The global ransomware landscape underwent one of its biggest shifts in recent years during the three months ended June 2025, with a new report detailing massive disruption of the world’s most feared cybercrime groups.
For the uninitiated, ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by blocking access to files until a ransom is paid.
The Q2 Ransomware Security Report by software technologies research firm Check Point indicates that a series of law enforcement crackdowns, tougher regulations on ransom payments, and declining profitability forced several of the world’s dominant cybercrime syndicates into retreat.
While global enforcement may deter large outfits, experts warn that this shift opens the door for smaller groups – often harder to trace – to exploit emerging markets with weaker defences.
For Kenya, this creates a double-edged environment: a reprieve from big-brand attacks, but heightened risk from smaller, less visible groups keen to exploit local systems.
The country’s ongoing digital transformation that’s powering a range of services – from mobile money to digital health and government systems – is inadvertently creating an expansive attack surface as attackers exploit outdated software, misconfigurations, and unsecured hardware devices.
Between April and June 2025, Kenya recorded a staggering 4.6 billion cyber threat incidents, an 84 percent jump from the preceding quarter’s 2.5 billion detections, with the increase signalling escalating vulnerabilities in systems across sectors.
“The global disruption buys some time, but the next generation of ransomware groups is already looking for new markets. And with Kenya’s digital economy growing rapidly, the country may be in their sights sooner than expected,” says software developer Ayub Kimani.
Check Point warns that while the crackdown on the prominent ransomware actors might seem successful, the vice is far from defeated.
Instead, it says, the attacks are fragmenting into smaller groups that are experimenting with new tactics, including Artificial Intelligence (AI)-powered extortion.
“This does not mean that the threat has disappeared. Instead, the ecosystem is fragmenting. Established groups are adapting to the ecosystem shifts with new extortion techniques, AI-powered tools, and are aggressively recruiting affiliates,” reads the report.
“Meanwhile, others have moved away from encryption to adopting stealthier, data exfiltration-only models to avoid scrutiny.”
The far-reaching quarter two disruption of attacker networks followed a global enforcement campaign in May that dismantled more than 300 servers, shut down 650 malicious domains, and issued warrants for 20 suspects.
Regulators in several markets also tightened restrictions on ransom payments, further denting the profitability of attacks.
As a result, the number of victims published on ransomware ‘leak sites’ fell to 1,607 in the quarter to June, down from 2,289 in the previous quarter, although still above the 1,270 cases reported in the same period last year.
Leak sites are websites within the dark web used by ransomware groups, hackers, and other malicious actors to leak stolen data and conduct ransom negotiations with victims.
Healthcare remained one of the most vulnerable sectors, ahead of business services, financial services, manufacturing, and construction, where attacks were broadly distributed during the quarter under review.
Attackers were also found to have accelerated the integration of AI tools into their activities, with several notorious groups discovered offering AI-powered negotiation support to their affiliates.
These tools, the report notes, are used to automate victim communication, tailor ransom demands based on responses, and even generate psychological profiles of executives.
Earlier in July this year, the Communications Authority of Kenya (CA) revealed that healthcare sector institutions within the country were bearing the worst brunt, with data at the time showing that the average ransom demand exceeded $5.2 million (about Sh671.8 million at current conversion rates) per incident.
According to the CA, the healthcare sector experienced a 95 percent jump in ransomware incidents during the three months ended December 2024 after they grew from 20 to 39 cases in October alone.
The CA data showed that other sectors like manufacturing and finance also faced significant threats, with incidents in the former rising 37.9 percent compared to the preceding quarter.
“Ransomware groups have increasingly adopted sophisticated data exfiltration methods, utilising tools like Azure Storage Explorer to transfer large volumes of sensitive data to cloud storage before encryption,” said the CA at the time.
“This trend emphasises the dual threat of data theft and operational disruption.”