Ransomware groups

In 2025, the ransomware landscape remains one of the most dynamic and destructive threat vectors in the cybersecurity world. As attacks increase in both frequency and sophistication, organizations must not only strengthen their defenses but also understand the tactics and motivations of the malicious groups behind these digital extortion operations. The number of active groups is now estimated to exceed 85 distinct actors.

Top 20 ransomware groups we encountered most frequently in 2025

Qilin
Akira
Sinobi
Incransom
Safepay
Lockbit5
Dragonforce
Play
Devman
Coinbasecartel
Everest
Nova
Rhysida
Handala
Thegentlemen
Lynx
Nightspire
Ransomhouse
Blackshrantac
Anubis

General trends and differentiated behaviors

Encryption and technologies

Many modern groups use ransomware written in Rust or Go, enabling them to operate across multiple platforms and complex infrastructures.

Ransom demands

While some groups demand ransoms of several million dollars, others adjust their demands based on the size, sector, and criticality of the targeted data (source: ThreatDown by Malwarebytes). Sophisticated operations such as those carried out by Qilin or Cl0p tend to target organizations with substantial budgets, justifying higher ransom demands.

Negotiation styles

Accelerated publication of stolen data has become a common tactic to increase pressure on victims. Some groups also facilitate negotiations through automated portals or via affiliates specialized in ransom negotiations.

Do not pay the ransom!

Paying a ransom to ransomware groups is generally strongly discouraged for several important reasons:
  1. No guarantee of data recovery: Paying does not guarantee that cybercriminals will provide a decryption key, nor that it will work properly. Many victims pay and recover nothing or only part of their data.
  2. Encouragement of criminal activity: Payment directly finances criminal groups, enabling them to improve their tools and launch new attacks against other victims.
  3. Risk of repeat attacks: An organization that pays is often identified as a “good target” and may be attacked again, sometimes by the same group.
  4. Legal and regulatory exposure: In some countries, paying a ransom may violate the law (for example, if the group is linked to sanctioned entities), exposing the victim to legal penalties.
  5. Data leakage or resale despite payment: Even if data is decrypted, nothing prevents attackers from retaining, reselling, or publishing the stolen data.
  6. Reputational damage: Payment can harm the image of a company or institution, especially if the information becomes public.
  7. Viable alternatives often exist
    • Restore from backups
    • Use free decryption tools (for certain known strains), though they are often outdated
    • Contact our experts if your backups are encrypted or deleted

We can help you regardless of which ransomware group encrypted your data.

Leading experts available 24/7, 365 days a year. If you suspect data loss or a network breach, or if you are looking for ways to test and improve your cybersecurity, our team is here to help.

How to deal with a ransomware attack

Faced with the growing threat of ransomware, companies need to rely on multidisciplinary expertise. The combination of data recovery, IT and cybersecurity skills is essential to successfully carry out decryption operations and restore compromised systems.

Follow the recommended immediate measures

  1. Switch off all media containing backups and disconnect servers from the Internet.

  2. Check the integrity of backups to restore data.

  3. Back up encrypted data on an external disk or NAS (prioritize backups and virtual machines). DO NOT RESET the system: reinstalling servers prevents data recovery. These backups can be used for data recovery and digital forensics.

  4. Keep all evidence of the attack: don’t delete any files, and document early indicators of compromise (IOCs).

  5. Report the crime to the appropriate authorities, police or gendarmerie.

A quick call to one of our data recovery consultants can save a lot of headaches and increase the chances of restoring your data.

How we recover and restore data encrypted by ransomware

Computer systems are composed of multiple complex layers, making them vulnerable to rapid and sophisticated attacks by cybercriminals.

We use proprietary software to implement four data recovery techniques: decryption, recovery of deleted data, reverse engineering of encryption algorithms and repair of damaged files.

They’ve broken into your system, we find the flaw in their actions.

For security reasons, we voluntarily limit the disclosure of detailed information about our specific tools.


Our process

Remote file transfer

Files are received in a totally secure way.

Professional Diagnosis

We assess the level of damage caused by the ransomware.

Recovery Extraction Repair

We process your files using proprietary technologies.

Validation and data return

Validate file integrity with our Diagview tool

How fast do you need your data?

We offer flexible service packages to meet your unique needs and budgetary considerations.

24/7

- On-call processing
- 365/24
- Dedicated team
- Average 1 to 3 working days

Urgent

- Within working hours
- 1 dedicated engineer
- Average 3-7 working days

Standard

- Within working hours
- 1 shared engineer
- Average 7 to 14 working days

Two main backup recovery modes: in the lab or remotely

Our 10 Gb/s access allows us to be very responsive and fast during exchanges, in the event of remote retrieval. Security is our top priority: we use the SFTP protocol exclusively for transfers. File integrity is checked on arrival, so you can be sure of 100% identical files.
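An added illustration of the integrity checks named in the immediate measures and in the transfer step above (not Recoveo's tooling; the file names and sample data in `demo` are constructed): a SHA-256 manifest is built over the preserved copy before transfer and compared on arrival, reporting missing, unexpected and altered files.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large VM images do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_manifest(root):
    """Map each file path (relative to root) to its (size, SHA-256)."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest

def verify_manifest(root, manifest):
    """Compare a received copy against the manifest made before transfer."""
    received = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(received)),
        "unexpected": sorted(set(received) - set(manifest)),
        "altered": sorted(p for p in manifest.keys() & received.keys()
                          if manifest[p] != received[p]),
    }

def demo():
    """Constructed sample: hash a tiny evidence tree, then damage its copy."""
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        samples = {"vm/disk0.vmdk.locked": b"\x00" * 4096,
                   "README_RESTORE.txt": b"constructed ransom note\n"}
        for rel, data in samples.items():
            for base in (src, dst):
                target = Path(base, rel)
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(src)
        clean = verify_manifest(dst, manifest)
        # Simulate a truncated transfer and a stray file on the receiving side.
        Path(dst, "vm/disk0.vmdk.locked").write_bytes(b"\x00" * 100)
        Path(dst, "extra.tmp").touch()
        return clean, verify_manifest(dst, manifest)
```

Store the manifest on separate media from the copy it describes, so that it also serves as a record that preserved evidence has not changed since collection.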

Remote data recovery

This type of recovery is becoming increasingly common in our business. The advantage is that there's no need to physically transport the machines or disks, so there are logistical savings and no risk of damage in transit. There are no customs issues to consider... Your server can remain online if services are running on it.

Laboratory database recovery

The majority of our rescues still take place in our laboratories. The main advantage: we have more recovery options with physical servers than with downloaded files. Laboratory recovery is indispensable in cases of deletion where data has actually been deleted.

Request a free consultation

Leading experts at your service 24/7/365. If you suspect a data loss or network breach, or are looking for ways to test and improve your cybersecurity, our team can help.

FAQ

Frequently asked questions

In the face of cyberattacks, this FAQ has been designed to give you clear, concise answers to the most frequently asked questions about ransomware and how we can help. From prevention to data recovery after an attack, find out how to react, recover your data and strengthen your digital defense…

Immediately contact our emergency hotline (24/7/365)

  • If you suspect a ransomware attack, contact the emergency experts immediately at the following numbers: +336 08 68 94 98 or +331 84 604 112
  • The on-call team will respond as quickly as possible, usually within 2 hours.
  • Discuss priority needs and affected technologies.

Reception, Cloning and Diagnostics

  • The team will immediately start cloning the affected disks using a secure procedure.
  • A rapid analysis will be carried out to determine the extent of the damage.
  • The team will provide an estimate of the chances of successful recovery.

Data Recovery

  • Affected files will be extracted from servers or NAS systems.
  • A complete list of recovered files will be compiled.
  • The customer will validate the recovered files.
  • The recovered data will be securely returned to the customer.

It's essential to act quickly in the event of a ransomware attack to maximize the chances of successful recovery.

Our offer is based on several criteria:

Capacity: volume of data to be processed (capacity of storage media, number of files, etc.).

Technologies: file system, operating system, virtualization system, backup software...

Reactivity: two levels of service (on-call or emergency).

Our cost is generally between two and ten times less than the ransom cost.

  1. Network isolation: As soon as a computer appears infected, immediately disconnect it from the network and any external storage to prevent the ransomware from spreading.

  2. Identifying the infection: Use tools like ID Ransomware or No More Ransom to determine the type of ransomware and understand how it spreads.

  3. Caution when intervening: Avoid any hasty action on servers, such as reformatting or using antivirus software, which could compromise data recovery.

  4. Backup management:

    • Stop automatic backups: This prevents data being overwritten by corrupted files.
    • Safe handling of backups: Use only safe, isolated machines to check your backups, and avoid restoring to an infected server.
    • Reaction to sabotaged backups: If your backups have been altered in the attack, stop all affected hardware to prevent further damage.

  5. Get help from data recovery experts:

    • If your backups are failing, a specialized data recovery lab may be a viable solution. The aim is not necessarily to decrypt infected files, but to find usable data from the various storage sources. Each case of attack is unique and requires an audit of the storage systems.

By following these steps, you'll maximize your chances of effectively managing a ransomware attack and recovering your data.

  • Evaluate impacted data: If storage systems are infected, it's crucial to list and evaluate lost data. You need to determine the type of files, the criticality of the data, the services and users most affected, and the storage location.
  • Call in a specialized lab: A data recovery lab may be able to recover files from servers or backups attacked by ransomware.

The chances of recovery may vary depending on the nature of the ransomware, the actions taken immediately after the attack, and the expertise of the data recovery lab consulted. Beware, however, that poor prior handling can reduce the average recovery success rate by 28%.

A specialised service from Recoveo

Our other areas of expertise

We have over 20 years’ experience in data recovery. Call on the French leader: our expertise allows us to provide you with a high-level response.

Expertise

Backup

Backups are crucial for data security, but even backup systems can fail. Professional data recovery services ensure your valuable backups are restored promptly and securely.

Virtual Machine Recovery

Even with the considerable advantages they offer, virtual machines are not immune to data loss due to human error, hardware failure, software problems or ransomware attacks.

Database recovery

Modern businesses rely heavily on the data they accumulate. The loss or corruption of a database can have a significant impact on a business.

Remote

Remote data recovery allows for rapid intervention without physical access, reducing downtime significantly. Specialists can securely recover your data remotely, ensuring minimal disruption to your operations.