Intensified Cyberattacks and Ransomware Trends
According to Unit 42’s 2025 Global Incident Response Report, ransomware attacks are becoming increasingly aggressive: 86% of the incidents Unit 42 responded to involved business disruption, whether operational downtime, reputational damage, or both.
Cybercriminals are refining their tactics, using more sophisticated and deceptive strategies to magnify the impact of an attack and pressure organizations into paying substantial ransoms.
Deceptive Data Breach Claims
A concerning trend involves threat actors who falsely claim to have breached a victim, often relying on outdated information or fabricating details to pressure the target into paying. For example, in March 2025, scammers posing as the BianLian ransomware group mailed intimidating letters to executives, claiming an imminent data leak without offering any proof that a breach had occurred.
Similarly, a group masquerading as a rebranded version of Babuk targeted over 60 victims with information recycled from past campaigns, attempting to extort payments through fear alone. The practical response to such a letter is the same as for any breach allegation: demand a verifiable data sample, check whether the cited data matches a previously disclosed incident, and confirm any claimed listing on the group’s actual leak site rather than trusting the letter. These deceptive methods illustrate the psychological pressure ransomware actors apply, exploiting not just technical vulnerabilities but also organizational weaknesses in how claims are verified and escalated.
Nation-State Involvement and Advanced Techniques
Another alarming development is collaboration between nation-state actors and ransomware groups, merging cybercrime with geopolitical objectives. Unit 42 identified the North Korean state-sponsored group Jumpy Pisces, linked to the Reconnaissance General Bureau, acting as an initial access broker for Fiddling Scorpius, the group known for deploying Play ransomware, in an incident Unit 42 documented in October 2024.
Reports from March 2025 also revealed the North Korean group Moonstone Sleet deploying Qilin ransomware, marking a new phase of hybrid threats in which state-sponsored resources bolster ransomware campaigns. Furthermore, attackers are increasingly using tools known as “EDR killers” to terminate or blind endpoint detection and response agents before encryption begins, so that mass encryption proceeds without triggering alerts. Defenders should therefore treat an unexpected stop of an EDR service, an unexplained driver load, or a tamper-protection event as a high-priority signal in its own right, since it often precedes the encryption phase.
Diverse Targeting and Insider Threats
Ransomware attacks now target a wide range of systems, including Linux, macOS, hypervisors (ESXi), and cloud environments, with groups like Bling Libra exploiting security misconfigurations in virtualized infrastructure. Insider threats are also on the rise, particularly from North Korean IT workers who use false identities to obtain remote jobs, then steal sensitive data and attempt extortion by threatening to leak it.
Impact on Global Industries
Unit 42’s analysis of public ransomware leak-site data from January to March 2025 shows RansomHub as the most active leak site, with 254 listed victims; CL0P and Akira follow closely. The United States accounts for the highest volume, with 822 listed victims, far more than Canada or the UK. Manufacturing remains the sector most at risk, likely because of outdated software and the high cost of operational downtime, while healthcare ranks fifth despite several high-profile incidents in 2024.
These statistics are incomplete, both because of underreporting and because leak-site listings record claimed victims rather than confirmed breaches, but they underscore the opportunistic nature of ransomware, with attackers prioritizing financial gain over specific targets. As ransomware actors extend their reach across more platforms and form alliances with state-sponsored actors, organizations must strengthen their security controls and prepare proactively for ransomware-related threats in order to withstand evolving extortion tactics.