Full Report
Ransomware attacks set a single-month record in February that was well above previous highs, according to a Cyble threat intelligence report. The Cyble report measured the number of victims claimed by ransomware groups on their Tor-based data leak sites (DLS), which the groups use as part of their extortion tactics by “naming and shaming” victims and threatening to release data unless ransom demands are paid. While not all ransomware victims are included on DLS sites, Cyble said it’s a useful indicator for analyzing ransomware trends. The record ransomware attacks seen in February 2025 were more than 50% higher than the previous record set two years ago, Cyble said.

CL0P Sends Ransomware Attacks to Record Highs

Cyble said the previous high for ransomware attacks was set in May 2023, when 544 victims were claimed by ransomware groups. February’s numbers would have eclipsed that record even without the CL0P ransomware group’s 267 victims, but with the CL0P victims, the total number of victims claimed by ransomware groups in February hit 821, far beyond previous highs (image below).

[Figure: Ransomware victims by month 2021-2025 (Cyble)]

CL0P has now claimed 386 victims from its exploitation of Cleo MFT vulnerabilities, Cyble said. The high number of victim claims made CL0P the most active ransomware group for the month, followed by RansomHub and Akira (chart below).

[Figure: Most active ransomware groups, February 2025 (Cyble)]

The U.S. far outpaced other nations in ransomware victims, with 10 times more victims than second-place Canada (chart below).

[Figure: Ransomware attacks by country, February 2025 (Cyble)]

Are Record Ransomware Attacks the Start of a New Trend?

While February’s record ransomware victims were well above long-term trends, Cyble questioned whether that surge is the start of a new higher level of ransomware attacks. The threat intelligence company looked at the major ransomware players for clues. Looking at the last four years, LockBit has been well ahead of other ransomware groups, claiming more than 2,700 victims (chart below). However, LockBit has fallen off considerably in the last year after being hit by global law enforcement actions and is in the process of attempting a comeback with LockBit 4.0.

[Figure: Top ransomware groups 2021-2025 (Cyble)]

CL0P came in a distant second with 901 claimed victims over that four-year period, with Play, RansomHub, Conti and Akira (608 victims) the next most active ransomware groups. Six-year-old CL0P has largely focused on managed file transfer (MFT) vulnerabilities like Cleo and MOVEit, which has tended to make the group’s victims more clustered, with more than 40% of those victims (383) coming just in the last few months. With only 22 additional CL0P victims in the last year, “it would be reasonable to assume that CL0P victim totals will continue to fluctuate over time,” Cyble said. But with RansomHub, Akira, Play and FOG also increasing ransomware activity in recent months, “it’s possible that we’ve entered a higher range of claimed victims by ransomware groups,” the report noted.

Cyble said organizations should focus on measures that improve cyber resilience and limit lateral movement, such as patching web-facing vulnerabilities, training employees to recognize phishing attempts, and implementing zero trust, network segmentation and monitoring, and ransomware-resistant backups.
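The monthly figures above are produced by counting victim claims scraped from the groups' data leak sites. The script below is an added example of that methodology and is not Cyble's code or data: the posts are constructed, the group names match those in the article, and every victim name, country and date is fabricated for illustration. It shows the two steps a practitioner has to get right before the numbers mean anything: folding re-posts of the same victim (case, punctuation and legal-suffix variants) into one claim, and flagging victims claimed by more than one group, since a DLS count is a count of claims rather than confirmed incidents. It also carries out the "would February still be a record without CL0P" check the article describes. What it cannot measure is the victims who never appear on a leak site, which is why the article calls DLS counts an indicator rather than a total.

```python
"""Aggregate ransomware data-leak-site (DLS) victim claims into monthly
trend figures, the way a CTI team does for a report like the one above.

Added example, not Cyble's code. SAMPLE_POSTS is constructed test data:
group names follow the article, everything else is invented.
"""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample DLS posts: (group, victim name as scraped, country, post date).
# Deliberate noise: one victim re-posted with a different spelling, and one
# victim claimed by two different groups.
SAMPLE_POSTS = [
    ("CL0P",      "Acme Logistics Inc.",  "US", date(2025, 2, 3)),
    ("CL0P",      "ACME LOGISTICS INC",   "US", date(2025, 2, 10)),  # re-post of the same victim
    ("CL0P",      "Northwind Traders",    "US", date(2025, 2, 5)),
    ("CL0P",      "Globex Corp",          "CA", date(2025, 2, 12)),
    ("RansomHub", "Initech LLC",          "US", date(2025, 2, 7)),
    ("RansomHub", "Umbrella Health",      "US", date(2025, 2, 20)),
    ("Akira",     "Initech LLC",          "US", date(2025, 2, 9)),   # same victim, second group
    ("Akira",     "Vandelay Industries",  "DE", date(2025, 2, 25)),
    ("LockBit",   "Stark Industries",     "US", date(2025, 1, 15)),
    ("Play",      "Wayne Enterprises",    "US", date(2025, 1, 28)),
]

# Legal suffixes that vary between postings of the same organisation.
CORPORATE_SUFFIXES = {"inc", "llc", "ltd", "corp", "co", "plc", "gmbh", "sa", "ag"}


def normalize_victim(name: str) -> str:
    """Fold case, punctuation and legal-suffix variants into one key."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in CORPORATE_SUFFIXES)


def dedupe_claims(posts):
    """Keep one claim per (group, victim), dated at its first appearance.
    Groups re-post victims as extortion escalates; counting re-posts
    would inflate the monthly totals."""
    first_seen = {}
    for group, raw_name, country, posted in sorted(posts, key=lambda p: p[3]):
        key = (group, normalize_victim(raw_name))
        if key not in first_seen:
            first_seen[key] = (group, key[1], country, posted)
    return list(first_seen.values())


def month_key(d: date) -> str:
    return f"{d.year:04d}-{d.month:02d}"


def victims_by_month(claims) -> dict:
    return dict(Counter(month_key(c[3]) for c in claims))


def victims_by_group(claims, month: str) -> list:
    """Most active groups for one month, as (group, claims) pairs."""
    return Counter(c[0] for c in claims if month_key(c[3]) == month).most_common()


def victims_by_country(claims, month: str) -> list:
    return Counter(c[2] for c in claims if month_key(c[3]) == month).most_common()


def is_record_without(claims, month: str, excluded_group: str) -> tuple:
    """Would `month` still be an all-time high with `excluded_group` removed?
    Returns (adjusted_total, previous_high, still_record)."""
    by_month = victims_by_month(claims)
    previous_high = max((n for m, n in by_month.items() if m != month), default=0)
    adjusted = sum(1 for c in claims
                   if month_key(c[3]) == month and c[0] != excluded_group)
    return adjusted, previous_high, adjusted > previous_high


def multi_group_victims(claims) -> set:
    """Victims claimed by more than one group. These need manual review:
    a DLS count is a count of claims, not of confirmed incidents."""
    groups = defaultdict(set)
    for group, victim, _country, _posted in claims:
        groups[victim].add(group)
    return {v for v, g in groups.items() if len(g) > 1}


if __name__ == "__main__":
    claims = dedupe_claims(SAMPLE_POSTS)
    print("claims per month:     ", victims_by_month(claims))
    print("top groups 2025-02:   ", victims_by_group(claims, "2025-02"))
    print("by country 2025-02:   ", victims_by_country(claims, "2025-02"))
    print("record without CL0P?: ", is_record_without(claims, "2025-02", "CL0P"))
    print("claimed by >1 group:  ", multi_group_victims(claims))
```

With the constructed data the February total drops from 7 to 4 once CL0P is removed and is still above January's 2, which is the same shape of argument the article makes with 821, 267 and 544. Real scrapers need a richer normalisation (domains, transliteration, group rebrands) and a policy for the cross-group cases, but the counting logic does not change.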
Analysis Summary
# Incident Report: Record Ransomware Attacks in February 2025
## Executive Summary
February 2025 marked a record high for ransomware victims claimed on data leak sites, according to Cyble's analysis, and may signal a shift to a higher baseline of claimed victims across groups. LockBit's output has fallen since global law enforcement action, while CL0P, RansomHub, Akira, Play and FOG are increasing activity. The impact mechanism described is data extortion through leak-site "name and shame" posts; CL0P's February surge came from exploiting Managed File Transfer (MFT) vulnerabilities in Cleo products, continuing the pattern of its earlier MOVEit campaign. Response recommendations center on resilience measures: patching web-facing vulnerabilities, employee phishing training, Zero Trust, network segmentation and monitoring, and ransomware-resistant backups.
## Incident Details
- **Discovery Date:** Reporting published on Friday, March 7, 2025, summarizing February activity.
- **Incident Date:** February 2025 (Month analyzed)
- **Affected Organization:** Various organizations globally (No specific organization detailed, analysis aggregated across multiple incidents).
- **Sector:** Unspecified (Industry-agnostic, affecting various sectors).
- **Geography:** Global; the U.S. accounted for roughly 10 times as many claimed victims as second-place Canada.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing throughout February 2025.
- **Vector:** Varied. The article specifically cites exploitation of internet-facing managed file transfer (MFT) software (CL0P's Cleo campaign, following its earlier MOVEit campaign); phishing is referenced only in the general recommendations.
- **Details:** CL0P's victim claims cluster around MFT exploitation: Cyble attributes 386 claimed victims to the Cleo vulnerabilities, and more than 40% of CL0P's four-year total (383 victims) was posted in the last few months.
### Lateral Movement
- **Details:** Cyble specifically recommends measures to limit lateral movement, suggesting it is a critical phase utilized by active ransomware groups.
### Data Exfiltration/Impact
- **Details:** The impact mechanism described is **data extortion**: groups post victims on Tor-based data leak sites and threaten to release stolen data unless a ransom is paid. Whether victims were also encrypted is not stated in the article.
### Detection & Response
- **How it was discovered:** Cyble's analysis is compiled from victim claims posted on the ransomware groups' Tor-based data leak sites. Cyble notes that not every victim is listed on a DLS, so the figures are an indicator of trend rather than a complete count. Specific organizational incident responses are not detailed.
- **Response actions taken:** No specific organizational response detailed; generalized recommendations provided for mitigation (patching, Zero Trust, backups).
## Attack Methodology
- **Initial Access:** Exploitation of internet-facing vulnerabilities, specifically MFT software (Cleo, MOVEit); phishing is implied by the recommendations only.
- **Persistence:** Not detailed.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed.
- **Lateral Movement:** Implied to be a key phase post-access, necessitating segmentation/monitoring.
- **Collection:** Not detailed; data theft is implied by the extortion model.
- **Exfiltration:** Stolen data is the lever for the leak-site extortion described.
- **Impact:** Data extortion via leak-site publication; encryption is not discussed in the article.
## Impact Assessment
- **Financial:** Not quantified in the article; the only scale indicators given are victim counts (821 claimed in February 2025; more than 2,700 claimed by LockBit over four years).
- **Data Breach:** Data extortion is the core mechanism, implying sensitive data theft/exposure.
- **Operational:** Implied business disruption due to successful ransomware deployment.
- **Reputational:** Implied reputational damage resulting from high-profile ransomware attacks.
## Indicators of Compromise
*(Note: No concrete IOCs were provided in the context article; indicators listed are contextual based on mentioned threat groups/tactics.)*
- **Network indicators - defanged:** N/A
- **File indicators:** N/A
- **Behavioral indicators:** Exploitation of internet-facing MFT software (Cleo, MOVEit); lateral movement following initial access; outbound transfer of data preceding an extortion demand; the organization's name appearing on a group's data leak site.
## Response Actions
*(No specific organizational response actions were detailed, only generalized organizational recommendations)*
- **Containment measures:** N/A
- **Eradication steps:** N/A
- **Recovery actions:** N/A
## Lessons Learned
- **Key takeaways:** Global law enforcement actions sharply reduced LockBit's output, and other groups (RansomHub, Akira, Play, FOG) have filled the gap. CL0P's totals rise in bursts tied to MFT campaigns, so its share of any month's count can swing widely.
- **What could have been done better:** Organizations should treat initial compromise as likely and invest in resilience that limits its impact: segmentation to bound lateral movement, monitoring to detect it, and backups that survive a ransomware deployment.
## Recommendations
- **Prevention measures for similar incidents:**
1. Prioritize patching of web-facing vulnerabilities immediately.
2. Implement Zero Trust architecture.
3. Increase network segmentation and monitoring to limit and detect lateral movement.
4. Enhance employee training to effectively recognize phishing attempts.
5. Deploy and regularly test ransomware-resistant backups.