
The digital landscape continues to be challenged by the persistent and evolving threat of ransomware. Organizations worldwide face an increasing risk of sophisticated cyberattacks that can disrupt operations, compromise sensitive data, and inflict significant financial and reputational damage. This infographic provides an overview of the emerging ransomware tactics and tools observed in 2024 and early 2025, highlighting the latest techniques employed by threat actors, the evolution of their extortion methods, the industries most heavily targeted, and the defense mechanisms recommended to mitigate these risks.
The ransomware landscape has witnessed a notable surge in activity in the early months of 2025. Data indicates an 87% increase in ransomware attacks reported in February 2025 compared to January. This rise surpasses the trends observed in both 2023 and 2024, signifying a significant escalation in ransomware operations and a potential shift in the strategies employed by attackers. Furthermore, the number of active ransomware groups jumped 40% from 2023 to 2024, highlighting the expanding ecosystem of threat actors involved in these malicious activities. In 2024 alone, 59% of organizations reported being targeted by ransomware attacks, underscoring the widespread nature of this threat. This upward trajectory has continued into the beginning of 2025, as evidenced by the increasing number of victims added to ransomware groups' data leak sites. The consistent reporting of increased ransomware incidents from various sources confirms that this is a significant and growing danger for organizations across different sectors.
Despite concerted efforts by law enforcement agencies to disrupt ransomware operations, this form of cybercrime has demonstrated remarkable resilience. Even after the takedown of prominent groups like LockBit, ransomware activity strongly rebounded in the latter half of 2024. This resurgence suggests that while law enforcement actions can cause temporary disruptions, the underlying factors driving ransomware attacks remain potent. The emergence of new ransomware groups and the adaptation of existing ones highlight the persistent nature of this threat.
The ransomware ecosystem is also characterized by shifting power dynamics among various threat actors. RansomHub, a relatively new group that emerged in February 2024, rapidly rose to become a dominant force in the ransomware landscape, potentially filling the void left by the disrupted ALPHV/BlackCat operation. While LockBit, a long-standing major player, experienced a decline following law enforcement actions, there are indications of a potential comeback. Additionally, other groups like Qilin, Play, Akira, and Black Basta have shown significant activity and growth, contributing to the dynamic nature of the ransomware threat landscape.
Emerging Ransomware Tactics and Techniques
Ransomware operators are continuously refining their methods and adopting new technologies to maximize their impact. Several emerging tactics and techniques have been observed in recent ransomware attacks.
AI-Driven Social Engineering Attacks: A significant trend is the increasing utilization of artificial intelligence to enhance social engineering attacks. Cybercriminals are leveraging generative AI to craft phishing emails that are virtually indistinguishable from legitimate communications. These emails can convincingly mimic trusted contacts, including coworkers or service providers, and are personalized to increase their effectiveness. Furthermore, AI is being used to create realistic AI-generated voices for voice phishing (vishing) attacks, making it even more challenging for individuals to discern malicious attempts. The power of AI to assist in writing code has also lowered the skill barrier for cybercriminals to develop sophisticated phishing campaigns. Studies have shown alarmingly high click-through rates for phishing emails created by AI, underscoring the heightened threat posed by this tactic. The integration of AI into social engineering signifies a substantial increase in the sophistication of initial access methods, requiring a greater emphasis on user training and AI-powered defense mechanisms.
Exploitation of Remote Work and Cloud Vulnerabilities: The rise of hybrid and remote work environments has provided cybercriminals with new attack surfaces. Home office setups often lack enterprise-grade security measures, and unsecured personal devices or outdated VPN configurations make them easy entry points. Attackers are also increasingly targeting cloud environments and Managed Service Providers (MSPs). By compromising a single cloud provider or MSP, attackers can gain access to multiple downstream clients, amplifying the impact of their attacks. Exploiting misconfigurations in cloud services has also become a common entry method for ransomware deployment. Additionally, there have been instances of ransomware specifically targeting cloud storage services, such as AWS S3 buckets. The expanded attack surface due to remote work and the increasing reliance on cloud services necessitate a reevaluation of security perimeters and the implementation of robust security measures tailored to these environments.
Ransomware-as-a-Service (RaaS) Model: The Ransomware-as-a-Service (RaaS) model continues to be a significant driver in the proliferation of ransomware attacks. Through this model, cybercriminals can purchase or lease ready-made ransomware tools from more experienced developers. This lowers the technical barrier to entry, allowing even less skilled attackers to launch complex campaigns, leading to a rise in the frequency and variety of attacks. The RaaS model is also evolving, with cybercrime groups specializing in designated attack tactics and stages, often operating under sophisticated profit-sharing models. New RaaS platforms like RansomHub and Cicada3301 have emerged, further contributing to the accessibility of ransomware tools and services.
Highly Targeted Attack Strategies: Sophisticated ransomware groups are increasingly shifting away from large-scale, indiscriminate attacks and instead focusing on low-volume, high-impact campaigns targeting individual companies. These calculated attacks often prioritize stealing vast amounts of data without necessarily encrypting files, aiming to evade media and law enforcement scrutiny. Threat actors are likely to take a three-pronged approach, combining social engineering (particularly vishing), ransomware, and data exfiltration to amplify their extortion leverage.
Data Exfiltration as a Primary Objective: Exfiltrating data has become a central tactic in ransomware attacks. Nearly all major ransomware groups now employ double extortion tactics, where they not only encrypt systems but also exfiltrate sensitive data, threatening to leak it publicly unless their demands are met. There is also a growing trend of attackers focusing solely on exfiltrating data without encrypting systems. This approach allows for quicker, opportunistic operations and capitalizes on the fear of sensitive data being released to coerce victims into paying ransoms.
Multi-Vector Entry Methods: Newer ransomware groups are increasingly adopting multi-vector entry methods, including the use of zero-day exploits, cloud misconfiguration exploitation, and social engineering powered by AI. Attackers are also exploiting known software vulnerabilities, such as those in ConnectWise and VMware ESXi. Additionally, the use of infostealer malware and malicious scripts has been observed as a means to gain initial access to victim networks. This diversification of entry methods underscores the need for a layered security approach that addresses multiple potential points of compromise.
New Ransomware Groups and Their Characteristics
The ransomware landscape in 2024 and early 2025 has seen the emergence of several new threat actors, each with their own characteristics and tactics.
RansomHub: RansomHub emerged as a prominent ransomware group in February 2024 and quickly rose to become a leading player in the ransomware ecosystem. It is widely perceived as the "spiritual successor" to the ALPHV/BlackCat ransomware operation, potentially involving former affiliates. RansomHub operates as a Ransomware-as-a-Service (RaaS) platform and prioritizes attack volume over payment rates, aiming to generate substantial revenue through widespread affiliate expansion. Their ransomware, developed in Golang and C++, targets Windows, Linux, and ESXi systems and is known for its fast encryption capabilities. Notably, RansomHub affiliates have been observed using a custom tool called "EDRKillShifter" to disable Endpoint Detection and Response (EDR) software on compromised systems; it is a loader that drops a legitimately signed but vulnerable driver and abuses it to terminate security processes from the kernel, the bring-your-own-vulnerable-driver (BYOVD) technique. Because the driver carries a valid signature, signature checks alone do not stop it; defenders need driver-load auditing against a list of known vulnerable drivers.
Fog Ransomware: Fog ransomware appeared in early April 2024 and primarily targets U.S. educational networks by exploiting stolen VPN credentials. They employ a double extortion strategy, publishing data on a TOR-based leak site if victims do not pay. Fog ransomware has demonstrated alarming speed, with the shortest observed time from initial access to encryption being just two hours. There are also indications of potential collaboration between Fog and the Akira ransomware group, suggesting a degree of coordination within the cybercrime community.
Lynx Ransomware: Lynx emerged in July 2024 as a rebranded variant of INC ransomware and employs double extortion tactics. This group utilizes advanced encryption techniques and selectively targets industries like finance, manufacturing, and architecture, while stating that they avoid socially critical sectors such as government organizations, hospitals, and non-profit groups.
Other Notable New Groups: The ransomware landscape has also seen the emergence of numerous other groups, including Cicada3301, a sophisticated multi-platform RaaS operation; ArcusMedia, known for its advanced privilege escalation techniques; BrainCipher, which uses a variant of LockBit 3.0; Interlock, targeting critical infrastructure with cross-platform capabilities; SafePay, a LockBit-based malware; SpaceBears, a data broker ransomware group; and Volcano Demon, which uses phone calls for extortion. Additionally, groups like Meow, KillSec, DragonForce, Anubis, Linkc Pub, RunSomeWares, Sarcoma, Hellcat, Morpheus, APT73 (Bashe), Termite, Eldorado, Handala, Helldown, Mad_Liberator, MyData, Black Suit (formerly Royal), Virlock, and VanHelsingRaaS have also been identified as new or active players in the ransomware ecosystem. Each of these groups may employ unique tactics or target specific industries, contributing to the overall complexity of the ransomware threat.
Recommendations for Enhanced Ransomware Protection
To strengthen their security posture against the latest ransomware threats, organizations should consider implementing the following recommendations:
- Implement AI-Powered Security Solutions: Deploy AI-driven security platforms for enhanced threat detection, behavioral analysis, and anomaly detection to identify sophisticated attacks, including those leveraging AI and living-off-the-land (LotL) techniques.
- Strengthen Remote Work and Cloud Security: Implement robust security measures for remote work environments, including secure VPN configurations, endpoint protection on personal devices, and regular security awareness training for remote workers. Ensure proper configuration and security of cloud infrastructure and services.
- Enhance Employee Training: Conduct comprehensive and ongoing security awareness training that specifically addresses the latest phishing tactics, including AI-generated emails and the emerging threat of vishing.
- Implement Advanced Evasion Technique Detection: Deploy specialized tools and detection logic for living-off-the-land (LotL) and bring-your-own-vulnerable-driver (BYOVD) attacks. For LotL, monitor for unusual use of legitimate system tools, for example shadow-copy deletion, disabling of recovery options, or encoded PowerShell command lines. For BYOVD, audit kernel driver loads: flag unsigned drivers and drivers loaded from user-writable paths, and compare driver hashes against a maintained vulnerable-driver list, since a BYOVD driver is validly signed and a signature check alone will not catch it.
- Maintain Vigilant Patch Management: Establish a rigorous patch management process to ensure all software, operating systems, and drivers are updated promptly to address known vulnerabilities.
- Adopt a Zero-Trust Framework: Implement a zero-trust security model that operates on the principle of “never trust, always verify,” requiring continuous authentication and authorization for all users, devices, and applications.
- Develop and Test Incident Response Plans: Create a detailed incident response plan specifically for ransomware attacks and conduct regular testing and simulations to ensure its effectiveness.
- Implement Data Loss Prevention (DLP): Deploy DLP solutions to monitor and prevent the exfiltration of sensitive data, mitigating the risk associated with double extortion tactics.
- Focus on Critical Infrastructure and OT Security: Organizations in critical infrastructure sectors should implement specialized security solutions and practices tailored to the unique challenges of protecting OT environments.
- Participate in Threat Intelligence Sharing: Engage in threat intelligence sharing initiatives within industry-specific Information Sharing and Analysis Centers (ISACs) to stay informed about the latest threats and best practices.
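The following is an added example of the driver-load auditing and LotL monitoring recommended above (and of how an EDR-killer such as the BYOVD loader described for RansomHub would surface in telemetry). It is not code from the page or from any vendor. It scores Sysmon-style events: driver loads (Event ID 6) are checked against a vulnerable-driver hash list, a signature flag, and a user-writable path pattern; process creations (Event ID 1) are matched against command-line patterns for shadow-copy deletion, recovery tampering, encoded PowerShell and certutil downloads. The sample events, the hash values and the rule set are constructed for illustration; the Sysmon event IDs are real.

```python
"""Detect BYOVD driver loads and living-off-the-land command lines in
Sysmon-style events. Added example; the events, hashes and rule set are
constructed for illustration, not taken from the page or any vendor."""
import re
from dataclasses import dataclass

# Real Sysmon event IDs for the two event types examined here.
EID_PROCESS_CREATE = 1
EID_DRIVER_LOAD = 6

# Constructed placeholder for a maintained vulnerable-driver hash list
# (in production, key on the driver file hash from a list such as loldrivers.io).
VULNERABLE_DRIVER_HASHES = {
    "11" * 32: "constructed-vulnerable-driver-A",
}

# Legitimate driver installs almost never load from these locations; an
# attacker who dropped a driver next to a tool usually does.
USER_WRITABLE_PATH = re.compile(r"\\(Temp|Users|ProgramData|PerfLogs)\\", re.IGNORECASE)

# Legitimate system tools used the way ransomware operators use them
# before encryption (shadow-copy and recovery tampering, encoded
# PowerShell, certutil as a downloader).
LOLBIN_RULES = [
    ("shadow copy deletion", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("shadow copy deletion (wmic)", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("recovery disabled", re.compile(r"bcdedit(\.exe)?\s+/set\s+.*recoveryenabled\s+no", re.I)),
    ("encoded PowerShell", re.compile(r"powershell(\.exe)?\s.*\s-(e|ec|enc|encodedcommand)\s", re.I)),
    ("certutil download", re.compile(r"certutil(\.exe)?\s.*-urlcache", re.I)),
]


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    rule: str
    detail: str


def check_driver_load(ev):
    """Sysmon EID 6: score a driver load. A BYOVD driver carries a valid
    signature, so the hash list is what catches it; the signature and path
    checks catch the cruder cases."""
    findings = []
    host, image = ev["host"], ev["ImageLoaded"]
    sha256 = ev.get("SHA256", "").lower()
    if sha256 in VULNERABLE_DRIVER_HASHES:
        findings.append(Finding(host, "high", "known vulnerable driver (BYOVD)",
                                f"{image} matches {VULNERABLE_DRIVER_HASHES[sha256]}"))
    if ev.get("Signed", "true").lower() != "true":
        findings.append(Finding(host, "high", "unsigned driver load", image))
    if USER_WRITABLE_PATH.search(image):
        findings.append(Finding(host, "medium", "driver loaded from user-writable path", image))
    return findings


def check_process_create(ev):
    """Sysmon EID 1: match the command line against the LotL rule set."""
    cmd = ev.get("CommandLine", "")
    return [Finding(ev["host"], "medium", name, cmd)
            for name, pattern in LOLBIN_RULES if pattern.search(cmd)]


def analyze(events):
    findings = []
    for ev in events:
        if ev["EventID"] == EID_DRIVER_LOAD:
            findings.extend(check_driver_load(ev))
        elif ev["EventID"] == EID_PROCESS_CREATE:
            findings.extend(check_process_create(ev))
    return findings


def hosts_with_edr_kill_sequence(findings):
    """Hosts that show both a suspicious driver load and recovery tampering:
    the BYOVD-then-prepare-for-encryption sequence, which deserves an
    immediate isolation decision rather than a ticket."""
    rules_by_host = {}
    for f in findings:
        rules_by_host.setdefault(f.host, set()).add(f.rule)
    return sorted(host for host, rules in rules_by_host.items()
                  if any("driver" in r for r in rules)
                  and any(r.startswith("shadow copy") or r == "recovery disabled" for r in rules))


# Constructed sample telemetry (not real hosts or hashes).
SAMPLE_EVENTS = [
    {"host": "WS-014", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\ndis.sys",
     "SHA256": "22" * 32, "Signed": "true"},
    {"host": "WS-014", "EventID": 6, "ImageLoaded": r"C:\Users\jdoe\AppData\Local\Temp\drv.sys",
     "SHA256": "11" * 32, "Signed": "true"},
    {"host": "WS-014", "EventID": 1, "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-014", "EventID": 1, "CommandLine": "bcdedit.exe /set {default} recoveryenabled no"},
    {"host": "SRV-02", "EventID": 1, "CommandLine": "powershell.exe -NoProfile Get-Date"},
    {"host": "SRV-02", "EventID": 6, "ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "SHA256": "33" * 32, "Signed": "true"},
]

if __name__ == "__main__":
    findings = analyze(SAMPLE_EVENTS)
    for f in findings:
        print(f"[{f.severity}] {f.host}: {f.rule} :: {f.detail}")
    print("isolate:", hosts_with_edr_kill_sequence(findings))
```

On the constructed input, WS-014 produces four findings (the vulnerable-driver hash, the user-writable load path, the shadow-copy deletion and the recovery-disable command) and is the only host returned for isolation; SRV-02's benign PowerShell and system driver loads produce nothing. In a real deployment the hash list must be refreshed regularly, and the path rule should be tuned against the organisation's own software-deployment behaviour.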
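As an added example of the exfiltration monitoring behind the DLP recommendation above (and of the double-extortion pattern described under "Data Exfiltration as a Primary Objective"), the following code flags internal hosts whose daily outbound volume to external addresses far exceeds their own baseline and reports destinations the host had never contacted before. It is not code from the page or any product; the flow records, the address ranges and the thresholds are constructed for illustration.

```python
"""Flag possible bulk data exfiltration from egress flow records by
comparing each internal host's daily outbound volume to external
destinations against its own baseline. Added example; the flow records and
address ranges are constructed, and the thresholds are illustrative."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Internal ranges are declared explicitly (RFC 1918 here); in production use
# the organisation's real address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DAY = 86_400


@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str
    dst: str
    bytes_out: int  # bytes sent from src to dst


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def daily_external_egress(flows):
    """Aggregate bytes per (src, day) and destinations per src, counting only
    internal -> external flows; lateral traffic is not exfiltration."""
    per_day = defaultdict(int)
    dsts = defaultdict(set)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            per_day[(f.src, f.ts // DAY)] += f.bytes_out
            dsts[f.src].add(f.dst)
    return per_day, dsts


def build_baseline(flows):
    """Per-host peak daily egress and the set of external destinations seen
    during the baseline period."""
    per_day, dsts = daily_external_egress(flows)
    peak = defaultdict(int)
    for (src, _day), sent in per_day.items():
        peak[src] = max(peak[src], sent)
    return {"peak": dict(peak), "dsts": {s: frozenset(d) for s, d in dsts.items()}}


def detect_exfiltration(baseline, window_flows, ratio=5.0, min_bytes=500_000_000):
    """Alert when a host's daily egress exceeds both an absolute floor and
    `ratio` times its baseline peak; report destinations not seen in the
    baseline, since exfiltration usually goes somewhere new."""
    per_day, dsts = daily_external_egress(window_flows)
    alerts = []
    for (src, day), sent in sorted(per_day.items()):
        peak = baseline["peak"].get(src, 0)
        if sent < min_bytes or sent < ratio * max(peak, 1):
            continue
        new_dsts = dsts[src] - baseline["dsts"].get(src, frozenset())
        alerts.append({"src": src, "day": day, "bytes": sent,
                       "baseline_peak": peak, "new_destinations": sorted(new_dsts)})
    return alerts


# Constructed flows: three quiet baseline days, then one day on which
# 10.0.1.20 pushes 4 GB to an address it has never talked to. The large
# internal transfers stand in for backups and must not trigger anything.
BASELINE_FLOWS = (
    [Flow(d * DAY + 3600, "10.0.1.20", "203.0.113.10", 50_000_000) for d in range(3)]
    + [Flow(d * DAY + 3600, "10.0.1.21", "203.0.113.10", 20_000_000) for d in range(3)]
    + [Flow(d * DAY + 7200, "10.0.1.20", "10.0.2.5", 3_000_000_000) for d in range(3)]
)
WINDOW_FLOWS = [
    Flow(3 * DAY + 7200, "10.0.1.20", "198.51.100.7", 4_000_000_000),
    Flow(3 * DAY + 7200, "10.0.1.20", "10.0.2.5", 3_000_000_000),
    Flow(3 * DAY + 3600, "10.0.1.21", "203.0.113.10", 25_000_000),
]

if __name__ == "__main__":
    for alert in detect_exfiltration(build_baseline(BASELINE_FLOWS), WINDOW_FLOWS):
        print(alert)
```

On the constructed data only 10.0.1.20 is reported, with 198.51.100.7 listed as a new destination; 10.0.1.21's modest growth stays under the absolute floor, and the 3 GB internal transfers are ignored because they never leave the internal ranges. The ratio and floor are deliberately coarse; a production detector would also weight destinations by reputation (file-sharing and anonymisation services in particular) and shorten the window below a day, since the page notes that some intrusions reach encryption within hours.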