Ransomware Never Dies, It Multiplies

▼ Summary
– Ransomware attacks reached a record high of 4,737 claimed incidents in 2025, despite major criminal groups like LockBit and RansomHub collapsing.
– The ransomware ecosystem proved resilient as affiliates quickly shifted to other groups like Akira and Qilin, maintaining overall attack volumes.
– Extortion methods expanded significantly, with data-theft-only attacks (no encryption) increasing total incidents by 23% to 6,182 in 2025.
– Social engineering became a primary access method, with attackers using impersonation and cloud app abuse to breach systems without malware.
– Attack chains relied heavily on shared techniques like “living off the land” and older espionage tooling, complicating detection and enabling quick adaptation.
The persistent threat of ransomware continues to evolve, with attack volumes reaching new heights in 2025 despite significant law enforcement actions against major criminal groups. A comprehensive study reveals that the disruption caused by takedowns is often temporary, as the underlying criminal ecosystem rapidly adapts. The total number of extortion incidents, including both traditional encryption attacks and newer data-theft campaigns, surged to over 6,100 last year. This represents a substantial increase and underscores a dangerous expansion in cybercriminal tactics.
Even with the high-profile collapses of groups like LockBit and RansomHub, overall activity hit a record. Attackers claimed responsibility for 4,737 ransomware incidents in 2025, the highest annual figure in the dataset. The disappearance of a leading group like RansomHub caused only a brief dip in April; its affiliates simply migrated to other operations, and attack levels recovered within weeks. This fluid movement of criminal talent between different ransomware services ensures the threat landscape remains volatile and resilient.
The leadership board among ransomware gangs saw a significant reshuffle. With former giants out of the picture, other groups rose to prominence. Akira and Qilin each accounted for 16% of all claimed attacks during the year. They were followed by Inc and Safepay, while a new player called DragonForce emerged to claim a 5% share. This constant churn demonstrates how criminal affiliates and their tools circulate freely, maintaining pressure on organizations worldwide.
Perhaps the most alarming trend is the rise of encryptionless extortion. In these campaigns, attackers bypass ransomware deployment entirely. Instead, they focus on stealing sensitive data and then threatening to publish it unless a payment is made. When these incidents are combined with traditional ransomware, the total extortion count jumps to 6,182 for 2025, a 23% increase from the previous year. Groups like Snakefly, behind the Cl0p operation, have pioneered this approach by exploiting widespread software vulnerabilities to steal data from hundreds of organizations at once.
Gaining initial access to corporate networks has also seen a shift in methodology. There has been a marked increase in social engineering attacks targeting cloud platforms and identity systems. Criminal collectives have successfully used phone-based impersonation, credential harvesting, and the manipulation of OAuth workflows to trick employees. In many cases, staff were fooled into authorizing malicious applications or sharing authentication codes, believing they were interacting with legitimate IT support. This method reduces the attackers’ reliance on malware and makes detection much harder in cloud-heavy environments.
Analysis of newer ransomware strains has uncovered disturbing links to state-sponsored espionage tools. A strain tracked as Warlock, which appeared in mid-2025, exploited a zero-day flaw and used sophisticated delivery mechanisms. Its toolset, including signed drivers and custom frameworks, has previously been associated with Chinese cyber espionage activity. Some of its payloads even appear to be modified code from leaked LockBit ransomware. This blurring of lines suggests that ransomware deployment is sometimes used to support broader strategic or financial objectives within long-running intrusion campaigns.
Throughout these attacks, the techniques used by ransomware actors remain largely consistent and rely on common system tools. Attack chains heavily feature “living-off-the-land” tactics, using built-in administrative utilities like PowerShell for discovery and movement within a network. Remote management software and credential dumping tools are also staples. Malware is typically deployed only in the final stages, just before data is stolen or encrypted. This reliance on legitimate software makes it challenging for defenders to distinguish malicious activity from normal administrative work, allowing attackers to pivot quickly if one method is blocked.
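Because each of the built-in tools mentioned above is legitimate on its own, a useful detection looks for several stages of the chain (discovery, remote execution, remote-management install) landing on one host within a short window. The following Python is an added example, not code from the article or its source report; the telemetry line format, host names and keyword lists are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified "timestamp host user command" form.
SAMPLE_LOG = """\
2025-06-01T09:01:10 WS01 alice Get-ADComputer -Filter * | Select-Object Name
2025-06-01T09:02:30 WS01 alice Get-NetTCPConnection -State Established
2025-06-01T09:05:00 WS01 alice Invoke-Command -ComputerName FS01 -ScriptBlock { hostname }
2025-06-01T09:06:15 WS01 alice msiexec /i AnyDesk.msi /quiet
2025-06-01T10:00:00 WS02 bob Get-ADUser -Identity bob
2025-06-01T14:00:00 WS03 carol msiexec /i AnyDesk.msi /quiet
2025-06-01T15:00:00 WS03 carol Get-ADComputer -Filter *
"""

# Assumed keyword lists per chain stage; any single hit is routine admin work.
STAGE_PATTERNS = {
    "discovery": r"\b(Get-ADComputer|Get-ADUser|Get-NetTCPConnection|nltest|net\s+(group|view))\b",
    "lateral_movement": r"\b(Invoke-Command|Enter-PSSession|New-PSSession|psexec)\b",
    "remote_management": r"\b(AnyDesk|ScreenConnect|Atera|TeamViewer)\b",
}
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")

def classify(cmd):
    """Return the set of chain stages a command line matches (usually empty)."""
    return {s for s, pat in STAGE_PATTERNS.items() if re.search(pat, cmd, re.IGNORECASE)}

def correlate(log_text, window_minutes=30, min_stages=2):
    """Map host -> sorted stage names where >= min_stages stages co-occur in the window."""
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)  # host -> [(timestamp, stage)]
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, host, _user, cmd = m.groups()
        for stage in classify(cmd):
            events[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    for host, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            stages = {s for t, s in evs[i:] if t - t0 <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

With the default 30-minute window only WS01 is flagged; WS03 shows the same two tools an hour apart and stays quiet, which is the trade-off between noise and missed slow-moving intrusions that the window controls.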
(Source: HelpNet Security)