Sunday, May 25, 2025

Ransomware Actors Ramp Up Attacks Organizations with Emerging Extortion Trends


According to Unit 42’s 2025 Global Incident Response Report, ransomware actors are intensifying their attacks, with 86% of incidents causing significant business disruption such as operational downtime and reputational damage.

Cybercriminals are adopting increasingly sophisticated and deceptive strategies to maximize the impact of their attacks and coerce organizations into paying hefty ransoms.

A notable trend includes threat actors falsely claiming data breaches, often using outdated or fabricated information to pressure victims.


For instance, in March 2025, scammers impersonating the BianLian ransomware group sent physical threatening letters to executives, alleging imminent data leaks despite no evidence of a breach.

[Figure: High-level chain of events in the attack]

Similarly, a group posing as a rebranded Babuk targeted over 60 victims with recycled data from past campaigns, attempting to re-extort payments through fear tactics.

These deceptive practices highlight the psychological warfare ransomware actors employ to exploit organizational vulnerabilities beyond mere technical breaches.

Nation-State Collaboration and Advanced Tooling

A disturbing development in the ransomware landscape is the collaboration between nation-state actors and ransomware groups, blurring the lines between cybercrime and geopolitical agendas.

Unit 42 identified North Korean state-sponsored group Jumpy Pisces, linked to the Reconnaissance General Bureau, working as an initial access broker or affiliate with Fiddling Scorpius, which deploys Play ransomware, in an incident documented in October 2024.

Subsequent reports in March 2025 also noted the North Korean hacking group Moonstone Sleet deploying Qilin ransomware payloads.

This convergence signals a new era of hybrid threats where state-backed resources amplify ransomware campaigns.

[Figure: Envelope for the fake BianLian ransom note]

Additionally, attackers are leveraging advanced tools like “EDR killers” to disable endpoint security sensors, a tactic rapidly adopted by affiliates to evade detection and encrypt data en masse.

In one case, Unit 42 thwarted an attempt to bypass Cortex XDR, gaining insights into the attacker’s toolkit and methods.

Beyond Windows, ransomware now targets diverse systems, including Linux, hypervisors (ESXi), macOS, and cloud environments, with groups like Bling Libra exploiting misconfigurations to infiltrate virtualized infrastructure.

Insider threats, particularly from North Korean IT workers using fake identities to secure remote employment, further compound risks, as these infiltrators steal proprietary data and extort companies by threatening leaks.

Global Impact and Industry Vulnerabilities

Unit 42’s tracking of public ransomware leak site data from January to March 2025 reveals RansomHub as the most active, with 254 reported compromises, followed by CL0P and Akira.

The United States bears the brunt of attacks, accounting for 822 incidents, far surpassing Canada and the UK.

Industry-wise, manufacturing remains the most targeted sector, likely due to outdated software and the high cost of downtime, while healthcare, despite high-profile incidents in 2024, ranks fifth.

These statistics, though incomplete due to underreporting, underscore the opportunistic nature of ransomware, with threat actors prioritizing financial gain over specific targets.

As attackers expand their reach across systems and collaborate with state actors, organizations must bolster defenses with robust network security and proactive ransomware readiness assessments to mitigate these evolving extortion trends.

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
