A summary of the top ransomware trends from the Talos 2025 Year in Review, with a focus on identity, attacker tactics, and practical defenses.
# Tool/Technique: Modern Ransomware Operations (2025 Trends)
## Overview
Based on the Talos 2025 Year in Review, ransomware operations have shifted from "smash-and-grab" tactics to a "blend-in" strategy. Attackers prioritize legitimate access and identity exploitation over infrastructure-based exploits, frequently utilizing "Living off the Land" (LotL) techniques to mimic authorized administrative activity.
## Technical Details
- **Type**: Ransomware-as-a-Service (RaaS) & Extortion Techniques
- **Platform**: Multi-platform (Windows primary focus for LotL tools)
- **Capabilities**: Initial access via identity theft, lateral movement using native tools, double extortion (encryption + data exfiltration), and affiliate absorption.
- **First Seen**: Industry-wide shift noted throughout 2024–2025.
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1566 - Phishing] (responsible for 40% of initial access)
  - [T1078 - Valid Accounts]
- **[TA0008 - Lateral Movement]**
  - [T1021.001 - Remote Desktop Protocol]
  - [T1570 - Lateral Tool Transfer]
- **[TA0002 - Execution]**
  - [T1059.001 - PowerShell]
  - [T1569.002 - Service Execution] (PsExec)
- **[TA0010 - Exfiltration]**
  - [T1614 - Exfiltration Over Web Service] (double extortion)
## Functionality
### Core Capabilities
- **Identity-Centric Access**: Heavily reliant on social engineering and phishing to obtain valid credentials rather than bypassing technical "locks."
- **Living off the Land (LotL)**: Utilizes native Windows utilities (RDP, PowerShell, PsExec) to perform malicious actions under the guise of legitimate administration.
- **Double Extortion**: Primarily championed by groups like Qilin, involving both the encryption of systems and the threat of leaking stolen data.
### Advanced Features
- **Affiliate Absorption**: Prolific groups (Akira, Play) are evolving by recruiting experienced affiliates from disrupted groups like LockBit.
- **Stealthy Persistence**: By using valid accounts, attackers avoid triggering traditional security alerts that look for known malware signatures.
## Indicators of Compromise
- **File Hashes**: *Not specifically listed in the high-level summary; varies by family (Qilin, Akira, Play).*
- **File Names**: `psexec.exe`, `powershell.exe` (when found in unusual paths or executed by unauthorized accounts).
- **Registry Keys**: Look for modifications related to RDP enablement or PowerShell execution policy bypasses.
- **Network Indicators**:
  - `[.]onion` (Qilin/Akira/Play data leak sites)
  - Unusual RDP traffic patterns from external IPs to internal workstations.
- **Behavioral Indicators**:
  - Administrative tools (PsExec) running between workstations rather than from a DC or jump box.
  - PowerShell scripts executing encoded commands to facilitate lateral movement.
## Associated Threat Actors
- **Qilin**: Currently the most prolific group; uses a double-extortion model.
- **Akira**: Ranked #2; known for absorbing affiliates and evolving tactics.
- **Play**: Ranked #3; high success rate through adaptive procedures.
- **LockBit**: Significantly declined in activity (dropped to 35th rank) due to law enforcement pressure.
## Detection Methods
- **Signature-based detection**: Monitor for known tools like PsExec or unauthorized PowerShell scripts.
- **Behavioral detection**: Implement anomaly detection for Valid Accounts. Define baselines for "normal" RDP and administrative tool usage.
- **Logging**: Enable enhanced PowerShell logging (Script Block Logging) to identify malicious commands.
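The behavioral indicators and detection methods above, as an added example that is not part of the Talos report: a small triage routine over constructed 4688-style process-creation events that flags PsExec/PowerShell from unusual paths or unauthorized accounts, PsExec launched from a host that is not a DC or jump box, and encoded PowerShell whose decoded payload contains lateral-movement cmdlets. The allowlists (`ADMIN_ACCOUNTS`, `ADMIN_HOSTS`, `TRUSTED_DIRS`) and the event shape are hypothetical and would be populated from your own asset inventory.

```python
import base64
import re

# Hypothetical allowlists a defender populates from the asset inventory (constructed).
ADMIN_ACCOUNTS = {"CORP\\svc_admin"}
ADMIN_HOSTS = {"JUMP-01", "DC-01"}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\tools\\sysinternals\\")
LATERAL_CMDLETS = ("invoke-command", "enter-pssession", "new-pssession", "mstsc", "net use")
# Matches -e / -ec / -enc / -EncodedCommand followed by a base64 token.
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

# Constructed sample events (not from the report): host, user, image path, command line.
SAMPLE_EVENTS = [
    {"host": "WS-0143", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\psexec.exe",
     "cmdline": r"psexec.exe \\WS-0212 -s cmd.exe"},
    {"host": "WS-0212", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + base64.b64encode(
         "Invoke-Command -ComputerName WS-0301 -ScriptBlock {whoami}".encode("utf-16le")).decode()},
    {"host": "JUMP-01", "user": "CORP\\svc_admin", "image": r"C:\Tools\Sysinternals\PsExec.exe",
     "cmdline": r"PsExec.exe \\SRV-DB01 -s sc query"},
]

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(ev):
    """Return the list of detection labels raised by one process-creation event."""
    tool = ev["image"].rsplit("\\", 1)[-1].lower()
    findings = []
    if tool not in ("psexec.exe", "psexec64.exe", "powershell.exe"):
        return findings
    if not ev["image"].lower().startswith(TRUSTED_DIRS):
        findings.append("unusual_path")
    if ev["user"] not in ADMIN_ACCOUNTS:
        findings.append("unauthorized_account")
    if tool.startswith("psexec") and ev["host"] not in ADMIN_HOSTS:
        findings.append("psexec_from_workstation")  # admin tool not run from a DC or jump box
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        findings.append("encoded_powershell")
        if any(k in decoded.lower() for k in LATERAL_CMDLETS):
            findings.append("encoded_lateral_movement")
    return findings

def triage(events):
    """Map each host with at least one finding to its findings."""
    return {ev["host"]: f for ev in events if (f := evaluate(ev))}
```

Run against a real 4688 or Sysmon event 1 feed, the same rules give an analyst the decoded PowerShell payload alongside the path and account context the report says distinguishes admin activity from LotL abuse.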
## Mitigation Strategies
- **Identity Protection**: Implement phishing-resistant MFA and conduct regular social engineering training.
- **Asset Management**: Maintain a comprehensive inventory to distinguish between authorized and unauthorized devices/users.
- **Network Segmentation**: Isolate critical manufacturing systems (the most targeted sector) to prevent lateral movement.
- **Hardening**: Disable RDP where not required and restrict the use of PowerShell/PsExec to specific administrative accounts.
- **Readiness**: Conduct ransomware simulations and response testing, specifically during typically "quiet" months like January.
## Related Tools/Techniques
- **RDP (Remote Desktop Protocol)**: The primary mechanism for lateral movement.
- **PsExec**: Used for remote service execution.
- **PowerShell**: Used for script-based automation of the attack chain.