Executive Summary
Unit 42 continuously observes the cyberthreat landscape, focusing on extortion and ransomware trends. Ransomware attackers are adapting their methods to enhance their attack efficiency and increase the likelihood of organizations complying with ransom demands. Our 2025 Unit 42 Global Incident Response Report indicated that 86% of incidents resulted in business interruptions, which included operational downtime and reputational harm.
This analysis highlights qualitative insights based on incident response cases and general threat landscape observations, such as:
- Threat actors making unverified breach claims.
- Collaboration between nation-state actors and ransomware groups.
- Utilization of tools to disable endpoint security mechanisms.
- Expanded attack surfaces, including cloud systems.
- Insider threats leading to extortion.
Insights into publicly available reports of ransomware breaches on threat actor leak sites include:
- Most active ransomware leak sites.
- Monthly activity levels.
- Geographical activity distributions.
- Industries most affected by ransomware incidents.
Palo Alto Networks provides enhanced protection against ransomware threats via our Network Security solutions and Cortex product lines. Unit 42 also offers resources for organizations to proactively enhance their ransomware preparedness through the Ransomware Readiness Assessment.
Incident Response Trends: Ransomware and Extortion Insights
Each year, Unit 42 responds to a multitude of ransomware and extortion cases. As organizations become more adept at cybersecurity, early-stage attack detection has increased. This has led to a surge of investigations that stop at the network-intrusion stage, before attackers achieve their broader objectives. Nevertheless, numerous successful ransomware and extortion attacks persist, with adversaries adopting more aggressive tactics to attract attention and secure higher payments. For more in-depth analysis, please refer to our 2025 Global Incident Response Report.
Key observations from recent ransomware and extortion campaigns are as follows:
Attackers Are Deceptive
Unit 42 has identified various extortion campaigns where adversaries inflated data leak threats—often leveraging outdated or fictitious data—to pressure victims into payouts. In a March 2025 incident, scammers sent threatening letters to executives, impersonating known ransomware groups poised to release sensitive data, despite lacking any substantiating evidence of a breach.
Collaborations Between Nation-State and Ransomware Groups
In October 2024, Unit 42 observed a nation-state actor collaborating with a ransomware group. We identified Jumpy Pisces, a state-sponsored entity from North Korea, as significantly involved in a ransomware incident. This marked a novel trend reflecting their use of existing ransomware infrastructures, potentially serving as an initial access broker. Furthermore, in March 2025, another North Korean group reportedly deployed ransomware payloads in selected attacks, further indicating a partnership between nation-state actors and cybercriminals.
As ransomware evolves, so too does the diversity of targeted systems. Cybercriminals are increasingly focusing on critical applications and servers, including those hosted in virtualized environments and cloud infrastructures.
Reported Ransomware Breaches: Charts and Statistics
Unit 42 tracks public reports of ransomware breaches featured on threat actors’ leak sites. Data collated from January to March 2025 shows the ransomware groups that made the most public claims of compromise, alongside insights based on monthly activity, geographical distribution, and impacted industries. However, these reports may not fully reflect the complete scope of ransomware incidents: leak-site claims capture only what threat actors choose to publish, and the data is strictly vetted according to established analytic standards before inclusion.
During this timeframe, RansomHub emerged as the most active ransomware group on leak sites, according to our data. Although RansomHub had significant activity throughout early 2025, we expect its operations to decline because of operational challenges the group has faced.
Understanding seasonal fluctuations in ransomware activity is critical for accurate analysis. Comparing quarterly data with the same quarter from previous years, rather than with the immediately preceding quarter, helps account for cyclical influences. Recent data reveals a similar pattern of activity from January to March in both 2024 and 2025, emphasizing the need for contextual analysis.
Our findings indicate that while the United States remains the country with the highest number of ransomware incidents, this doesn’t fully illustrate the global ramifications of these events, as they can have repercussions across multiple countries where organizations operate.
Conclusion
Unit 42 remains vigilant in monitoring ransomware threats through incident response analysis, dark web leak site observation, and various telemetry sources. Given the evolving nature of ransomware threats, including partnerships with nation-state actors, organizations must adopt a comprehensive defense-in-depth strategy. Maintaining robust backup systems is essential, but awareness of diverse pressures ransomware actors might employ is equally crucial. For a closer look at recent ransomware trends, please refer to our 2025 Global Incident Response Report.
Palo Alto Networks offers robust ransomware protection through advanced Network Security solutions and the Cortex product line. For organizations needing assistance or suspecting a compromise, contact the Unit 42 Incident Response team for immediate support.