Persistent Increase in Ransomware Attacks Raises Global Security Concerns

 

It was concluded that in the first five weeks of 2025, there was a significant increase in ransomware attacks targeted at the United States, marking a nearly 150% increase compared to the first five weeks of 2024. Based on a series of high-profile incidents in which certain organisations decided to pay ransoms to avoid detection, cybercriminals have inadvertently increased their interest in the U.S. and made the country a more attractive target for cybercriminals. 

Consequently, this factor is largely responsible for the increase in ransomware activity in the last few months, as successful ransom payments have likely incentivized other ransomware attacks. In the past year, despite fluctuations in the most active ransomware groups and specific timeframes, the frequency of ransomware incidents in the United States has substantially increased. There has been a significant rise in ransomware incidents since the fall of 2024, and a steady increase has continued into the new year. Security firm NCC Group reports 590 new ransomware victims in January, a 3% increase from the previous month, which already set a record for that period. 

The threat intelligence company Cyble has also identified 518 new victims in January, and this number has increased to 599 within the past 27 days. Approximately two-thirds of the attacks were conducted against organizations located in the United States. Additionally, other cybersecurity monitoring organizations have noted a rise in ransomware incidents over the past two months. The difference in victim counts between cybersecurity firms may be attributed to the difference in methodologies, in particular whether victims of previously compromised cybersecurity systems who have just been revealed should be classified as new victims. 

However, despite these discrepancies, industry experts all agree that ransomware activity has increased in recent months. There are several notable ransomware groups responsible for driving this increase, among which RansomHub, Play, and Akira stand out as prominent threat actors. As a result of their increased activity, organizations across the globe are facing increasing cybersecurity challenges as a result of their increased activities. There is still a persistent threat of ransomware, however, individual ransomware groups emerge and dissipate frequently. 

Some of these groups, such as Black Basta, are now in decline or are nearing obsolescence, while others are suffering disruption due to law enforcement intervention, as LockBit appears to be the case. Groups that suffer from internal conflict, often driven by financial disputes, are prone to collapse. For instance, Alphv, also known as BlackCat, was notorious for conducting an exit scam 12 months ago, retaining the entire $22 million ransom paid by UnitedHealth Group following the Change Healthcare hack, rather than sharing it with the affiliate that carried out the scam. 

Although some ransomware groups have disbanded at the end of last year, the landscape of ransomware continues to be highly dynamic, with new actors continuously emerging. In many instances, these "new" actors are not merely rebranded entities, but individuals already entrenched in the cybercrime ecosystem himself. A significant percentage of these attacks are the result of affiliates, threat actors who work with several ransomware operations. Regardless of which specific group name they operate under, affiliations are responsible for a significant portion of these attacks, according to cybersecurity firm BlackFog. In 2024, 48 new ransomware groups surfaced. 

There are four victims mentioned publicly on RunSomeWare's data leak sites, whereas Linkc only has one victim posted on its data leak site, as reported by threat intelligence firm Cyble. It is unclear how long these emerging groups will survive in this business. In December 2024, Anubis, a Russian-speaking ransomware group that first became active, appears to be the work of former ransomware affiliates, as indicated by the sophistication of its tactics. 

Kela reports that Anubis maintains a presence on cybercrime forums like RAMP and XSS, which reinforces its network within the cybercriminal underground by ensuring it maintains its visibility on these forums. In addition to offering a range of illicit services, this group also operates a traditional ransomware-as-a-service model, where affiliates are rewarded with 80% of the ransom money collected from victims they infect. 

As well as targeting Windows, Linux, network-attached storage (NAS), and ESXi environments, Anubis' ransomware can also be used to spread the virus. In addition, the group maintains a data leak blog based on Tor, where so far only a few people have been listed. The Anubis ransomware operation offers two distinct services in addition to conventional ransomware. In the first case, participants receive 60% of the revenue extorted from victims using stolen data, based on the data-ransom-as-a-service model. If the stolen data are unpublished, have been obtained within the past six months, and considered valuable enough for public exposure, they are eligible for this program. By releasing a press release and notifying local data privacy regulators about the breach, Anubis claims to amplify pressure on victims. 

