Cyber Security News

Ransomware Actors Ramp Up Attacks on Organizations with Emerging Extortion Trends

According to Unit 42’s 2025 Global Incident Response Report, ransomware actors are intensifying their cyberattacks, with 86% of incidents causing significant business disruptions such as operational downtime and reputational damage.

Cybercriminals are adopting increasingly sophisticated and deceptive strategies to maximize the impact of their attacks and coerce organizations into paying hefty ransoms.

A notable trend includes threat actors falsely claiming data breaches, often using outdated or fabricated information to pressure victims.

For instance, in March 2025, scammers impersonating the BianLian ransomware group sent physical threatening letters to executives, alleging imminent data leaks despite no evidence of a breach.

High-level chain of events in the attack

Similarly, a group posing as a rebranded Babuk targeted over 60 victims with recycled data from past campaigns, attempting to re-extort payments through fear tactics.

These deceptive practices highlight the psychological warfare ransomware actors employ to exploit organizational vulnerabilities beyond mere technical breaches.

Nation-State Collaboration and Advanced Tooling

A disturbing development in the ransomware landscape is the collaboration between nation-state actors and ransomware groups, blurring the lines between cybercrime and geopolitical agendas.

Unit 42 identified North Korean state-sponsored group Jumpy Pisces, linked to the Reconnaissance General Bureau, working as an initial access broker or affiliate with Fiddling Scorpius, which deploys Play ransomware, in an incident documented in October 2024.

Subsequent reports in March 2025 also noted the North Korean hacking group Moonstone Sleet deploying Qilin ransomware payloads.

This convergence signals a new era of hybrid threats where state-backed resources amplify ransomware campaigns.

Envelope for fake BianLian ransom note.

Additionally, attackers are leveraging advanced tools like “EDR killers” to disable endpoint security sensors, a tactic rapidly adopted by affiliates to evade detection and encrypt data en masse.

In one case, Unit 42 thwarted an attempt to bypass Cortex XDR, gaining insights into the attacker’s toolkit and methods.

Beyond Windows, ransomware now targets diverse systems, including Linux, hypervisors (ESXi), macOS, and cloud environments, with groups like Bling Libra exploiting misconfigurations to infiltrate virtualized infrastructure.

Insider threats, particularly from North Korean IT workers using fake identities to secure remote employment, further compound risks, as these infiltrators steal proprietary data and extort companies by threatening leaks.

Global Impact and Industry Vulnerabilities

Unit 42’s tracking of public ransomware leak site data from January to March 2025 reveals RansomHub as the most active, with 254 reported compromises, followed by CL0P and Akira.

The United States bears the brunt of attacks, accounting for 822 incidents, far surpassing Canada and the UK.

Industry-wise, manufacturing remains the most targeted sector, likely due to outdated software and the high cost of downtime, while healthcare, despite high-profile incidents in 2024, ranks fifth.

These statistics, though incomplete due to underreporting, underscore the opportunistic nature of ransomware, with threat actors prioritizing financial gain over specific targets.

As attackers expand their reach across systems and collaborate with state actors, organizations must bolster defenses with robust network security and proactive ransomware readiness assessments to mitigate these evolving extortion trends.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
