Ransomware Attack Levels Remain High as Major Change Looms

Summary:
March 2025 marked significant shifts within the ransomware ecosystem. The potential downfall of RansomHub, the dominant group of 2024, following the takedown of its data leak site and claims by its rival DragonForce to have taken over its infrastructure, signals a potentially major restructuring of the ransomware landscape. While overall ransomware attack numbers decreased from February's record highs, they remained elevated, well above any earlier monthly high on a five-year chart of ransomware attacks by month covering 2021 to 2025.

RansomHub retook the spot of the most active group in March 2025, a position it had held for the majority of last year, followed by Akira, Qilin, SafePay, and Fog, while CL0P's activity sharply declined. The United States continued to be the primary target, although Germany saw a notable surge in attacks, largely attributed to SafePay ransomware. The emergence of new ransomware groups, including Arkana Security, Secp0, and SKIRA TEAM, alongside the continued activity of recently emerged groups like Weyhro and Frag, underscores how continually the threat landscape shifts. These new groups demonstrated varying tactics, targeting diverse sectors and countries. A new ransomware operation, Arkana Security, announced its arrival on the scene with a significant claim: that it had successfully breached a U.S. Internet Service Provider. To support the claim, the group released alleged samples of customer data and evidence of infrastructure-level access on its data leak site. The cybercriminal community is fiercely competitive, as evidenced by the banning of one of SKIRA TEAM's advertisers from BreachForums.

Security Officer Comments:
The events of March 2025 illustrate a dynamic picture of the evolving ransomware threat environment. The potential disruption at the top of the leaderboard caused by RansomHub's possible demise and DragonForce's alleged takeover of its infrastructure could lead to significant changes in how Ransomware-as-a-Service (RaaS) operations are conducted. DragonForce's rumored white-label approach, allowing affiliates to launch attacks under their own branding, might empower affiliates and diversify attack methodologies, potentially complicating defense efforts. CL0P's notable drop-off after becoming February's leader in attack volume is worth investigating further, especially amid the announcement of a new CrushFTP vulnerability under active exploitation. CL0P has been known to exploit file transfer software flaws in the past, with the Cleo zero-day, CVE-2024-55956, being the most recent documented occurrence.

Despite a slight dip from February's peak, the persistently high ransomware attack volume is notable, suggesting that even without the attack volume of the top-performing groups, the overall threat level remains substantial due to competition-driven affiliate programs. The geographical shift in targeting, with Germany experiencing a notable increase in attack volume, emphasizes that ransomware is a global issue requiring vigilance across all regions, even though a landslide majority of attacks still target US organizations. The continuous emergence of new ransomware groups, each with its own tactics and targets, coupled with an increase in affiliate programs, further complicates the defensive landscape and threat attribution. The activity Cyble details for groups like Arkana Security and Secp0 highlights the sophistication and potential impact of these attacks, even from emerging groups, underscoring the need for proactive threat intelligence and the reduction of internet-exposed resources. Ultimately, the findings reinforce the fundamental importance of adhering to established cybersecurity best practices as the most effective defense against the persistent threat of ransomware.

Suggested Corrections:
Cyble Recommendations:
Leading threat groups come and go, but consistent application of good security practices is key for building organizational resilience and limiting the impact of attacks that do occur. Those basic defensive and cyber hygiene practices include prioritizing vulnerabilities based on risk, protecting web-facing assets, segmenting networks and critical assets, implementing ransomware-resistant backups and Zero Trust principles, proper configuration and secrets protection, hardened endpoints and infrastructure, and network, endpoint, and cloud monitoring.

General Ransomware Suggested Corrections:
Back up your data, system images, and configurations, regularly test the backups, and keep them offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because it allows your organization to restore systems if your network data is encrypted by ransomware.

Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system; use a risk-based assessment strategy to drive your patch management program.

Test your incident response plan: There's nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?

Check your security team's work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.

Segment your networks: There has been a recent shift in ransomware attacks, from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated, that you carefully filter and limit internet access to operational networks, that you identify links between these networks, and that you develop workarounds or manual controls to ensure ICS networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.

Train employees: Email remains the attack vector to which organizations are most vulnerable. Users should be trained on how to spot and avoid phishing emails. Multi-factor authentication can help prevent malicious access to sensitive services.

Implement multi-factor authentication (MFA): External-facing assets that leverage single-factor authentication (SFA) are highly susceptible to brute-forcing attacks, password spraying, or unauthorized remote access using valid (stolen) credentials. Implementing MFA enhances security and adds an extra layer of protection.

Link(s):
https://cyble.com/blog/ransomware-attack-levels-remain-high-as-major-change-looms/