Over the past six months, ransomware activity across the U.S. has surged, up 49% compared to the same period last year. The groups behind the most damage? Qilin, SafePay, and Akira.

These are Ransomware-as-a-Service (RaaS) groups. They license out their tools to affiliates, making it easy for low-skill attackers to launch high-impact campaigns. Their targets aren’t massive corporations. They’re going after small and mid-sized businesses (SMBs).

Who's Getting Targeted

Most victims are organizations with limited resources and underpowered IT teams:

• Construction and engineering firms

• Small manufacturers

• Regional IT providers

• Healthcare systems

• Local governments

In the first half of 2025, there were 4,198 reported ransomware cases in the U.S. Nearly half affected businesses directly. One survey found 72% of U.S. organizations experienced a ransomware incident in the past year. The average recovery cost was $4.5 million.

What's Happening in Michigan

Michigan has seen its own wave of attacks. One of the most significant incidents involved McLaren Health Care, a large medical system in the state. The breach affected more than 740,000 individuals, exposing sensitive patient and staff data, including Social Security numbers and medical records.

Outside of healthcare, local businesses in manufacturing and tech have seen an increase in phishing and credential theft attempts. These are two of the most common ways ransomware groups gain initial access.

Some organizations in the state have started to implement stronger defenses:

• Multi-factor authentication

• Offline backups

• Basic endpoint detection

• Phishing awareness training

Still, many remain vulnerable. RaaS operators see that as opportunity.

WRAVEN's Perspective

We’re tracking Qilin, SafePay, and Akira through our internal WATCHTOWER dashboard. These groups continue to evolve rapidly, adapting to new defenses and using double extortion tactics to pressure victims into paying.

Security is no longer optional. Small targets are still targets.

If your organization has weak backups, exposed services, or reused passwords, you're on the list.

Want WRAVEN to take a look?

If you’re part of a local business, nonprofit, or organization and want a second set of eyes on your cybersecurity posture, we’re happy to help. WRAVEN works with small teams to assess risk, offer practical guidance, and strengthen defenses: free of charge.

We also welcome sponsorships, project collaboration, and speaking opportunities.

Get in touch: [email protected]

Or learn more at wraven.org

Let’s keep Michigan a little harder to breach.

Sources

• Cyfirma Weekly Threat Report, July 11, 2025

• Sophos State of Ransomware 2025

• The Guardian – Ransomware Surge Report

• ITPro – Top Ransomware Groups of 2025

• Wikipedia – Salt Typhoon

• HIPAA Journal – McLaren Health Care Breach

• CISA.gov – Ransomware Resources

Join WRAVEN | Learn More