May 2025 Deep Web and Dark Web Trends Report
Disclaimer
This report on deep web and dark web trends for May 2025 is divided into the sections Ransomware, Data Breach, Dark Web, Cyber Attack, and Threat Actor. Please note that some parts of the content cannot be verified for accuracy.
Key Issue
1) Ransomware
1. Overview
In May 2025, the ransomware ecosystem saw a major shift in leadership and the rise of a new group. RansomHub, the most active group of 2024, officially ceased its activities after its infrastructure went down in April. Following this, SafePay emerged as the most active ransomware group in May, publicly disclosing attacks on about 58 victims.
Overall, ransomware groups posted information on about 384 victims to their dedicated leak sites (DLS) over the course of May. Qilin, Play, Akira, and NightSpire followed SafePay in terms of the number of victims they disclosed, and emerging groups like DevMan also showed notable activities.
It is worth noting that Stormous claimed to have targeted the German automotive giant *** Group, but the *** group refuted the claim by stating that they found no evidence of unauthorized access in their internal investigation.
New ransomware groups such as DATACARRY, Dire Wolf, and J Group emerged and began their activities by claiming attacks on 8 countries, 6 organizations, and 9 companies, respectively. Concerns were raised about an increasing trend of copycat attacks after the source code of the VanHelsing ransomware was leaked for free on a dark web forum.
In terms of attack techniques, the Play ransomware group exploited the Windows CLFS zero-day vulnerability (CVE-2025-29824) in its attacks. Advanced techniques also appeared, such as the use of a new EDR bypass technique called Bring Your Own Installer in ransomware attacks. In addition, the shift in tactics from data encryption to data exfiltration followed by extortion continued to accelerate.
2. Trends Among Major Ransomware Groups
- SafePay
SafePay, which first appeared in the fall of 2024, emerged as the most active group in May by publicly disclosing about 58 victim companies. The group mainly targeted the U.S. and Germany, with a particular focus on healthcare and educational institutions. Unlike other groups, SafePay does not operate on a Ransomware-as-a-Service (RaaS) model and instead manages its attacks directly. Exploiting VPN and RDP vulnerabilities, the group is capable of encrypting data within 24 hours of initial access.
- Qilin
In May, Qilin ranked 2nd by disclosing about 54 victims. The group repeatedly targeted auto parts manufacturers such as *** Parts and B*** Inc., and its reported connection with North Korea points to an overlap with state-sponsored threats.
- Play
Play drew attention with an attack leveraging the Windows CLFS zero-day vulnerability (CVE-2025-29824). The threat actor targeted four companies in the United States and Canada, as well as *** Links Co. Ltd. in Japan, demonstrating its ability to use zero-day exploits.
- DevMan
DevMan is an emerging group that claims to have infiltrated 13 victims. In the attack on *** in Thailand, the group encrypted all systems and NAS devices, using the file extension “.devman1”. It has established partnerships through multiple RaaS services with Qilin, DragonForce, RansomHub, and others.
- DragonForce
DragonForce was the most notable ransomware group in May. It launched a series of attacks on the UK retail industry, claiming to have paralyzed the online ordering system of M*** and to have stolen the data of 20 million members from C***. H*** was also targeted in this campaign but managed to minimize the damage through a swift response. After RansomHub's suspension, DragonForce absorbed many of its affiliates and expanded its influence in the ransomware ecosystem.
- RansomHub
RansomHub was the most active ransomware group in 2024, but it officially announced the cessation of its activities in April. Internal conflicts and disputes with affiliates are assumed to be the causes, and some members were observed moving to Qilin.
- Stormous
Following a recent overhaul, Stormous's DLS changed its design and abandoned its previous practice of operating only at certain times. The site also posted a large amount of information on hotel and resort victims, revealing the nature of the group's targeting. The group claimed to have attacked *** Group, a German car manufacturer, but has not provided any breach evidence to support this claim.
3. Damage Trends by Industry
- Retail Industry
The retail industry suffered the biggest blow in May due to DragonForce's attacks on UK retailers. M***, C***, and H*** were affected, marking the beginning of intensified targeted attacks on the retail industry.
※ For more information, please refer to the attachment.