Ransomware Groups Innovate with Supply Chain Attacks and Credential Harvesting
Ransomware operators are increasingly leveraging supply chain attacks and credential harvesting to expand their reach and maximize profits. Notable groups such as Qilin, Akira, Sinobi, INC Ransom, and Play have been identified as leading actors, with the Clop group repeatedly exploiting zero-day vulnerabilities in widely used software, including managed file transfer solutions and Oracle E-Business Suite, to compromise multiple organizations simultaneously. The volume of ransomware victims listed on data leak sites surged by one-third from September to October, according to Cyble, highlighting the persistent threat posed by these actors.
Despite a decrease in total ransom payments from $1.25 billion in 2023 to $814 million in 2024, ransomware groups are actively innovating to reverse this trend, including launching new affiliate programs and refining their attack techniques. However, some operations have suffered from sloppy coding, occasionally resulting in unrecoverable data. The continued evolution of ransomware tactics underscores the need for organizations to strengthen defenses against both direct and supply chain threats, as well as to monitor for credential harvesting activities that may precede future attacks.
Sources
Related Stories
Ransomware Tactics and Defenses in 2025
Ransomware remains one of the most significant threats to organizations worldwide, with attackers continuously evolving their tactics to maximize impact and profits. Recent analysis highlights that the most successful ransomware groups leverage automation, customization, and advanced tooling, with groups like Qilin and LockBit 5.0 leading the market by using data leak sites to pressure victims into paying ransoms. The ransomware-as-a-service (RaaS) model has further lowered the barrier to entry for cybercriminals, enabling a wider range of actors to participate in attacks. Double extortion tactics, where data is both encrypted and exfiltrated for additional leverage, are now commonplace, and the underground economy supporting ransomware is thriving, with infostealers playing a critical role in supplying credentials for initial access. Defending against ransomware requires a multi-layered approach, including the deployment of open-source platforms like Wazuh for detection and response, as well as a focus on securing credentials and monitoring for infostealer activity. The proliferation of infostealers has transformed cybercrime, enabling attackers to bypass multi-factor authentication and facilitate lateral movement within networks. Organizations are urged to improve visibility across assets, implement robust access controls, and stay vigilant against phishing and other common ransomware delivery vectors. The ongoing evolution of ransomware and its supporting ecosystem underscores the need for continuous adaptation of security strategies and technologies.
4 months agoRansomware Recovery Challenges and the Shift to Targeted Attacks
Ransomware attacks continue to pose a significant threat to organizations, with recent surveys indicating that paying the ransom does not guarantee successful data recovery. According to Hiscox’s Cyber Readiness Report, only 60% of companies that paid a ransom were able to recover all or part of their data, while 40% lost their data despite payment. The technical sophistication of ransomware operators varies, with established groups more likely to provide functional decryptors, but many victims still face flawed encryption or unresponsive attackers. Additionally, the frequency of ransomware incidents has surged, with reports showing a near tripling of cases year-over-year in early 2025, and a majority of victims experiencing data theft even after paying ransoms. The ransomware landscape has evolved from high-volume, opportunistic attacks to a "big game hunting" model, where adversaries selectively target organizations with the most to lose and the greatest ability to pay. New criminal syndicates such as Spoiled Scorpius (RansomHub) and Howling Scorpius (Akira) are conducting sophisticated, long-term campaigns against high-value targets, often employing multi-extortion tactics that combine data encryption with threats of public exposure. This strategic shift has transformed ransomware from a purely IT issue into a critical business continuity threat, requiring organizations to adopt new defensive strategies and prepare for more calculated, high-impact attacks.
4 months agoRansomware Surge and Ecosystem Fragmentation in 2025
Ransomware attacks in 2025 have escalated both in volume and sophistication, with a 34%-50% increase in incidents compared to the previous year and over 4,700 confirmed attacks globally between January and September. The ransomware ecosystem has become highly fragmented following law enforcement actions against major groups like LockBit and ALPHV/BlackCat, resulting in the emergence of 45 new groups and a record 85 active extortion operations. Attackers have adopted advanced tactics such as double and triple extortion, AI-driven phishing, and exploitation of cloud and operational technology, with critical infrastructure sectors—manufacturing, healthcare, energy, transportation, and finance—bearing the brunt of these attacks. Despite the surge in attacks, ransom payment rates have dropped to historic lows, forcing threat actors to adapt their business models and extortion strategies. The operational landscape has also been shaped by shifting alliances and rebranding efforts among ransomware groups. Notably, the alleged alliance between Qilin, DragonForce, and LockBit has not led to a consolidation of power but rather continued the trend of ecosystem fragmentation. Analysis of data leak site activity post-alliance announcement shows no significant operational recovery for LockBit, despite renewed branding and the release of a new malware version. These developments underscore the resilience and adaptability of ransomware actors, as well as the ongoing challenges faced by defenders in tracking and mitigating the impact of increasingly decentralized and sophisticated ransomware operations.
2 months ago