Ransomware Threats: Understanding the New Landscape
The Evolution of Cyber Threats
In recent years, state-sponsored hackers were typically categorized as advanced persistent threats (APTs) due to their substantial resources and ongoing malicious activities. However, according to the Dragos Industrial Ransomware Analysis: Q1 2025, ransomware operators have emerged as equally persistent in their cybercrime tactics. The report highlights a significant transformation in the ransomware landscape, emphasizing the tactics, scale, and state-sponsored motivations driving these operations.
Ransomware Tactics
Modern ransomware groups have begun to leverage artificial intelligence (AI) to enhance their malware capabilities. Some are moving away from traditional encryption-based extortion methods, instead threatening to release stolen data if their demands aren’t met. Furthermore, certain groups are zeroing in on endpoint detection and response platforms prior to executing their attacks, using known third-party vulnerabilities to infiltrate networks efficiently.
Newly Emerged Ransomware Groups
The first quarter of 2025 saw at least 12 new ransomware groups establishing their presence within the cybercrime ecosystem, each with its own targeted strategies. Notably, FunkSec stands out as a hybrid ransomware-as-a-service (RaaS) operation that utilizes AI-driven malware, capable of intermittent encryption to elude conventional defense mechanisms. FunkSec has connections to previously established groups such as FSociety and Bjorka, benefitting from the experience of affiliates from these operations.
Another new entrant, Lynx, made headlines for its aggressive tactics in early 2025, reportedly claiming 148 victims. Almost one-third of these targets were from industrial sectors, showcasing the focus of ransomware on critical infrastructure. Their associates have employed advanced techniques in evasion and sophisticated phishing campaigns to widen their impact.
Persistent Threats and Alliances
The ongoing evolution of groups like DragonForce signals the increasing complexity within the ransomware realm. This group is reportedly linked to the “Five Families” alliance of ransomware organizations, allowing for resource sharing and collaborations that amplify their reach and effectiveness. Aggressive actors continue to target zero-day vulnerabilities alongside widely used file-sharing software, which remains a common entry point for ransomware attacks.
One noteworthy vulnerability within the Common Log File System has been exploited to escalate privileges and gain unauthorized network access. The Clop ransomware gang has exploited a vulnerability in the Cleo MFT file-sharing platform since late 2024, claiming over 300 victims, including 154 from the industrial sector.
The Shift Toward Data Exposure
Increasingly, ransomware groups are prioritizing data exposure over traditional encryption techniques as a means of extortion. Groups such as Clop and Hunters International, which appears to have transitioned to World Leaks, focus solely on exfiltrating data rather than encrypting systems. This shift highlights the changing landscape of ransomware, where psychological manipulation plays a key role in extorting organizations. These tactics complicate response strategies, particularly in industrial settings where data breaches can significantly impair operations and damage reputations.
Global Impact and Victim Statistics
In examining the geographical distribution of ransomware attacks, Australia and New Zealand accounted for about 2% of global ransomware activity in the first quarter of 2025, with 13 organizations targeted. While this indicates a growing threat, the bulk of activity remains concentrated in other regions, particularly the United States, which faced 413 incidents—more than half of the worldwide total. Europe followed with 135 incidents, while industries like manufacturing were among the most heavily hit.
In Asia, 78 incidents were recorded; South America saw 54, and the Middle East reported 11. Sadly, Africa appears to be underreported, with only three incidents noted, one of which affected the South African Weather Service.
Most Targeted Industries
Manufacturing continues to lead the list of targeted sectors, with transportation, communications, and industrial control systems closely following. Within the manufacturing sector, construction, food and beverage, as well as consumer goods and equipment, were particularly susceptible. Attacks in this sector surged from 424 incidents in Q4 2024 to 480 in the first quarter of 2025.
Interestingly, activity among the LockBit gang has dramatically decreased in early 2025, with only seven reported attacks. In contrast, the Clop gang has surged ahead with 154 incidents, followed by Akira with 83, RansomHub with 82, and Lynx with 48.
Strengthening Cyber Defenses
In light of these evolving threats, organizations are urged to enhance their cybersecurity measures. The recommendations from Dragos emphasize the necessity of implementing robust multifactor authentication (MFA), vigilant monitoring of critical network points, secure offline backups, and improved protocols for remote access management. Additionally, training programs, regular network architecture reviews, and the deployment of AI-driven detection solutions are crucial for countering sophisticated threats such as AI-generated phishing schemes and encryption-less extortion attempts.
With the growing complexity of ransomware operations, a proactive and informed approach is key to safeguarding against these threats in today’s digital landscape.