It is the second offering of Anubis that targets initial access brokers, who facilitate cyber intrusions by selling credentials to compromised networks to gain access to them. Under Anubis' model, the IABs become eligible for 50% of all ransoms demanded by victims whose credentials they have supplied. A specific set of eligibility criteria applies, including being a citizen of the United States, Canada, Europe, or Australia, not having been targeted by another ransomware group within the last 12 months, and not being employed by the government, the educational system, or any non-profit organization. 

Ransomware groups are long collaborating with initial access brokers and have often paid a premium for exclusive access to compromised networks, but the healthcare industry remains a viable target. Cybercrime brokers are increasingly becoming increasingly reliant on each other, and this indicates that their role is growing within the cybercrime economy. According to a recent report by CrowdStrike, access broker activity is expected to grow by almost 50% in 2024, as cybercriminals continue to look for ways of infiltrating high-value targets in an increasingly swift and stealthy manner. 

Despite the persistence of ransomware, it is important to remember that individual ransomware groups emerge and dissipate regularly. Several groups, such as Black Basta, appear to have declined over the years or are on the verge of obsolescence, whereas others, such as LockBit, seem to be facing disruptions because of law enforcement interventions. As it seems with LockBit, these groups collapse in the face of internal conflicts, often caused by financial disagreements. Alphv, also known as BlackCat, is one example that exemplifies an exit scam that was carried out 12 months ago. 

According to reports, Alphv kept the entire $22 million ransom paid by UnitedHealth Group to resolve the Change Healthcare breach, instead of sharing it with the affiliate that perpetrated the attack. It is important to note that while some groups have disbanded, the ransomware landscape still remains a highly dynamic place, with new actors constantly emerging on the scene. The so-called "new" groups are usually nothing more than rebranded entities that already have a place in the cybercrime ecosystem. 

These so-called "new" groups include individuals already well versed in the criminality ecosystem. Affiliates - threats actors who collaborate with multiple ransomware operations - are responsible for a significant portion of these attacks, regardless of who they use as their operating name. In 2024, 48 new ransomware groups were discovered, according to cybersecurity firm BlackFog. RunSomeWares claims to have identified four victims on their data leak site which has been compiled by Linkc, while only one victim has been identified by RunSomeWares, according to threat intelligence firm Cyble. However, the long term viability of these emerging groups is uncertain. 

As indicated by the sophistication of the attacks of Anubis, a Russian-speaking ransomware group that became active by December 2024, its tactics were likely developed by former ransomware affiliates. Anubis maintained a visible presence, according to threat intelligence firm Kela, on cybercrime forums such as RAMP and XSS, thereby enhancing its connections within the black market for cybercrime. The group offers a range of illicit services to its customers. There are two main models of ransomware-as-a-service (RaaS) that the organization uses, in which affiliates receive 80% of any ransom payments that are collected from victims that are infected by the group. 

The ransomware of Anubis is capable of attacking Windows, Linux, network-attached storage (NAS), and ESXi environments, as well. Furthermore, the group maintains a Tor-based blog that leaks data, but so far, it has only listed a few victims that have been affected. It advertises two distinctive services in addition to conventional ransomware. The first is a model called data-ransom-as-a-service (DraaS), in which participants receive 60% of all the revenue extorted from victims by using stolen data. 

To qualify, the stolen data must not have been published, must have been obtained within the last six months, and should be considered valuable enough to be published. In its second offering, Anubis claims that publicizing the data breach and notifying local data privacy regulators will increase pressure on victims. The offering targets initial access brokers (IABs) who facilitate cyber intrusions by selling access credentials to compromised networks. Under Anubis' model, it will award half of the ransom obtained from victims who provide their access credentials to the IAB, which will be used to secure a ransom. 

It is important to note, however, that there are some eligibility requirements for this program. The victim must reside in the United States, Canada, Europe, or Australia, and not have been targeted by another ransomware group in the past 12 months. The victim must also not be a government or educational employee. It is, however, still very possible to target the healthcare industry. 

A long history of ransomware groups collaborating with initial access brokers has shown that these brokers often pay a premium for exclusive access to compromised networks. Their increasing dependence on these brokers indicates that their role within the cybercrime economy is growing. According to a recent report published by CrowdStrike, access broker activity increased by nearly 50% in 2024 compared to the previous year, as cybercriminals continued to search for faster and stealthier methods of infiltrating high-value targets as they continued to grow.