Report: Ransomware a ‘persistent threat’ to industrial entities

Dragos’ latest industrial ransomware report illustrates criminals evolving into APTs in their own right.


Traditionally, state-sponsored hackers and hacking groups have been referred to as advanced persistent threats, or APTs, based on their resourcing and continuous malicious activity, but Dragos contends that ransomware operators are just as persistent.

According to the Dragos Industrial Ransomware Analysis: Q1 2025 report, the sheer scale of ransomware operations targeting organisations, the tactics employed, and the increasing use of ransomware as a state tool place these cyber criminal operators firmly in the same ballpark as traditional APTs.

Ransomware operators are now taking advantage of AI-driven malware, while at the same time, some groups are moving away from encryption-based extortion entirely, instead relying on threatening to publish stolen data. Other groups are specifically targeting endpoint detection and response platforms before deploying into a network, while mass exploitation of known third-party vulnerabilities continues to allow some hackers to compromise networks at scale.

Ransomware groups and tactics

The first quarter of 2025 saw at least 12 new ransomware groups emerge, each occupying its own niche in the cyber crime ecosystem.

Unique among the new actors is FunkSec, which established itself as a hybrid ransomware-as-a-service operation thanks to its AI-powered malware that can take advantage of intermittent encryption to bypass traditional controls. The group has links to FSociety and Bjorka, with affiliates from those operations bringing a wealth of experience to FunkSec.
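The "intermittent encryption" mentioned above is worth illustrating from the defender's side. Ransomware that encrypts only every Nth block of a file finishes faster and keeps the file's overall entropy low enough to slip past controls that measure entropy across a whole file. The following Python example is added here for illustration; it is not code from the Dragos report or from any ransomware family it names. It simulates partial encryption by overwriting every fourth 4 KiB chunk of a constructed log file with random bytes (a stand-in for ciphertext, not a real cipher), then shows that a whole-file entropy check misses the damage while a per-chunk check catches it. The chunk size, the 7.5-bit threshold and the 10 per cent trigger fraction are assumed values chosen for the demonstration.

```python
import math
import random
from collections import Counter

# Constructed sample: a repetitive industrial log, the kind of low-entropy
# plaintext an entropy-based control expects to see.
SAMPLE_PLAINTEXT = (
    b"Quarterly production log: line 3 output nominal, maintenance scheduled.\n"
    * 1000
)

CHUNK = 4096           # assumed analysis window
HIGH_ENTROPY = 7.5     # assumed threshold: near-uniform bytes score close to 8.0
MIN_FLAGGED_FRACTION = 0.1  # assumed: flag if >= 10% of chunks look encrypted


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def intermittent_encrypt(plain: bytes, chunk: int = CHUNK, every: int = 4, seed: int = 7) -> bytes:
    """Simulate intermittent encryption: replace every `every`-th chunk with random
    bytes. This is a deliberately simplified stand-in for ciphertext, not a cipher."""
    rng = random.Random(seed)
    out = bytearray(plain)
    for i in range(0, len(plain), chunk):
        if (i // chunk) % every == 0:
            size = min(chunk, len(plain) - i)
            out[i:i + size] = bytes(rng.getrandbits(8) for _ in range(size))
    return bytes(out)


def whole_file_check(data: bytes, high: float = HIGH_ENTROPY) -> bool:
    """Naive control: flag only if the entire file looks encrypted."""
    return shannon_entropy(data) >= high


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> list:
    """Entropy of each fixed-size window of the file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def chunked_check(data: bytes, chunk: int = CHUNK, high: float = HIGH_ENTROPY,
                  min_fraction: float = MIN_FLAGGED_FRACTION) -> tuple:
    """Windowed control: flag if enough individual chunks look encrypted.
    Returns (flagged, fraction_of_high_entropy_chunks)."""
    ents = chunk_entropies(data, chunk)
    if not ents:
        return False, 0.0
    fraction = sum(1 for e in ents if e >= high) / len(ents)
    return fraction >= min_fraction, fraction


if __name__ == "__main__":
    damaged = intermittent_encrypt(SAMPLE_PLAINTEXT)
    print("whole-file entropy:", round(shannon_entropy(damaged), 2),
          "flagged:", whole_file_check(damaged))
    flagged, frac = chunked_check(damaged)
    print("chunks above threshold:", round(frac, 3), "flagged:", flagged)
```

Run as a script it shows the whole-file check staying quiet because roughly three quarters of the bytes are still plaintext, while the chunked check reports about a quarter of the windows at near-maximum entropy. Per-chunk entropy is one signal among several (file-type magic mismatches, rename patterns, write rates), but it is the one that specifically closes the gap intermittent encryption is designed to exploit.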

While Lynx was first seen in 2024, it accelerated its operation in the early months of 2025 by claiming 148 victims, with almost a third being industrial targets. This RaaS operation’s affiliates have been observed using advanced endpoint detection and response evasion techniques and sophisticated phishing campaigns.

Cyber Daily has written about DragonForce’s rapid evolution recently, and Dragos has noted the same. In particular, DragonForce appears to be linked to what is called The Five Families alliance of ransomware gangs, which allows for resource sharing and cooperation.

More generally speaking, zero-day vulnerabilities and file-sharing software continue to be targeted by aggressive actors. A vulnerability in the Common Log File System has been a common source of exploitation, allowing privilege escalation and network access, while the Clop ransomware gang has been posting victims of a vulnerability in the Cleo MFT file-sharing platform since late 2024.

By early 2025, it had claimed more than 300 victims, with 154 from the industrial sector.

AI-powered phishing continues to be a threat, while more groups are focusing on data exposure over data encryption to leverage their extortion threats. Groups like Hunters International (which appears to have recently evolved into a group called World Leaks) and Clop rely purely on data exfiltration over encryption.

“This evolution underscores the growing effectiveness of psychological leverage in ransomware operations, complicating response strategies, particularly for industrial organisations where data disclosure can severely impact operations, regulatory compliance, and brand reputation,” Dragos said in a recent blog post.

Who was hacked, where, and by whom

Victims in Australia and New Zealand accounted for about 2 per cent of total ransomware activity around the globe, with 13 organisations from this region falling victim to ransomware in 2025’s first quarter.

That still puts us up there in terms of activity, though we’re dwarfed by attacks targeting organisations in the United States (413, more than half the total global activity), and Europe (135), where manufacturing was one of the most targeted sectors. Seventy-eight incidents were tracked in Asia, 54 in South America, and 11 in the Middle East.

Only three incidents were reported in Africa, including one on the South African Weather Service, though Dragos believes this may be a case of severe under-reporting.

Manufacturing remains the most targeted sector, followed by transportation, communications, and industrial control systems. Within the manufacturing sector, the most targeted entities were in construction, food and beverage, consumer, and equipment. Attacks against the manufacturing sector rose from 424 in Q4 2024 to 480 reported incidents in Q1 2025.

LockBit activity has fallen sharply in this first quarter of 2025, with only seven reported attacks. Perhaps unsurprisingly, Clop takes first place with 154 incidents, followed by Akira with 83, RansomHub with 82, and Lynx with 48.

“Organisations must urgently enhance cyber security defences through the implementation of robust multifactor authentication (MFA), stringent monitoring of critical network points, secure offline backups, and strengthened remote access management protocols,” Dragos said.

“Comprehensive training programs, regular reviews of network architectures, and adoption of AI-driven detection solutions are essential to counter advanced threats such as AI-crafted phishing, encryption-less extortion, and nation-state ransomware convergence observed with actors like Qilin.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
