New whitepaper reveals record number of attacks as threat landscape evolves with new players and new tactics.
# Incident Report: Evolving Ransomware Tactics and Record Extortion Attacks in 2025
## Executive Summary
The year 2025 saw a record number of cyber extortion attempts, marked by the tactical evolution of threat actors who increasingly rely on data theft rather than encryption for leverage. This shift, highlighted by the success of groups like Snakefly (Cl0p), has driven a 23% increase in total extortion attacks compared to the previous year. While large RaaS operations collapsed, new actors expanded rapidly, utilizing legitimate system tools ("living off the land") to minimize detection while exploiting vulnerabilities like zero-days in enterprise software.
## Incident Details
- Discovery Date: Data analyzed throughout 2025, with specific campaign disclosure dates noted (e.g., October 2025 for a Snakefly campaign).
- Incident Date: Primarily associated with activity observed and analyzed throughout the calendar year 2025.
- Affected Organization: Specific victims are not named, but the analysis covers attacks against "multiple major corporations" (ShinyHunters) and users of enterprise software like Oracle EBS.
- Sector: Not specified; the analysis spans the broad range of sectors targeted by ransomware, including large enterprise environments.
- Geography: Global, as implied by the widespread nature of the studied threat actors and tools.
## Timeline of Events
### Initial Access
- Date/Time: Varies across 2025. One noted example: October 2025 (Snakefly campaign).
- Vector: Exploitation of zero-day vulnerabilities in enterprise software (e.g., CVE-2025-61882 in Oracle EBS) or supply chain weaknesses.
- Details: Attackers gain access before organizations are aware of the issue, often without needing traditional malware deployment initially.
### Lateral Movement
- Details: Attackers heavily rely on "living off the land" techniques, primarily using legitimate software already present on the network to move undetected. PowerShell was the most frequently abused tool, appearing in 25% of attacks.
### Data Exfiltration/Impact
- Details: In the newer "encryptionless extortion" attacks, the primary activity is large-scale data exfiltration, used purely as leverage for extortion. Rclone, seen in 10% of attacks, was noted as a tool facilitating this.
### Detection & Response
- Details: Detection mechanisms struggled against low-signature activity involving dual-use tools. Response is still required because of the resulting extortion demands, even when no encryption payload is deployed.
## Attack Methodology
- Initial Access: Exploitation of zero-day vulnerabilities; exploiting weaknesses in the software supply chain.
- Persistence: Use of dual-use tools such as Remote Access/RMM software (AnyDesk, ScreenConnect, Splashtop) acting as backdoors.
- Privilege Escalation: Not explicitly detailed, but implied through the use of powerful native tools like PowerShell.
- Defense Evasion: Heavy reliance on "Living Off The Land" binaries (LoLBins) like PowerShell to minimize the introduction of novel malware signatures.
- Credential Access: Implied through the use of native OS tools for expanding access (not explicitly detailed).
- Discovery: Use of network scanning tools like NetScan (19% of attacks).
- Lateral Movement: Use of native tools (PowerShell) and administrative utilities like PsExec (22% of attacks).
- Collection: Use of network scanners and remote backup utilities repurposed for data staging/exfiltration (e.g., Rclone).
- Exfiltration: Use of dual-use remote backup utilities (Rclone).
- Impact: Coercion and extortion based on the threat of data leak; encryption optional (for groups using the newer model).
## Impact Assessment
- Financial: Not quantified, but implied to be significant given a record number of extortion attempts against large organizations.
- Data Breach: Large-scale data theft is the primary leverage mechanism. The type of data is not specified, but is implied to be sensitive business information.
- Operational: Operational disruption is possible if encryption ransomware is used, but the primary modern impact is associated with the pressure of imminent data leaks.
- Reputational: High risk due to public listing and extortion threats associated with ransomware leak sites.
## Indicators of Compromise
(Note: As this report summarizes trends and methodologies rather than a single instance, specific IoCs are generalized based on frequently used tools.)
- Network indicators: Connections to Command and Control infrastructure associated with emerging groups (Akira, Qilin, Safepay, DragonForce).
- File indicators: Presence of dual-use tools such as PsExec and NetScan being executed outside of standard administrative windows.
- Behavioral indicators: Excessive use of PowerShell for administrative tasks, unusual activity from repurposed RMM/Remote Access tools (AnyDesk, ScreenConnect) initiating data transfers to external locations.
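The behavioral and file indicators above translate directly into detection rules. The following is an added example, not code from the report or its authors, that evaluates three of them over constructed endpoint telemetry: dual-use tools (PsExec, NetScan) executed outside an assumed maintenance window, RMM/remote-access tools (AnyDesk, ScreenConnect, Splashtop) pushing large transfers to external addresses, and Rclone connecting outbound at all. The log format, the 08:00-18:00 UTC weekday admin window, the 100 MiB transfer threshold and the "internal" network ranges are all assumptions for the example; the sample events and IP addresses are constructed (the external addresses are documentation ranges, so the code checks against the internal ranges rather than relying on `ipaddress`'s `is_global`, which treats those ranges as non-global).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime

# Tool names taken from the report's indicator list.
DUAL_USE_TOOLS = {"psexec.exe", "netscan.exe"}
RMM_TOOLS = {"anydesk.exe", "screenconnect.clientservice.exe", "splashtop.exe"}
EXFIL_TOOLS = {"rclone.exe"}

# Assumed policy values (hypothetical, adjust to the environment).
ADMIN_WINDOW_HOURS = (8, 18)          # 08:00-18:00 UTC, Monday to Friday
LARGE_TRANSFER_BYTES = 100 * 2**20    # 100 MiB outbound from an RMM process is "unusual"
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample telemetry, one key=value event per line (not data from the report).
SAMPLE_LOG = """\
2025-10-14T10:12:05Z host=ws-17 user=admin event=process image=psexec.exe
2025-10-15T02:41:33Z host=srv-db1 user=svc_backup event=process image=PsExec.exe
2025-10-15T02:43:10Z host=srv-db1 user=svc_backup event=process image=netscan.exe
2025-10-15T03:05:44Z host=srv-db1 user=svc_backup event=netconn image=anydesk.exe dst=203.0.113.45 dport=443 bytes_out=734003200
2025-10-15T09:20:00Z host=ws-22 user=helpdesk event=netconn image=anydesk.exe dst=10.20.30.40 dport=7070 bytes_out=120000
2025-10-15T03:30:12Z host=srv-file2 user=svc_backup event=netconn image=rclone.exe dst=198.51.100.9 dport=443 bytes_out=5368709120
2025-10-15T11:00:00Z host=ws-05 user=jdoe event=process image=powershell.exe
"""


@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    detail: str


def parse_line(line: str) -> dict[str, str]:
    """Split 'TIMESTAMP k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *fields = line.split()
    event = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def outside_admin_window(ts: str) -> bool:
    """True if the UTC timestamp falls on a weekend or outside the assumed admin hours."""
    t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    start, end = ADMIN_WINDOW_HOURS
    return t.weekday() >= 5 or not (start <= t.hour < end)


def is_external(ip: str) -> bool:
    """Anything not inside the assumed internal ranges is treated as external."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def evaluate(event: dict[str, str]) -> list[Alert]:
    """Apply the indicator rules to a single parsed event."""
    image = event.get("image", "").lower()
    host = event.get("host", "?")
    alerts: list[Alert] = []

    if event.get("event") == "process" and image in DUAL_USE_TOOLS and outside_admin_window(event["ts"]):
        alerts.append(Alert("dual_use_off_hours", host,
                            f"{image} run by {event.get('user')} at {event['ts']}"))

    if event.get("event") == "netconn" and is_external(event["dst"]):
        bytes_out = int(event.get("bytes_out", "0"))
        if image in RMM_TOOLS and bytes_out >= LARGE_TRANSFER_BYTES:
            alerts.append(Alert("rmm_external_transfer", host,
                                f"{image} sent {bytes_out} bytes to {event['dst']}:{event['dport']}"))
        elif image in EXFIL_TOOLS:
            alerts.append(Alert("rclone_external_transfer", host,
                                f"{image} connected to {event['dst']}:{event['dport']}"))
    return alerts


def scan(log: str) -> list[Alert]:
    """Run every rule over every non-empty line of the log and collect the alerts."""
    return [alert for line in log.splitlines() if line.strip()
            for alert in evaluate(parse_line(line))]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

Run against the sample, the daytime PsExec on ws-17 and the AnyDesk session to an internal help-desk address produce nothing, while the off-hours PsExec/NetScan pair and the two large external transfers from srv-db1 and srv-file2 are flagged. In practice the process and network events would be joined on host and time so that the RMM transfer can be tied back to the session that launched it.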
## Response Actions
- Containment measures: Focus likely shifted towards identifying and blocking unauthorized use of dual-use administrative tools and securing initial access points (especially software vendors/installations).
- Eradication steps: Removal of unauthorized remote access software and ensuring PowerShell usage adheres to security policies.
- Recovery actions: (Not explicitly detailed, but implied) Restoring systems if encryption was deployed, and managing reputation/legal fallout from data extortion.
- Specific action noted: Immediate patching/mitigation against exploited zero-days (e.g., CVE-2025-61882).
## Lessons Learned
- The landscape has diversified, with new actors rapidly filling voids left by dismantled groups (LockBit, RansomHub).
- Encryption-less extortion proves highly effective, requiring security teams to guard against data theft as the primary threat vector, not just file encryption.
- The reliance on legitimate, dual-use software (LOTL) significantly increases the difficulty of detection, as baseline security tools may ignore native components.
- Supply chain vulnerabilities remain a critical vector for achieving initial, high-impact access.
## Recommendations
- Enhance proactive threat hunting focused specifically on native administrative binary execution (PowerShell, PsExec) to detect volumetric deviations indicative of lateral movement.
- Implement strict governance and monitoring for all Remote Access and RMM software, treating them as high-value targets/backdoors.
- Increase focus on securing the software supply chain and rapidly patching vulnerabilities affecting core enterprise applications, especially zero-days.
- Assume data theft is occurring even if encryption is not deployed, and implement robust Data Loss Prevention (DLP) policies.
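The first recommendation asks for hunting that spots volumetric deviations in native administrative binary execution rather than matching signatures, since the binaries themselves are legitimate. The following is an added example, not from the report, of one way to do that: build a per-host baseline of daily PowerShell and PsExec execution counts, then flag hosts whose current count is a statistical outlier against their own history, or which have never run the tool before and now do. The baseline window, the z-score threshold and the minimum absolute counts are assumptions; the per-host counts are constructed.

```python
from __future__ import annotations

import statistics
from dataclasses import dataclass

# Assumed tuning values (hypothetical).
Z_THRESHOLD = 3.0        # how far above the host's own mean counts as a spike
MIN_DELTA = 5            # ignore tiny absolute increases even if the z-score is high
MIN_NEW_COUNT = 3        # first-ever executions below this are not worth an alert
STDEV_FLOOR = 1.0        # avoid dividing by a near-zero standard deviation

# Constructed daily execution counts per tool and host over a 14-day baseline (not report data).
BASELINE: dict[str, dict[str, list[int]]] = {
    "powershell.exe": {
        "ws-05":   [3, 4, 2, 5, 3, 4, 3, 2, 4, 3, 5, 4, 3, 4],
        "srv-db1": [0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0, 0],
        "mgmt-01": [40, 38, 45, 42, 39, 41, 44, 40, 43, 38, 42, 41, 39, 40],
    },
    "psexec.exe": {
        "mgmt-01": [2, 1, 3, 2, 2, 1, 2, 3, 2, 1, 2, 2, 3, 2],
        "ws-05":   [0] * 14,
        "srv-db1": [0] * 14,
    },
}

# Constructed counts for the day being hunted.
TODAY: dict[str, dict[str, int]] = {
    "powershell.exe": {"ws-05": 4, "srv-db1": 37, "mgmt-01": 43},
    "psexec.exe":     {"mgmt-01": 2, "ws-05": 9, "srv-db1": 0},
}


@dataclass(frozen=True)
class Finding:
    tool: str
    host: str
    rule: str
    today: int
    baseline_mean: float
    zscore: float


def score_host(tool: str, host: str, history: list[int], today: int) -> Finding | None:
    """Compare today's count for one host against that host's own history."""
    mean = statistics.fmean(history)

    # A host that has never run the tool and now does is a change in behaviour,
    # which matters for PsExec-style lateral movement regardless of volume.
    if max(history) == 0:
        if today >= MIN_NEW_COUNT:
            return Finding(tool, host, "new_behaviour", today, mean, float("inf"))
        return None

    stdev = max(statistics.stdev(history), STDEV_FLOOR)
    z = (today - mean) / stdev
    if z > Z_THRESHOLD and today - mean >= MIN_DELTA:
        return Finding(tool, host, "volume_spike", today, mean, round(z, 2))
    return None


def hunt(baseline: dict[str, dict[str, list[int]]],
         today: dict[str, dict[str, int]]) -> list[Finding]:
    """Score every (tool, host) pair that has both a baseline and a current count."""
    findings: list[Finding] = []
    for tool, hosts in baseline.items():
        for host, history in hosts.items():
            if host in today.get(tool, {}):
                finding = score_host(tool, host, history, today[tool][host])
                if finding is not None:
                    findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(BASELINE, TODAY):
        print(f"{f.rule:14} {f.tool:15} {f.host:8} today={f.today} "
              f"baseline_mean={f.baseline_mean:.2f} z={f.zscore}")
```

On the constructed data, the busy management host mgmt-01 running a few more PowerShell instances than usual is left alone, while srv-db1 jumping from near-zero to 37 PowerShell executions and ws-05 launching PsExec for the first time are both surfaced. Baselining per host rather than per fleet is what keeps the noisy-but-normal admin box from drowning out the quiet server that suddenly changed.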