Recent Ransomware Threats Targeting Organizations and Critical Sectors
Several new ransomware groups and campaigns have emerged, demonstrating increased sophistication and targeting a range of organizations globally. The SafePay group has established itself as a major threat by operating as a centralized, closed ransomware operation, eschewing the typical Ransomware-as-a-Service (RaaS) model. SafePay employs double extortion tactics, exfiltrating sensitive data before encrypting systems, and leverages rapid attack chains that often move from initial access to full encryption within 24 hours. Their methods include exploiting compromised credentials, misconfigured firewalls, and deploying backdoors for persistence, with a focus on operational security to avoid law enforcement detection.
Other notable threats include the CrazyHunter ransomware, which has aggressively targeted healthcare organizations in Taiwan using advanced evasion techniques and multi-stage attacks that exploit Active Directory and propagate via Group Policy Objects. Meanwhile, the Ransomhouse group, operated by Jolly Scorpius, has upgraded its capabilities with a dual-key encryption system and automated attacks on VMware ESXi hypervisors, particularly focusing on German enterprises. These campaigns highlight a trend toward more targeted, technically advanced ransomware operations that prioritize both data theft and rapid system disruption, posing significant risks to critical infrastructure and sensitive industries.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Trellix-tracked CrazyHunter campaign is publicly analyzed
Public reporting described CrazyHunter as a mature Go-based ransomware operation with structured ransom negotiations, anonymous infrastructure, and hybrid ChaCha20-ECIES encryption. The analysis emphasized its focus on healthcare and the operational maturity observed by Trellix Threat Intelligence analysts.
Report describes Jolly Scorpius upgrade of Ransomhouse platform
A CSO Online report said Jolly Scorpius had significantly upgraded its Ransomhouse platform with dual-key encryption and automated attacks against VMware ESXi environments using the 'MrAgent' tool. German companies in manufacturing, aerospace, and production were identified as primary targets.
Researchers detail SafePay's tactics, encryption, and kill switch
Analysis published by Picus Security described SafePay's initial access methods, defense evasion, hybrid encryption, data exfiltration tooling, and a kill switch that halts execution on systems using Cyrillic keyboard layouts. The report highlighted the group's strict OPSEC and centralized structure as distinguishing features.
CrazyHunter compromises at least six healthcare organizations in Taiwan
CrazyHunter ransomware targeted healthcare organizations in Taiwan, compromising at least six institutions. The campaign used advanced evasion and propagation techniques, including Active Directory abuse, SharpGPOAbuse, and a vulnerable Zemana driver to disable security tools.
SafePay ransomware group emerges as a centralized operation
SafePay emerged in late 2024 as a new ransomware group operating as a centralized, closed organization rather than a typical RaaS model. The group adopted double extortion tactics and rapid intrusion-to-encryption workflows, often completing attacks within 24 hours.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Inside SafePay: Analyzing the New Centralized Ransomware Group
picussecurity.com
Open sourceNeue Ransomware-Bedrohung zielt auf deutsche Unternehmen
csoonline.com
Open sourceCrazyHunter Ransomware Attacking Healthcare Sector with Advanced Evasion Techniques
cybersecuritynews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware Recovery Challenges and the Shift to Targeted Attacks
Ransomware attacks continue to pose a significant threat to organizations, with recent surveys indicating that paying the ransom does not guarantee successful data recovery. According to Hiscox’s Cyber Readiness Report, only 60% of companies that paid a ransom were able to recover all or part of their data, while 40% lost their data despite payment. The technical sophistication of ransomware operators varies, with established groups more likely to provide functional decryptors, but many victims still face flawed encryption or unresponsive attackers. Additionally, the frequency of ransomware incidents has surged, with reports showing a near tripling of cases year-over-year in early 2025, and a majority of victims experiencing data theft even after paying ransoms. The ransomware landscape has evolved from high-volume, opportunistic attacks to a "big game hunting" model, where adversaries selectively target organizations with the most to lose and the greatest ability to pay. New criminal syndicates such as Spoiled Scorpius (RansomHub) and Howling Scorpius (Akira) are conducting sophisticated, long-term campaigns against high-value targets, often employing multi-extortion tactics that combine data encryption with threats of public exposure. This strategic shift has transformed ransomware from a purely IT issue into a critical business continuity threat, requiring organizations to adopt new defensive strategies and prepare for more calculated, high-impact attacks.
Apr 21, 2026
Recent Ransomware and Malware Campaigns Targeting Organizations and Individuals
A surge in sophisticated cyberattacks has been observed, with threat actors employing a variety of tactics to compromise organizations and individuals. Notable incidents include the use of the BYOVD (Bring Your Own Vulnerable Driver) technique to deploy DeadLock ransomware, as well as targeted campaigns leveraging phishing emails with HR-related lures to distribute Remcos RAT malware. Additionally, attackers are exploiting popular movie torrents to spread Agent Tesla via layered PowerShell scripts, and Android users in Spain are being targeted by the DroidLock ransomware, which can hijack devices and demand ransom through full-screen overlays. These campaigns demonstrate a trend toward multi-stage infection chains, abuse of legitimate tools and drivers, and the use of social engineering to increase the likelihood of successful compromise. Other significant developments include the targeting of Canadian organizations by the STAC6565/Gold Blade group using QWCrypt ransomware, and the emergence of new threat actor tactics such as disabling endpoint detection and response (EDR) systems to facilitate ransomware deployment. The threat landscape is further complicated by the activities of groups like Scattered Lapsus$ Hunters, who use social engineering and typosquatted domains to compromise Zendesk users, and the exposure of internal dynamics within ransomware groups like BlackBasta, revealing operational stress and internal mistrust. These incidents underscore the evolving nature of cyber threats, the blending of espionage and financial motives, and the increasing sophistication of both technical and social attack vectors.
Mar 21, 2026
Ransomware Groups Innovate with Supply Chain Attacks and Credential Harvesting
Ransomware operators are increasingly leveraging supply chain attacks and credential harvesting to expand their reach and maximize profits. Notable groups such as Qilin, Akira, Sinobi, INC Ransom, and Play have been identified as leading actors, with the Clop group repeatedly exploiting zero-day vulnerabilities in widely used software, including managed file transfer solutions and Oracle E-Business Suite, to compromise multiple organizations simultaneously. The volume of ransomware victims listed on data leak sites surged by one-third from September to October, according to Cyble, highlighting the persistent threat posed by these actors. Despite a decrease in total ransom payments from $1.25 billion in 2023 to $814 million in 2024, ransomware groups are actively innovating to reverse this trend, including launching new affiliate programs and refining their attack techniques. However, some operations have suffered from sloppy coding, occasionally resulting in unrecoverable data. The continued evolution of ransomware tactics underscores the need for organizations to strengthen defenses against both direct and supply chain threats, as well as to monitor for credential harvesting activities that may precede future attacks.
Mar 21, 2026