As we navigate through 2025, the cybersecurity landscape continues to evolve, with ransomware remaining a significant threat to organisations worldwide. Here, we delve into the top five ransomware groups currently making headlines and provide a summary of their Tactics, Techniques, and Procedures (TTPs).
1. RansomHub
RansomHub has emerged as a dominant force in the ransomware ecosystem. Despite significant disruptions, including the potential loss of its data leak site and a takeover of its infrastructure by the rival group DragonForce, RansomHub has kept its position as a leading threat actor.
TTPs:
- Initial Access: RansomHub primarily exploits weak credentials on VPNs and gateways lacking multifactor authentication (MFA).
- Execution: They deploy ransomware payloads through phishing emails and exploit kits.
- Persistence: The group uses stolen credentials to maintain access and deploy additional malware.
- Exfiltration: Data is exfiltrated before encryption, often using FTP servers as drop zones.
- Impact: They demand high ransom payments, leveraging the threat of data leaks to coerce victims.
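The exfiltration bullet above notes that data leaves the network before encryption, often to FTP drop zones. One way a defender can surface that pattern is to aggregate outbound bytes per (internal host, external FTP server) pair from connection logs and alert when a pair exceeds a baseline. The following is an added example, not code from the original article or from any vendor; the log format (`timestamp src dst dport bytes_out`), the internal address range, the 50 MB threshold and the sample lines are all constructed assumptions.

```python
"""Flag internal hosts pushing unusually large volumes to external FTP servers.

Added example (not from the original article). Assumes whitespace-separated
connection logs of the form: "<timestamp> <src> <dst> <dport> <bytes_out>".
The internal range, ports and threshold are assumptions to adapt locally.
"""
import ipaddress
from collections import defaultdict

# Constructed sample log lines (not real traffic). The third line from
# 10.0.5.21 is an internal FTP transfer and should be ignored; the 443
# line is not FTP at all.
SAMPLE_LOGS = """\
2025-03-02T01:12:03Z 10.0.5.21 203.0.113.7 21 1200
2025-03-02T01:13:10Z 10.0.5.21 203.0.113.7 21 48500000
2025-03-02T01:14:00Z 10.0.5.21 10.0.9.5 21 90000000
2025-03-02T01:15:44Z 10.0.5.21 203.0.113.7 21 61200000
2025-03-02T01:16:02Z 10.0.5.33 198.51.100.9 443 5200
2025-03-02T01:17:30Z 10.0.5.33 203.0.113.7 21 3100
2025-03-02T01:20:11Z 10.0.7.8 192.0.2.44 21 2500
"""

FTP_PORTS = {21, 990}                                # plain FTP and implicit FTPS (assumed)
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")    # assumed corporate range
BYTES_THRESHOLD = 50_000_000                         # assumed 50 MB baseline per pair


def parse_line(line):
    """Parse one constructed log line into a dict."""
    ts, src, dst, dport, bytes_out = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "bytes_out": int(bytes_out)}


def ftp_outbound_volume(lines):
    """Sum bytes sent from each internal host to each *external* FTP server."""
    totals = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["dport"] not in FTP_PORTS:
            continue
        if ipaddress.ip_address(rec["dst"]) in INTERNAL_NET:
            continue  # internal FTP is out of scope for this check
        totals[(rec["src"], rec["dst"])] += rec["bytes_out"]
    return dict(totals)


def flag_ftp_exfiltration(log_text, threshold=BYTES_THRESHOLD):
    """Return [(src, dst, bytes_out)] pairs at or above the threshold, largest first."""
    totals = ftp_outbound_volume(log_text.splitlines())
    hits = [(src, dst, b) for (src, dst), b in totals.items() if b >= threshold]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    for src, dst, total in flag_ftp_exfiltration(SAMPLE_LOGS):
        print(f"possible FTP staging: {src} -> {dst} ({total} bytes)")
```

On the constructed sample only 10.0.5.21 to 203.0.113.7 crosses the threshold (about 110 MB); the same-size internal transfer is ignored because FTP drop zones used for extortion sit outside the victim network. In production the threshold would come from a per-host baseline rather than a constant, and the same aggregation applies to any other staging protocol once the port set is changed.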
2. Akira
Akira has quickly gained notoriety since its inception in April 2023. Known for its high volume of attacks, Akira has targeted various sectors, exploiting vulnerabilities in VMware ESXi servers.
TTPs:
- Initial Access: Exploits vulnerabilities in publicly facing applications, particularly VMware ESXi servers.
- Execution: Uses automated scripts to deploy ransomware across multiple virtual machines.
- Persistence: Maintains access through compromised user accounts with elevated privileges.
- Exfiltration: Steals sensitive data before encryption to increase leverage over victims.
- Impact: Causes significant disruption by encrypting critical systems and demanding substantial ransoms.
3. Qilin
Qilin has been one of the most active ransomware groups in 2025, known for its sophisticated attacks and high-profile targets.
TTPs:
- Initial Access: Utilises spear-phishing campaigns and exploits known vulnerabilities in software.
- Execution: Deploys custom ransomware variants tailored to the victim’s environment.
- Persistence: Uses advanced obfuscation techniques to evade detection.
- Exfiltration: Employs secure channels to exfiltrate data in an effort to avoid detection.
- Impact: Targets large enterprises and critical infrastructure, demanding multi-million dollar ransoms.
4. SafePay
SafePay has seen a surge in activity, particularly in Germany, where it has targeted numerous organisations.
TTPs:
- Initial Access: Exploits weak credentials and unpatched vulnerabilities in remote access systems.
- Execution: Uses a combination of manual and automated techniques to deploy ransomware.
- Persistence: Establishes backdoors to maintain long-term access.
- Exfiltration: Focuses on exfiltrating financial and personal data to maximise ransom demands.
- Impact: Known for its aggressive negotiation tactics and high ransom demands.
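SafePay's initial access bullet above, like RansomHub's, comes down to weak credentials on remote access systems. Two detections cover most of that: a source IP failing against many distinct usernames in a short window (password spraying) and a successful login that completed without any MFA factor. The block below is an added example, not the article's own content or any vendor's code; the VPN log format (`timestamp src user result mfa_method`), the five-user/ten-minute thresholds and the sample lines are constructed assumptions.

```python
"""Detect password spraying and MFA-less logins in VPN authentication logs.

Added example (not from the original article). Assumes whitespace-separated
log lines: "<timestamp> <src_ip> <username> <SUCCESS|FAIL> <mfa_method|none>".
Thresholds and the sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). 198.51.100.23 fails against
# five accounts in under a minute and then succeeds as "frank" with no MFA.
SAMPLE_VPN_LOGS = """\
2025-03-02T02:00:01Z 198.51.100.23 alice FAIL none
2025-03-02T02:00:05Z 198.51.100.23 bob FAIL none
2025-03-02T02:00:09Z 198.51.100.23 carol FAIL none
2025-03-02T02:00:14Z 198.51.100.23 dave FAIL none
2025-03-02T02:00:20Z 198.51.100.23 erin FAIL none
2025-03-02T02:00:31Z 198.51.100.23 frank SUCCESS none
2025-03-02T02:05:00Z 192.0.2.77 gina SUCCESS totp
2025-03-02T02:06:00Z 192.0.2.78 alice FAIL none
2025-03-02T09:00:00Z 203.0.113.5 alice FAIL none
"""


def parse_vpn_line(line):
    """Parse one constructed log line; MFA counts as present unless the field is 'none'."""
    ts, src, user, result, mfa = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "user": user,
            "ok": result == "SUCCESS", "mfa": mfa != "none"}


def parse_vpn_log(text):
    """Parse all lines and return records sorted by timestamp."""
    return sorted((parse_vpn_line(l) for l in text.splitlines() if l.strip()),
                  key=lambda r: r["ts"])


def detect_password_spray(records, min_users=5, window=timedelta(minutes=10)):
    """Return {src: max distinct usernames failing within any sliding window}."""
    failures = defaultdict(list)
    for r in records:
        if not r["ok"]:
            failures[r["src"]].append((r["ts"], r["user"]))
    flagged = {}
    for src, events in failures.items():
        best, start = 0, 0
        for end in range(len(events)):
            # shrink the window from the left until it spans <= `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({u for _, u in events[start:end + 1]})
            best = max(best, distinct)
        if best >= min_users:
            flagged[src] = best
    return flagged


def logins_without_mfa(records):
    """Successful logins that completed with no MFA factor at all."""
    return [(r["src"], r["user"]) for r in records if r["ok"] and not r["mfa"]]


def spray_followed_by_success(records, **spray_kwargs):
    """Sources flagged as spraying that later achieved a successful login."""
    sprayers = detect_password_spray(records, **spray_kwargs)
    hits = {(r["src"], r["user"]) for r in records if r["ok"] and r["src"] in sprayers}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_vpn_log(SAMPLE_VPN_LOGS)
    print("spraying sources:", detect_password_spray(recs))
    print("logins without MFA:", logins_without_mfa(recs))
    print("spray then success:", spray_followed_by_success(recs))
```

The sliding window is keyed on distinct usernames rather than raw failure count, which is what separates a spray from one user mistyping a password; the third function ties the two signals together, because a spray that ends in an MFA-less success is exactly the access path both groups are described as using. Enforcing MFA on the gateway turns the `logins_without_mfa` list into a configuration-drift check rather than an incident.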
5. Fog
Fog is a relatively new player but has quickly made a name for itself with its innovative attack methods.
TTPs:
- Initial Access: Leverages social engineering and zero-day vulnerabilities to gain initial access.
- Execution: Deploys ransomware through sophisticated malware that can bypass traditional defences.
- Persistence: Uses rootkits and other advanced techniques to maintain a foothold in the victim’s network.
- Exfiltration: Exfiltrates large volumes of data, often using encrypted channels to avoid detection.
- Impact: Targets high-value organisations, demanding ransoms that can reach tens of millions of dollars.
Conclusion
The ransomware landscape in 2025 is marked by the rise of new groups and the persistence of established ones. These groups continue to evolve their tactics, making it imperative for organisations to stay vigilant and adopt robust cybersecurity measures. Implementing multifactor authentication, regular patching, and comprehensive security awareness training are critical steps in defending against these ever-present threats.
By understanding the TTPs of these top ransomware groups, organisations can better prepare and protect themselves from potential attacks. Stay informed, stay secure.