated or state-supported hacker groups, the actors focus on vulnerabilities:
- that have a high CVSS risk score;
- that allow hackers to gain remote control over a system;
- that affect software accessible via the Internet; and
- for which an exploit developer or other malicious actor has already published a Proof of Concept (PoC).
To gain initial access through a vulnerability, attackers often launch scans within 24 hours, searching for vulnerable systems. The subsequent manual hack, which the hackers often disguise using living-off-the-land techniques, takes longer. Ransomware attacks therefore typically occur with a delay of weeks or months.
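Defenders can apply the same four criteria to their own vulnerability inventory to decide what must be patched or isolated before the first scans arrive. The following Python is an added example, not part of the Bitdefender report; the inventory, host names, placeholder CVE IDs, tier names and the CVSS-vector proxy for "remote control" are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str               # placeholder ID, not a real CVE
    asset: str             # hypothetical host name
    cvss: float            # CVSS v3.1 base score
    vector: str            # CVSS v3.1 vector string
    internet_facing: bool  # reachable from the Internet
    public_poc: bool       # proof of concept already published

def parse_vector(vector):  # 'CVSS:3.1/AV:N/AC:L/...' -> {'AV': 'N', 'AC': 'L', ...}
    return dict(part.split(":", 1) for part in vector.split("/")[1:])

def remote_takeover(vector):
    # Assumption: network-reachable, no privileges or user interaction needed,
    # and high C/I/A impact stands in for "remote control over a system".
    m = parse_vector(vector)
    return (all(m.get(k) == "N" for k in ("AV", "PR", "UI"))
            and all(m.get(k) == "H" for k in ("C", "I", "A")))

def criteria_met(f, high=7.0):  # 7.0 is the lower bound of CVSS "High"
    return {"high_cvss": f.cvss >= high,
            "remote_takeover": remote_takeover(f.vector),
            "internet_facing": f.internet_facing,
            "public_poc": f.public_poc}

def triage(findings):  # -> [(cve, asset, tier)], most urgent first
    rows = []
    for f in findings:
        hits = sum(criteria_met(f).values())
        # Assumed tiers: all four criteria means scanning can start within a day.
        tier = {4: "emergency", 3: "expedited"}.get(hits, "routine")
        rows.append((hits, f.cvss, f.cve, f.asset, tier))
    rows.sort(key=lambda r: (-r[0], -r[1]))
    return [(cve, asset, tier) for _, _, cve, asset, tier in rows]

REMOTE = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
INVENTORY = [  # constructed sample data
    Finding("CVE-PLACEHOLDER-C", "file-transfer-02", 7.8,
            "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", True, False),
    Finding("CVE-PLACEHOLDER-B", "build-agent-07", 9.8, REMOTE, False, True),
    Finding("CVE-PLACEHOLDER-D", "intranet-wiki", 5.3,
            "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", False, False),
    Finding("CVE-PLACEHOLDER-A", "edge-vpn-01", 9.8, REMOTE, True, True),
]

if __name__ == "__main__":
    print(*triage(INVENTORY), sep="\n")
```

Only the finding that meets all four criteria lands in the "emergency" tier; the same 9.8 score on a host that is not Internet-facing drops to "expedited".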
Clop (Cl0p) group strikes
The Clop (Cl0p) group, which was the most active in February and was responsible for 335 of 962 attacks, demonstrates this pattern. It exploited the vulnerabilities CVE-2024-50623 and CVE-2024-55956 in the file transfer software Cleo, each rated 9.8. The vulnerabilities were disclosed in October and December 2024, respectively. Three months later, the hackers' laborious manual work is bearing delayed fruit.