
2025 Ransomware: Business as Usual, Business is Booming
Getting an edge on your adversaries involves understanding their behaviours and their mindset. To provide a picture of the year thus far, Rapid7 Labs looked at internal and publicly available ransomware data for Q1 2025, added our own insights, and set out what organisations can do to reduce their attack surface against ransomware.
The data highlights that businesses can't take their foot off the gas when it comes to proactively tackling ransomware. Established threat actors and relative newcomers are taking an "if it ain't broke, don't fix it" approach, shunning unpredictability for proven revenue generation techniques. And, in almost all cases, the name of the game is data exfiltration and blackmail via leak site posts.
The heavy hitters of the ransomware landscape are a mixture of new and familiar faces, largely leaning into the affiliate model or announcing partnerships with well-known groups for a visibility boost. There were 80 active groups in Q1, 16 of them new since January 1. A further 13 groups were active in Q4 2024 but have so far been silent in 2025.
New ransomware groups active since the start of 2025 include (but are not limited to): Ailock, Belsen Group, CrazyHunter, Cs-137, D0Glun, GD LockerSec, Linkc, NightSpire, Ox Thief, Run Some Wares, SECP0, Sonshi, and VanHelsing.
The most prolific ransomware groups for Q1 2025, ranked by the number of posts on their dedicated leak sites, are Cl0p and RansomHub by a considerable margin. Alongside these two, several other groups are disrupting businesses of varying sizes and industries and are ones to watch. These include Anubis, Lynx and Qilin.
Popular targets in Q1:
- Manufacturing, business services, healthcare, and construction were the top industries under siege by a variety of established and newly emerging threat actors. Of the 618 leak site posts we reviewed containing victims' industry information, 22% were manufacturing organisations. Business services was a distant second at 11%, followed by healthcare services and construction, both at 10%.
- Top regional targets included traditional favourites such as the U.S., Canada, the UK, Germany, and Australia, as well as a fair share of victims in Taiwan, Singapore, and Japan. We also saw an increase of victims in Colombia and Thailand.
Some of the notable trends included:
- Reinvested ransoms
The Black Basta chat leaks that occurred in February provided an insightful look into not only the group's infighting, but also its inner workings. And while the group's activity stopped dead in its tracks (the last leak site post was on January 11, 2025), we would be remiss not to mention a significant trend we had long suspected but could only verify with these chat logs: ransomware groups are reinvesting the ransoms they are paid to purchase zero-days.
Within the Black Basta chat logs, we observed that on November 23, 2023, the group was offered a zero-day exploit targeting Ivanti Connect Secure for purchase. The exploit came with an asking price of US$200,000 and was described by the seller as an unauthenticated RCE exploit leveraging a previously unknown memory corruption vulnerability.
Separately from the Ivanti discussion, we observed that Black Basta did indeed buy a Juniper firewall exploit. The purchase followed a comparison between a public, authenticated remote code execution (RCE) exploit, which gives only user-mode access, and the one on offer, which provides full root access.
- Repackaged offerings
Several groups are making a name for themselves simply by dragging out the classics. Most recently, a supposedly resurrected Babuk ransomware group was not all it seemed: old data taken from RansomHub, FunkSec and LockBit was repurposed as its own. Rapid7 analysis highlights the difficulty of tracking groups that reform or collaborate under new identities, with "Babuk 2.0" being LockBit 3.0 / LockBit Black under a different name.
Elsewhere, FunkSec is not above repurposing old leak data, and LockBit was found to be posting a mixture of old data and faked attacks after the global arrests of suspected LockBit developers and affiliates. Visibly weakened by the trilateral law enforcement action, what was left of LockBit turned to fakery to make it seem as though things were still business as usual.
- Restructured groups
When ransomware groups go silent, others are there to take their place. Part of this dynamic is a continuously circulating affiliate network that keeps defenders and cybersecurity analysts on their toes. Rebrands aside, Rapid7 observed what appears to be a "changing of the guard" within the Akira ransomware group.
Tactics
Ransomware groups tend to follow a set pattern: initial access, reconnaissance, credential theft and lateral movement, exfiltration and, finally, encryption. There are divergences, however. Some groups skip ransomware deployment and file encryption altogether, instead compromising the network via unsecured VPNs and Remote Desktop Protocol (RDP) and moving straight to data exfiltration. This is known as "extortionware."
Other threat actors, notably LockBit, use Living off the Land (LOTL) tactics, infiltrating networks with the legitimate tools and management software already in place. Because no malware files are deployed, these attacks are much harder to detect in motion, and threat actors can sit undetected for weeks or even months.
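Because no single event in an extortionware or LOTL intrusion is malicious on its own (an RDP logon, an archiver run, a large upload), detecting the chain in motion is a correlation problem. The following is an added example, not code from the Rapid7 report: it correlates the three stages described above (remote access over RDP, staging with legitimate tools, bulk outbound transfer) per host within a time window. The line format, the tool list, the byte threshold, the 24-hour window and all of the sample telemetry are constructed assumptions for illustration, not Rapid7 data or a real SIEM schema.

```python
"""Added example, not part of the Rapid7 report: correlate the extortionware chain
described above (remote access over RDP, living-off-the-land staging with
legitimate tools, then bulk outbound transfer) across per-host telemetry.
The line format, tool list, thresholds and all sample events are constructed
assumptions for illustration, not Rapid7 data or a real SIEM schema."""
import shlex
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Legitimate tooling routinely abused for staging and exfiltration (assumed list;
# extend with whatever is sanctioned-but-dangerous in your own estate).
LOTL_TOOLS = {"rclone.exe", "7z.exe", "winscp.exe", "megasync.exe",
              "psexec.exe", "bitsadmin.exe", "certutil.exe"}
EXFIL_BYTES_THRESHOLD = 500 * 1024 * 1024   # assumed: 500 MiB in a single outbound flow
WINDOW = timedelta(hours=24)                 # assumed: access -> exfil within one day

# "Internal" is defined explicitly rather than via ipaddress.is_private, which would
# also treat the documentation ranges used in the sample data as non-routable.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside the assumed internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse(line: str) -> dict:
    """Parse one constructed 'key=value' telemetry line; quoted values may contain spaces."""
    fields = dict(tok.split("=", 1) for tok in shlex.split(line))
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def classify(event: dict):
    """Map an event to a chain stage, or None if it is not interesting on its own."""
    if (event["type"] == "logon" and event.get("logon_type") == "10"   # 10 = RemoteInteractive (RDP)
            and is_external(event["src_ip"])):
        return "remote_access"
    if event["type"] == "process" and event["image"].lower() in LOTL_TOOLS:
        return "lotl_staging"
    if (event["type"] == "netflow" and int(event["bytes_out"]) >= EXFIL_BYTES_THRESHOLD
            and is_external(event["dst_ip"])):
        return "exfiltration"
    return None


def detect_chains(telemetry: str) -> dict:
    """Return {host: {stage: timestamp}} for hosts showing all three stages in order
    within WINDOW. A single stage (e.g. an admin running 7z) is deliberately not a hit."""
    by_host: dict = {}
    for line in telemetry.splitlines():
        if not line.strip():
            continue
        event = parse(line)
        stage = classify(event)
        if stage:
            by_host.setdefault(event["host"], {}).setdefault(stage, []).append(event["ts"])
    hits = {}
    for host, stages in by_host.items():
        staging = sorted(stages.get("lotl_staging", []))
        exfil = sorted(stages.get("exfiltration", []))
        for t_access in sorted(stages.get("remote_access", [])):
            t_stage = next((t for t in staging if t >= t_access), None)
            t_exfil = next((t for t in exfil if t_stage is not None and t >= t_stage
                            and t - t_access <= WINDOW), None)
            if t_exfil is not None:
                hits[host] = {"remote_access": t_access,
                              "lotl_staging": t_stage, "exfiltration": t_exfil}
                break
    return hits


# Constructed telemetry: FS01 shows the full chain from an external address; WS17 is a
# benign internal RDP session with an archive extraction and a large copy to a file server.
SAMPLE_TELEMETRY = """\
ts=2025-02-10T01:58:00 host=FS01 type=logon logon_type=10 user=svc_backup src_ip=203.0.113.7
ts=2025-02-10T02:14:00 host=FS01 type=process user=svc_backup image=7z.exe cmdline="7z a -p f.7z D:/Finance"
ts=2025-02-10T02:20:00 host=FS01 type=process user=svc_backup image=rclone.exe cmdline="rclone copy C:/Temp remote:drop"
ts=2025-02-10T02:41:00 host=FS01 type=netflow dst_ip=198.51.100.22 dst_port=443 bytes_out=734003200
ts=2025-02-10T09:00:00 host=WS17 type=logon logon_type=10 user=jdoe src_ip=10.20.1.5
ts=2025-02-10T09:05:00 host=WS17 type=process user=jdoe image=7z.exe cmdline="7z x update.zip"
ts=2025-02-10T09:30:00 host=WS17 type=netflow dst_ip=10.20.0.9 dst_port=445 bytes_out=900000000
"""

if __name__ == "__main__":
    for host, chain in detect_chains(SAMPLE_TELEMETRY).items():
        print(host, {k: v.isoformat() for k, v in chain.items()})
```

Run stand-alone, the script reports only FS01: WS17 runs the same archiver and moves a similar volume of data, but its RDP session and its transfer both stay inside the assumed internal ranges, so no stage other than staging fires. The point of the ordering and window constraints is that each stage on its own is ordinary administrative activity; it is the sequence that distinguishes LOTL exfiltration from a backup job.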
RaaS is firmly established as a key tactic for prominent ransomware groups. The ease with which affiliates can buy into a ransomware group of choice and immediately begin attacks ensures a steady flow of profit for the criminals at the top of the food chain.
Double extortion is also a firm favourite. FunkSec made inroads into this realm with ransoms as low as US$10,000, perhaps designed to be more enticing to victims than the often unreachable demands for totals ranging from US$600,000 to a cool million plus.
The deadline to pay a ransom, or simply to make initial contact with the threat actor, varies greatly between groups. RansomHub has previously issued ransom demands with deadlines ranging from 72 hours to 90 days. Cl0p has been known to apply varying degrees of pressure to encourage targets to get in touch. In December 2024, the group gave uncommunicative victims 48 hours to make contact or risk having their organisation's name disclosed publicly. Other Cl0p notes, such as the one below, reuse the 48-hour tactic but omit any mention of public exposure. Regardless of the tactics used, there is no guarantee that files will be decrypted or stolen documents deleted from leak sites should victims pay up. These supposed deadlines create a sense of urgency while potentially offering victims little beyond false hope.
Five things you can do now
Unfortunately, there is no escaping the business reality of ransomware; it is a pervasive problem and it impacts every business at some level sooner or later. A solid defence plan can help to lower risk and prevent a disastrous outcome.
There are five things an organisation can do now that will have an immediate impact on reducing its attack surface:
- Take a fresh look at your multi-factor authentication (MFA) coverage.
- Deploy and configure MFA the right way.
- Practise continuous patch management, especially for edge devices.
- Hold a ransomware attack simulation.
- Investigate your attack surface.
Conclusion
Ransomware groups have ushered in 2025 with a clear statement of intent: business as usual, and business is booming. The significant volume of leak posts and the heavy lean toward double extortion indicate that we can expect more of the same as the year unfolds. Additionally, the first glimmer of reportage-style commentary on their victims' alleged failings suggests a bumpy road ahead for organisations that end up in the ransomware spotlight.
Newer groups hungry for publicity and affiliate network building will potentially look to emulate the Anubis approach and do a little reportage-style journalism of their own. Gimmicks sell and grab publicity, and reputational damage from data leaks may well go hand in hand with regulatory embarrassment and bad press. If that wasn't bad enough, ransomware groups stand revealed through exposed chat logs as being in the market for zero-days.
Businesses need to do everything they can to minimise the risk of easy network access and data exfiltration. Unfortunately, victims continue to pay the price for poor MFA coverage and inadequate patch management. If there is a brave new world of ransomware to speak of, it largely resembles the old one with a few streamlined tweaks to a very well-oiled machine.