Ransomware Groups Innovate with Supply Chain Attacks and Credential Harvesting
Ransomware operators are increasingly leveraging supply chain attacks and credential harvesting to expand their reach and maximize profits. Notable groups such as Qilin, Akira, Sinobi, INC Ransom, and Play have been identified as leading actors, with the Clop group repeatedly exploiting zero-day vulnerabilities in widely used software, including managed file transfer solutions and Oracle E-Business Suite, to compromise multiple organizations simultaneously. The volume of ransomware victims listed on data leak sites surged by one-third from September to October, according to Cyble, highlighting the persistent threat posed by these actors.
Despite a decrease in total ransom payments from $1.25 billion in 2023 to $814 million in 2024, ransomware groups are actively innovating to reverse this trend, including launching new affiliate programs and refining their attack techniques. However, some operations have suffered from sloppy coding, occasionally resulting in unrecoverable data. The continued evolution of ransomware tactics underscores the need for organizations to strengthen defenses against both direct and supply chain threats, as well as to monitor for credential harvesting activities that may precede future attacks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers note Obscura ransomware causes unrecoverable data loss
Analysis found that the Obscura ransomware strain was poorly coded, sometimes leaving victims unable to recover data even after paying a ransom.
Attackers use SonicWall SSL VPN credential harvesting for later intrusions
Ransomware operators increasingly harvested credentials from edge devices, especially SonicWall SSL VPNs, to enable follow-on ransomware attacks against compromised organizations.
Scattered Lapsus$ Hunters launches ShinySp1d3r and affiliate model
A newer ransomware actor, Scattered Lapsus$ Hunters, emerged with its own ransomware variant called ShinySp1d3r and an affiliate program, reflecting a move toward in-house tooling and profit retention.
Clop exploits Oracle E-Business Suite zero-days for data theft
The Clop ransomware group exploited zero-day vulnerabilities in Oracle E-Business Suite in a supply-chain-style campaign to steal data at scale from victim organizations.
Chainalysis reports ransomware payments fell in 2024
Chainalysis tracked ransomware payments dropping from $1.25 billion in 2023 to $814 million in 2024, indicating reduced victim payments despite continued ransomware activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Tactics and Defenses in 2025
Ransomware remains one of the most significant threats to organizations worldwide, with attackers continuously evolving their tactics to maximize impact and profits. Recent analysis highlights that the most successful ransomware groups leverage automation, customization, and advanced tooling, with groups like Qilin and LockBit 5.0 leading the market by using data leak sites to pressure victims into paying ransoms. The ransomware-as-a-service (RaaS) model has further lowered the barrier to entry for cybercriminals, enabling a wider range of actors to participate in attacks. Double extortion tactics, where data is both encrypted and exfiltrated for additional leverage, are now commonplace, and the underground economy supporting ransomware is thriving, with infostealers playing a critical role in supplying credentials for initial access. Defending against ransomware requires a multi-layered approach, including the deployment of open-source platforms like Wazuh for detection and response, as well as a focus on securing credentials and monitoring for infostealer activity. The proliferation of infostealers has transformed cybercrime, enabling attackers to bypass multi-factor authentication and facilitate lateral movement within networks. Organizations are urged to improve visibility across assets, implement robust access controls, and stay vigilant against phishing and other common ransomware delivery vectors. The ongoing evolution of ransomware and its supporting ecosystem underscores the need for continuous adaptation of security strategies and technologies.
Mar 21, 2026
Ransomware Recovery Challenges and the Shift to Targeted Attacks
Ransomware attacks continue to pose a significant threat to organizations, with recent surveys indicating that paying the ransom does not guarantee successful data recovery. According to Hiscox’s Cyber Readiness Report, only 60% of companies that paid a ransom were able to recover all or part of their data, while 40% lost their data despite payment. The technical sophistication of ransomware operators varies, with established groups more likely to provide functional decryptors, but many victims still face flawed encryption or unresponsive attackers. Additionally, the frequency of ransomware incidents has surged, with reports showing a near tripling of cases year-over-year in early 2025, and a majority of victims experiencing data theft even after paying ransoms. The ransomware landscape has evolved from high-volume, opportunistic attacks to a "big game hunting" model, where adversaries selectively target organizations with the most to lose and the greatest ability to pay. New criminal syndicates such as Spoiled Scorpius (RansomHub) and Howling Scorpius (Akira) are conducting sophisticated, long-term campaigns against high-value targets, often employing multi-extortion tactics that combine data encryption with threats of public exposure. This strategic shift has transformed ransomware from a purely IT issue into a critical business continuity threat, requiring organizations to adopt new defensive strategies and prepare for more calculated, high-impact attacks.
Apr 21, 2026
Ransomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies. The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.
May 11, 2026