Ransomware Archives | CyberMaxx
https://www.cybermaxx.com/resources/category/ransomware/

Extortion Without Encryption: The Next Phase of Ransomware
https://www.cybermaxx.com/resources/extortion-without-encryption-the-next-phase-of-ransomware/
Fri, 24 Oct 2025 20:12:45 +0000

Ransomware has evolved beyond simple encryption and data theft. Today’s attackers are refining their tactics by launching data theft attacks and extortion campaigns without encryption, wiping backups, and deploying additional malware. In many cases, they’re also directly harassing and threatening employees, shareholders, and customers. To stay ahead, organizations must evolve their detection and defense strategies.

Understanding Extortion Without Encryption

Traditionally, attackers deployed malware to encrypt files and demanded payment for decryption. More recently, their tactics have shifted toward data theft and immediate extortion, threatening to publish stolen information if victims refuse to pay.

From Ransomware to Extortion Campaigns

In traditional encryption-based ransomware attacks, attackers infected systems with malware that encrypted victims’ files. Then, they demanded payment in exchange for the decryption key. The data was locked but not exfiltrated. This meant that once those affected restored data from backups or obtained a decryptor key, their data’s confidentiality wasn’t necessarily compromised.

More recently, extortion-without-encryption campaigns have become more popular. In this model, attackers steal sensitive information outright and threaten to publish it if the ransom isn’t paid. In many cases, they add new pressure layers, such as threatening to contact customers and the media, to force victims to pay.

Why Attackers Skip Encryption

It takes time and expertise to develop ransomware that can bypass antivirus and EDR defenses, and advances in backup and recovery have made encryption far less profitable for attackers. Many organizations have also invested in stronger detection and response capabilities, which increase the likelihood that an encryption attempt fails or is caught early.

As a result, many modern ransomware groups use ransomware-as-a-service (RaaS), leasing ransomware that is developed and maintained by other groups rather than building their own. Others skip encryption entirely and go straight for data exfiltration. Without the cost of maintaining and deploying an encryptor, they can operate faster, resulting in more profit.

The Rise of Double and Triple Extortion Ransomware

Many attackers are now using layered extortion tactics to maximize their leverage against victims and increase their chances of getting paid.

Double Extortion Ransomware Explained

In a double extortion ransomware attack, threat actors steal victims’ sensitive data before encrypting their files. This means they can raise the stakes when demanding ransom. In addition to paying to get their data decrypted, those affected must pay to stop attackers from leaking their stolen information.

This tactic significantly increases pressure on victims. Even if they can restore their systems from backups, the fear of data exposure is significant as it can lead to reputational damage and regulatory consequences. This often pushes them to negotiate or pay.

Triple Extortion Attacks

In a triple extortion attack, attackers go beyond encrypting and stealing data. Once they have demanded payment to stop a data leak, they ramp up their threats. This often involves contacting customers, business partners, or regulators to warn them that their information will be exposed.

This tactic puts pressure on the victim by creating public embarrassment and customer panic, as well as potential legal consequences. The goal is to expedite the ransom payment.

Harassment and Reputational Damage

Increasingly, attackers are targeting executives, customers, partners, and the media to put more pressure on their victims. This can include writing threatening letters or making calls to leadership, and letting third parties know that their data has been stolen.

In some cases, threat actors make more noise by publishing partial leaks or contacting journalists.

A recent example is the October 2025 threats against Salesforce by the ShinyHunters group. The group claimed to have stolen 1 billion records from Salesforce customer databases and announced that it would publish the data publicly if its demands were not met.

In all of these cases, the attackers’ goal is to turn a breach into a reputational and legal crisis, ultimately forcing victims to pay the ransom more quickly.

Business and Security Implications of Data Theft Attacks

Extortion without encryption and data-theft attacks extend the threat beyond IT. As well as exposing organizations to financial losses and regulatory penalties, they can cause severe reputational damage that takes years to recover from.

Regulatory and Legal Exposure

Data breaches can trigger compliance violations under laws like GDPR, HIPAA, and other data-protection regulations. Breaching these regulations and exposing sensitive information can result in fines and legal penalties for organizations.

Operational and Financial Impact

Data theft attacks can quickly disrupt operations and lead to significant downtime costs. They also erode trust, which leads to customer churn. When combined with potential litigation and regulatory fines, these attacks can cause substantial financial and operational burdens.

Brand Trust and Reputational Fallout

Successful data theft attacks can significantly undermine public confidence in an organization’s ability to protect information. Stakeholders may lose trust, and negative media coverage can result in long-term reputational damage. Even temporary exposure of data can have lasting effects on brand perception and market credibility.

Defending Against Post-Ransomware Threats

Now that attackers no longer rely on encryption as their primary weapon, managed detection and response (MDR) and proactive defense strategies must adapt.

Detecting Data Exfiltration

Extortion without encryption typically involves silent data exfiltration. Once attackers gain entry, they focus on high-value information and exfiltrate it gradually, often disguising it as normal network traffic.

To identify these unusual transfers, organizations should invest in network monitoring, data loss prevention (DLP), and anomaly detection. Regular monitoring can help identify newly installed applications like Rclone, which attackers often use to exfiltrate stolen data; because the binary is frequently renamed, watch for its command-line patterns as well as its file name. Monitoring can also detect outbound traffic to consumer cloud-storage services like MEGA (mega.io) or other cloud backup providers.
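The following Python script is an added example for this article, not CyberMaxx code or the output of any product. It applies the two checks described above to constructed sample telemetry: it flags Rclone by process name and, since attackers often rename the binary, by the shape of its command line (a data-moving verb plus an rclone "remote:path" argument or a --config flag), and it aggregates outbound flows per source and destination so that any traffic to a watchlisted cloud-storage domain, or unusually high egress to any single external host, produces one alert. The event field names, the domain watchlist, and the 500 MiB threshold are assumptions to be mapped onto your own EDR and NetFlow or Zeek schema.

```python
"""Exfiltration triage over constructed endpoint and flow events.

Added example; not CyberMaxx code. Field names, the watchlist and the
egress threshold are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed watchlist of consumer file-sharing / cloud-storage domains.
EXFIL_DOMAINS = {"mega.io", "mega.nz", "mega.co.nz", "anonfiles.com", "file.io"}

# rclone verbs that move data, and the "remote:path" syntax rclone uses for
# a configured remote (e.g. "mega:/loot" or just "r:").
RCLONE_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_ARG = re.compile(r"^[A-Za-z0-9_-]+:[^\s]*$")

# Assumed baseline: more than 500 MiB to a single external host in the window.
EGRESS_BYTES_THRESHOLD = 500 * 1024 * 1024


def _is_remote_arg(arg: str) -> bool:
    """True for an rclone remote ("mega:/x"); False for URLs and Windows drive paths."""
    if "://" in arg or re.match(r"^[A-Za-z]:[\\/]", arg):
        return False
    return REMOTE_ARG.match(arg) is not None


def is_rclone_like(process_name: str, cmdline: str) -> bool:
    """Detect rclone by name, or by command-line shape when it has been renamed."""
    if process_name.lower() in {"rclone", "rclone.exe"}:
        return True
    argv = cmdline.split()
    if len(argv) < 3:
        return False
    lowered = [a.lower() for a in argv[1:]]
    has_verb = any(a in RCLONE_VERBS for a in lowered)
    has_config = any(a.startswith("--config") for a in lowered)
    has_remote = any(_is_remote_arg(a) for a in argv[2:])
    return has_verb and (has_remote or has_config)


def process_findings(events):
    """Return (host, user, cmdline) for every process event that looks like rclone."""
    return [(e["host"], e["user"], e["cmdline"])
            for e in events if is_rclone_like(e["process"], e["cmdline"])]


def _on_watchlist(domain: str) -> bool:
    return any(domain == d or domain.endswith("." + d) for d in EXFIL_DOMAINS)


def flow_findings(flows, threshold=EGRESS_BYTES_THRESHOLD):
    """Aggregate egress per (source, destination) and return one alert per pair.

    Watchlisted destinations alert at any volume; other destinations alert
    only once the aggregate crosses the threshold.
    """
    egress = defaultdict(int)
    for f in flows:
        egress[(f["src"], f["dst_domain"].lower())] += f["bytes_out"]
    alerts = []
    for (src, domain), total in egress.items():
        if _on_watchlist(domain):
            alerts.append(("exfil_domain", src, domain, total))
        elif total >= threshold:
            alerts.append(("high_egress", src, domain, total))
    return alerts


# Constructed sample telemetry (not real logs).
SAMPLE_PROCESS_EVENTS = [
    {"host": "FS01", "user": "svc_backup", "process": "rclone.exe",
     "cmdline": "rclone.exe sync \\\\FS01\\Finance mega:/q3 --transfers 16"},
    {"host": "WS042", "user": "jdoe", "process": "svchost.exe",  # renamed rclone
     "cmdline": "svchost.exe copy C:\\Users\\jdoe\\Documents r:/docs --config C:\\ProgramData\\r.conf"},
    {"host": "WS042", "user": "jdoe", "process": "outlook.exe", "cmdline": "outlook.exe /recycle"},
    {"host": "DC01", "user": "SYSTEM", "process": "robocopy.exe",
     "cmdline": "robocopy.exe C:\\Backups D:\\Backups /MIR"},
]

SAMPLE_FLOWS = [
    {"src": "FS01", "dst_domain": "g.api.mega.co.nz", "bytes_out": 48 * 1024 * 1024},
    {"src": "WS042", "dst_domain": "cdn.example-saas.com", "bytes_out": 300 * 1024 * 1024},
    {"src": "WS042", "dst_domain": "cdn.example-saas.com", "bytes_out": 300 * 1024 * 1024},
    {"src": "WS007", "dst_domain": "update.microsoft.com", "bytes_out": 2 * 1024 * 1024},
]

if __name__ == "__main__":
    for host, user, cmd in process_findings(SAMPLE_PROCESS_EVENTS):
        print(f"[rclone-like] {host} {user}: {cmd}")
    for kind, src, domain, total in flow_findings(SAMPLE_FLOWS):
        print(f"[{kind}] {src} -> {domain} ({total / 2**20:.0f} MiB)")
```

On the sample data the script flags both the plainly named rclone.exe on FS01 and the renamed copy running as svchost.exe on WS042, while ignoring robocopy (no rclone verb in its arguments) and ordinary Outlook activity. On the flow side, the small upload to a MEGA API host alerts purely because of the destination, and WS042's two 300 MiB transfers to an otherwise unremarkable domain alert only because they aggregate past the baseline, which is the point of tracking volume per pair rather than per flow.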

Improving Response Time

Speed is crucial for mitigating harm in data theft attacks. As soon as an account or system is compromised, security teams should take immediate action to contain the threat as quickly as possible. Real-time visibility into network and user activity can make it easier to detect suspicious behavior and prevent further data exfiltration.

Acting quickly can significantly reduce the operational and financial impact of threats. Integrating automated alerts and incident response workflows can also help teams to act decisively under pressure.

Preparing for the Next Phase of Ransomware

Organizations can build resilience and reduce the chance of successful silent exfiltration through continuous monitoring and rehearsing incident response. This helps anticipate attacks and safeguards sensitive data.

Continuous Threat Intelligence

Security teams can maintain continuous threat intelligence by monitoring the dark web and staying updated on leak sites. This helps uncover emerging attack trends, enabling them to anticipate new extortion tactics that bypass encryption.

Organizations should also monitor leak sites and other common exfiltration paths to look for evidence of their own data being leaked. In the event that the initial attack was missed, this can be an indicator of compromise.

Building a Culture of Preparedness

Creating a culture of preparedness is essential for dealing with post-ransomware threats. For instance, conducting regular tabletop exercises can help teams practice responding to data theft attacks in a controlled setting. This helps clarify roles and responsibilities and identify gaps in your strategy.

Executive involvement is also essential for embedding cybersecurity into your organization’s culture. It highlights security as a strategic priority and drives accountability, ensuring a more coordinated response when incidents occur.

Adapting to Extortion Without Encryption

Ransomware isn’t disappearing; it’s just changing. The rise in extortion without encryption means that organizations will need to rethink their defenses. This will involve prioritizing early detection, rapid response, data loss prevention, and strong collaboration across IT, legal, and executive teams to contain threats and reduce impact. Success will depend on adapting as quickly as the attackers do.

The post Extortion Without Encryption: The Next Phase of Ransomware appeared first on CyberMaxx.

Ransomware Trends Beyond the Headlines: A CISO’s Q2 2025 Perspective
https://www.cybermaxx.com/resources/ransomware-trends-beyond-the-headlines-a-cisos-q2-2025-perspective/
Wed, 30 Jul 2025 18:42:13 +0000

There are numerous threats that organizations need to account for and incorporate into their security programs. But ransomware remains top of mind for leaders and practitioners alike. Ransomware is widely reported and closely watched.

Often, its attacks make the news, impacting well-known companies and directly affecting individuals. It’s important to examine trends and identify lessons that can be applied to our own practices in response to the ransomware threat.

Why the Decline in Q2 Attacks Doesn’t Tell the Whole Story

The first thing that stands out from this quarter’s report is the overall drop in attacks. At first glance that’s great: nearly one thousand fewer attacks, a 40% drop compared to Q1. However, organizations cannot simply take the headline totals and draw the broad conclusion that the threat level is decreasing.

High-level trends can give false hope to an organization, which is why it’s important to examine the numbers themselves. As the report demonstrates throughout, a false sense of security would form if we focused just on the total numbers.

Don’t Think in Silos: Risks Cross Every Boundary

One trap we must avoid is thinking in our own silo. The reality is simple: threats are everywhere, and they’re constantly shifting. The threat landscape is vast and far-reaching, and much of it affects us directly. Even if we initially downplay the threat from certain groups based on perceived attack likelihood, that assumption can be misleading.

The past few years have heightened our collective awareness of third-party and supply-chain risks. These are closely related, and their impact on organizations, customers, and the general public is now widely recognized. We need to look beyond the borders of our organization when assessing threats and gauging our risk awareness. That includes trends in industries we don’t operate in but that are highly impactful to our daily operation as a business.

Move Beyond Prevention: Resilience is the New Goal

This leads us back to the need to elevate our mindset and the lens through which we view our security program. It is no longer enough to think in terms of prevention and recovery. Yes, they are important components, but that can’t be where we focus all of our efforts and resources. Our focus and aim must be resilience.

How do we continue to operate at or near 100% in the event of a security incident? Which supply-chain and third-party dependencies, if they suffered an incident and could not fulfill their obligations, would affect our ability to operate normally? We need to look at those considerations.

Healthcare’s Vulnerability and Why It Should Concern You

Healthcare remains one of the most frequent targets of these threat groups, and the report explains why. What we, as organizations, need to do is account for where the healthcare industry intersects with our business vertical. Remember, healthcare is a broad field that encompasses far more than hospitals.

It includes every element of the healthcare system: hospitals, billing companies, insurers and their records, and more. There is a potential impact on our organization even if we’re not in healthcare, and even if healthcare isn’t part of our supply chain.

The Broader Impacts of Breaches on Your Workforce

Our people likely have healthcare coverage through the organization and certainly maintain some form of medical records. So, when there’s a breach of that information, everyone may feel an impact. Many individuals go through a real mental toll when they learn that personal information they expected to stay private, whether health or financial, has been exposed.

They have no idea how bad the impact will be on them. Can we build any measures to mitigate that risk? Can we build into our security program the resilience to absorb a large breach that affects a large swath of our organization’s personnel, so that their focus and performance aren’t derailed by this new stress?

Think Like a Business Leader: Customer Industry Risk = Your Risk

Now, let’s look at it through more of a business lens. Your organization isn’t in healthcare. However, a significant portion of your customer and client base may be healthcare organizations. We’re using healthcare, but it can be any other industry that you serve or rely on to generate revenue as part of your operations.

Let’s say your organization provides a non-healthcare service to the healthcare industry. It’s one of your largest customer verticals and a focus of your go-to-market strategy. If that industry is experiencing an increase in attacks, they will need to address it with their resources. That means a shift in budget priorities. That may cause you to lose out on deals, have current customers cancel at renewal, and deter prospective clients because the budget dollars are no longer available.

Take a Holistic View of Threats Across Industries

We need to take a holistic approach when evaluating potential threats across the broader ecosystem. That means understanding where our organization overlaps with different business verticals and how attack trends in those sectors could affect us.

There is one other focus from this quarter’s report. We mentioned resilience earlier, and it is also mentioned in the report itself. No longer is security just about prevention and recovery; it’s also about how we set ourselves up to maintain resilience in the face of an attack.

It’s not only about disaster recovery (DR), but also about business continuity (BC), and increasing our focus on maintaining operations in the face of adversity, regardless of the threat. And it’s really about ensuring we’re true to the basics: the old, tried-and-true controls that we’ve been hearing about for ages.

Security Basics Still Work If You Use Them

Vectors change, industries of focus change, and even what’s being ransomed or threatened changes, but what we can do to help protect ourselves has remained relatively consistent.

Key foundational practices include:

  • Implementing multifactor authentication (MFA/2FA) for all accounts, especially those accessible from the internet
  • Establishing a strong backup-and-recovery program that includes regular testing and a version of backups isolated from the corporate network
  • Developing and regularly testing incident response plans and protocols to ensure staff are prepared for evolving attacker tactics
  • Maintaining a disciplined patching and vulnerability management program to reduce exposure from both new and older vulnerabilities

These are just a few of the security basics that have been recommended for years and remain highly effective to this day.

The Quiet Risk: Unpatched Vulnerabilities

Patching and vulnerability management often receive little attention. It isn’t necessarily exciting. It’s usually not the program that gets folks to jump out of bed looking to conquer. The latest and greatest vulnerability, the one that’s large enough to make the news cycle, is the one that gets noticed and prioritized.

It’s the one that everyone’s asking about; how are we with this, are we protected? What do we need to do to be protected right now? Exploit development takes time, and threat groups work under the same ideas as regular businesses. If this still works for us, why should we incur the expense of changing just to chase the latest trend?

If you look at some of the highlighted vulnerabilities in the report, you’ll notice that they are typically one to two years old. They may not be related to recent headlines, or even garnered headline attention when they were first discovered, but they’re still being exploited today. And the reason they’re still being exploited is that there are still environments where these vulnerabilities remain unpatched. Therefore, threat actors have a sufficient market where what they developed years ago continues to generate a profit.

Why change?

Yes, patching and vulnerability management do have their complications. Timing a patch, potential downtime of a system to apply the patch, and any number of other concerns organizations face when a vulnerability is discovered. However, it remains one of our most effective tools for securing environments and strengthening organizational resilience.

Understand the Story Behind the Numbers

The difference in the numbers between Q2 and Q1 appears to be favorable. You notice a significant decline in attacks at first glance. But that’s why we have to dive deeper than just the initial numbers. We have to see where they’re focused and what that can really tell us. We must seek to understand what all these numbers are telling us and what those implications are for our business.

Review Q2’s Report.

The post Ransomware Trends Beyond the Headlines: A CISO’s Q2 2025 Perspective appeared first on CyberMaxx.

Ransomware Research Report | Q2 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2025-audio-blog-interview/
Thu, 24 Jul 2025 17:42:12 +0000


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Introduction

Ransomware activity in Q2 of 2025 showed a significant decline compared to the previous quarter. We observed a total of 1488 successful ransomware attacks between April 1st and June 30th, compared to the 2461 we observed in Q1. This represents a 40% decline in activity. Despite the reduction, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during Q2.

We observed a total of 75 ransomware groups operating within Q2, up from 74 in Q1. This quarter’s targeting leaned toward sectors sensitive to operational disruption: healthcare and manufacturing were two of the top three industries hit, and education, government, and energy all showed growth as well, to a smaller degree.

Qilin is the threat actor with the most successful ransomware attacks this quarter, with 176 in total, followed by Akira with 139 and Play with 124. Qilin’s activity was concentrated in the manufacturing, technology, and healthcare sectors.

While Cl0p was extremely active last quarter, they have not been as active recently. This may be because they are still working through the backlog of victims from exploiting Cleo Harmony back in February.

Lockbit Updates

In recent months, two major ransomware groups were quietly hacked, and both attacks featured the same message: “Don’t do crime, xoxo from Prague.” No one has come forward to take responsibility.

In April, the Everest group’s leak site was defaced, and then in May Lockbit’s affiliate panel was also updated with the odd message. The Lockbit breach also leaked internal data and crypto wallet addresses.

Theories are circulating that it may have been a rival gang or law enforcement; however, no one has officially taken credit for either attack, and both are very likely the work of the same individual (or group).

HealthCare

Between April 1 and June 30, 2025, the healthcare sector experienced 95 ransomware attacks, making it the third most targeted industry during this period, following Manufacturing and Tech at 157 and 136 respectively.

Across the broader ransomware landscape, a healthcare organization is now hit with a successful attack roughly every 22 hours. Groups like Qilin continue to exploit healthcare’s operational urgency, pressuring victims to pay quickly to avoid disruptions to patient care or data exposure.

The impact of each incident tends to be disproportionately high compared to other industries; leading to care delays, system outages, and regulatory complications.

Qilin:

Qilin have been the most prolific group this quarter, primarily targeting high-impact and operationally critical industries.

Manufacturing led all sectors, followed by Technology and Healthcare, reflecting Qilin’s focus on data-sensitive and disruption-prone environments. Transportation/Logistics and Education were also notable targets.

A full breakdown of their operational target industries can be seen in the full report.

Qilin have demonstrated consistent growth throughout the first half of 2025, with attack volumes rising steadily each month. Starting with a relatively low number of incidents in January, activity nearly doubled by February and remained stable through March and April. A sharp increase followed in May, and June marked the group’s most active month to date, with over 75 recorded attacks.

The vulnerabilities we have observed the group using are as follows:

  • CVE-2023-4966 aka CitrixBleed
  • CVE-2023-27532 in Veeam Backup & Replication, which exposes stored backup credentials
  • CVE-2025-31161, an authentication bypass in CrushFTP
  • CVE-2025-31324 in SAP NetWeaver (which, interestingly, was exploited at least 3 weeks before public disclosure, showing that the group had early access to a 0day)
  • CVE-2025-32756 which allows unauthenticated RCE in several Fortinet products.

The full list of exploited vulnerabilities is also available in the report, along with a breakdown of their currently active infrastructure.

Q2 Conclusion

The second quarter of 2025 marked a complex and transitional period in the ransomware landscape. While overall attack volume declined significantly, threat activity remained widespread, with critical sectors such as healthcare, government, and education continuing to face sustained pressure. Despite the slowdown in raw numbers, the frequency of attacks and the strategic focus of top ransomware groups indicate that the threat remains both adaptive and persistent.

Qilin emerged as the most active ransomware group this quarter, steadily increasing its operations and overtaking previously dominant groups such as Cl0p. Their consistent targeting of high-impact industries, exploitation of newly disclosed vulnerabilities, and technical adaptability demonstrate a clear evolution in capability and reach. At the same time, the temporary absence of Cl0p from the top rankings, despite its history of impactful, exploit-driven campaigns, highlights the cyclical and opportunistic nature of ransomware group activity.

Sectors like healthcare continue to experience frequent and damaging incidents, underscoring the need for targeted resilience strategies. Meanwhile, the recent breaches of ransomware infrastructure such as the defacements of Everest and LockBit hint that threat actors themselves are not immune to disruption, though the sources of these countermeasures remain unknown.

In summary, Q2 2025 presented fewer attacks overall, but increased complexity in attacker behavior, tooling, and targeting. Organizations must remain proactive, adaptable, and intelligence-driven in their defensive strategies as ransomware continues to evolve.

Read the full report.

The post Ransomware Research Report | Q2 2025 – Audio Blog Interview appeared first on CyberMaxx.

CyberMaxx Q2 2025 Ransomware Research Report shows a 40% drop in attack volume from the previous quarter.
https://www.cybermaxx.com/resources/cybermaxx-q2-2025-ransomware-research-report-shows-a-40-drop-in-attack-volume-from-the-previous-quarter/
Thu, 17 Jul 2025 11:00:10 +0000

Linthicum Heights, MD – July 17th, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that Q2 2025 witnessed a significant drop in ransomware activity compared to Q1.

According to CyberMaxx research, 1,488 attacks were recorded in Q2 (April-June), representing a 40% decrease from the 2,461 attacks in Q1 (January-March). Despite this drop, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during the second quarter.

There were 75 active ransomware groups in Q2, a slight increase from 74 in Q1. However, the number of attacks per group has dropped from 33.2 to 19.8. This could reflect shifts in law enforcement pressure, infrastructure disruptions, or changes in attacker strategy.

With 176 attacks, Qilin has overtaken Cl0p as the most active ransomware group. It is followed by Akira (139 attacks), Play (124 attacks), Safepay (101 attacks), and Dragonforce (73 attacks).

Cl0p has now dropped from the list of most active ransomware groups, following intense activity in early 2025 and a sharp decline since March. This highlights the cyclical and opportunistic nature of ransomware group activity.

Qilin has been steadily growing throughout the first half of 2025, indicating an expansion of operational capacity and increased aggressiveness in target selection. Qilin’s sustained growth demonstrates how some ransomware groups expand their reach even as overall attacks decline, highlighting the group’s rise as a dominant threat actor.

Manufacturing (157 attacks, approximately one every 13.6 hours), technology (136 attacks, approximately one every 16 hours), and healthcare (95 attacks, approximately one every 22.5 hours) were the most targeted industries in Q2.

Although healthcare experiences fewer attacks than some other sectors, each incident can cause significant harm, including care delays, outages, and regulatory issues. Persistent attacks on healthcare highlight its vulnerability stemming from the urgency of its operations, the sensitivity of its data, and the prevalence of outdated systems. Attackers often exploit this vulnerability with double extortion, forcing organizations to pay quickly to avoid disruptions.

While Q2 2025 saw a decrease in overall attacks, it also revealed more complex tactics, tools, and targeting methods employed by attackers. As ransomware continues to evolve, organizations must remain proactive, adaptable, and informed to defend effectively.

CyberMaxx’s cyber research team regularly investigates threats independently. These efforts aim to build shared knowledge across the cybersecurity community.

Access the full Ransomware Research Report here: https://www.cybermaxx.com/q2-2025-ransomware-research-report/

About CyberMaxx

CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing. For more information, visit: https://www.cybermaxx.com/

CyberMaxx Media Contact

John Pinkham
jpinkham@cybermaxx.com

The post CyberMaxx Q2 2025 Ransomware Research Report shows a 40% drop in attack volume from the previous quarter. appeared first on CyberMaxx.

The Lockbit Leak Exposed: Secrets of a Ransomware Gang
https://www.cybermaxx.com/resources/the-lockbit-leak-exposed-secrets-of-a-ransomware-gang/
Thu, 08 May 2025 19:44:16 +0000

The post The Lockbit Leak Exposed: Secrets of a Ransomware Gang appeared first on CyberMaxx.

Inside the Lockbit Leak

In another shakeup in the ransomware world, the Lockbit ransomware gang has suffered a major leak. Many of the group’s onion addresses currently redirect to a leaked SQL database dump containing a trove of sensitive information, exposing not just victim data but also the inner workings of Lockbit’s negotiation tactics, technical support processes, and attack strategies.

The leaker’s identity remains anonymous; however, they did leave the message “Don’t do crime, CRIME IS BAD, xoxo from Prague”. The same message was seen on the Everest PR page in April 2025 before it went offline, suggesting it could be the same individual or group. Kevin Beaumont has suggested that the DragonForce gang could be behind the attacks; however, no group has taken credit yet. Lockbit is offering a bounty for any information about who is behind the attack.

Key Takeaways from the Leak

Technical Support for Victims

Lockbit went beyond the typical role of a cybercriminal organization by providing “technical support” to victims. They guided them through the decryption process, even allowing uploads of up to 100MB and over 100 files to prove that their decryptors worked as promised.

Controlled File Sharing

In maintaining operational security, Lockbit refused to engage with external file-sharing links. They relied solely on their own internal upload service during negotiations and communications.

Varied Negotiation Tactics

The leaked chats reveal Lockbit’s flexible pricing strategy, which included ransom demands ranging from $3,800 to $4,500,000 in Bitcoin.

In one specific instance, they accepted a $5,000 deposit to grant the victim an extension on their payment deadline.

Limited Transparency on Exfiltrated Data

Victims were not given complete file trees of stolen data. Instead, Lockbit provided high-level descriptions, listing servers and shares (e.g., ESXi servers, file shares) without offering deeper insight.

Disturbing Interactions

In one instance, a victim even asked for career advice on getting started in ransomware, highlighting the normalization of cybercrime in certain circles:

“Bro, I want to ask for your advice. If I want to make some extra money on the side but do it safely like you guys, do you have any recommended directions?”

Tools and Techniques

Lockbit promoted the use of Eraser by heidi.ie for securely deleting files after operations. They were also transparent about their infiltration methods:

  • Following employee activity and exploiting weak points (e.g., Google Backup logins)
  • Leveraging manager accounts with user privileges to escalate access
  • Using AnyDesk installed across hosts for lateral movement
  • Offering to sell intrusion paths and defense recommendations for $10,000 USDT

Aggressive Threats to Victims

If victims resisted paying, Lockbit escalated to direct threats:

  • “If you choose to give up paying the ransom, we will follow up.”
  • “We will conduct subsequent attacks, incidents, and data disclosure.”

Multilingual Negotiations

Victims often requested that Lockbit operators communicate in languages other than English, highlighting the global nature of their attacks. In some leaked exchanges, victims expressed difficulty with English and asked if the gang could converse in their native language:

  • “Can you speak Chinese? Writing in English is so hard.”
  • “What is your mother language?”

Lockbit, however, generally maintained English as the default language for most negotiations.

Targeting Chinese Companies and Supply Chains

Multiple attacks appeared aimed at Chinese companies, with Lockbit acknowledging that these ransoms were seen as affordable by their standards. Additionally, the leaked data suggests they leveraged supply chain connections, attacking multiple victims via compromised networks of other organizations.

Conclusion

This leak offers another window into the inner machinery of ransomware operations. From their structured support model to aggressive extortion methods and detailed infiltration techniques, the revelations emphasize the professionalization of ransomware groups and the ever-evolving threat they pose.

Organizations must take this moment as a wake-up call—bolstering network defenses, conducting thorough security audits, and ensuring incident response plans are in place.

The post The Lockbit Leak Exposed: Secrets of a Ransomware Gang appeared first on CyberMaxx.

Cybersecurity Strategy: Key Takeaways from Q1 2025 Ransomware Research Report
https://www.cybermaxx.com/resources/cybersecurity-strategy-key-takeaways-from-q1-2025-ransomware-research-report/
Tue, 29 Apr 2025 19:19:34 +0000

Cyberattacks surged in Q1 2025, setting new records and leaving CISOs exhausted by yet another uptick in threat activity. But behind the bleak headlines lies opportunity; a chance to recalibrate your cybersecurity strategy and regain control.

Reframing the Cybersecurity Strategy When the Numbers Look Grim

It’s simple to look at the initial numbers comparing Q1 2025 to Q4 2024 and see that the number of attacks increased, again. It’s also clear that we set a new record for most attacks in a quarter, again. And when faced with that, it’s fair to wonder, what’s the point?

It feels like every step we take, every move we make, they’re watching us (now you’re humming the tune) and adjusting, constantly gaining the advantage. The pressure to keep up makes it easy to adopt a defeatist attitude and just forge ahead, focusing only on what seems best for the business. As a result, security projects often get pushed aside because the effort just doesn’t seem to make a dent.

On the surface, our prospects seem grim. Indeed, witnessing the scope of attacks, along with a rising number of threat groups, often triggers a strong emotional response. That kind of pressure can lead to the urge to step back and redirect our efforts toward other priorities.

However, the real value lies beneath these numbers. The tactics, techniques, and procedures employed by the attackers provide us with valuable lessons to learn from. In this case, going toward the light is precisely what we should do.

A Cybersecurity Strategy Starts by Acknowledging the Threat Landscape

First things first, let’s get the “negative” out of the way. You can’t plan until you know what you’re up against, so you need to see the whole board and then see where you can gain an advantage. The increase in the number of attackers would logically lead to a rise in the number of attacks. It may simply be that the attack rate reflects a volume issue rather than a shift in tactics.

It’s a small consolation, but we’ll take the wins where we can. However, we can’t ignore the fact that the number of attacks keeps increasing. The trend continues even if we believe it’s tied to the growing number of players in the game. As a result, we have to acknowledge an uncomfortable truth: operating in a connected world increases the likelihood that our organization will become a target.

So, if the odds of an attack are increasing in likelihood, risk management tells us to take action. We need to examine how to either reduce the probability or mitigate the impact of these events. And here’s where we find our hope and build our action plan.

Two Key Vectors: Vulnerabilities and Credentials

There appear to be two primary factors contributing to many of the attacks observed in Q1 2025: the exploitation of vulnerabilities and credential compromise. You may hear these referred to as “threat vectors.” Basically:

  • How does the threat enter your environment?
  • What vector is used to gain entry?

That’s good; it gives us a starting point. If I know where they’re more likely to attack, that narrows the scope of where I should start my efforts to shore up the defenses.

Vulnerabilities and credentials aren’t rare, which means there are likely multiple options available to us. We prefer to build our defense in depth, allowing us to add layers by stacking our options. Already, we can see that the light at the end of the tunnel is getting brighter and the way out is becoming clearer.

That light at the end of the tunnel isn’t an oncoming train, after all. What else can we learn from the quarterly report?

What Targeted Attacks Reveal About Your Cybersecurity Strategy

Preferred targets. It appears that threat actors have preferred target profiles, specifically businesses or business verticals, where they tend to focus their efforts.

It makes sense. Threat actor groups operate similarly to many companies. They have an organizational structure, a business plan, and make their decisions on ROI and cost-benefit analysis. It doesn’t make sense for them to spend more on an attack than they can expect to gain, so they want to maximize their impact.

So, what are the preferred target profiles? They tend to focus on businesses that can afford little to no downtime due to operational interruption, namely the healthcare and financial services industries.

Okay, that makes sense. Both require immediate access to data and systems to support snap decision-making and analysis. They also handle higher-stakes issues, namely healthcare, where the responsibility involves human life. There is no higher stake than that. So that’s one component.

Business Models of Threat Actors

Then we see that the compromise of the business system Cleo seems to have thrown off the numbers a bit, because so many of Cleo’s clients were impacted by that compromise.

Hmm. That feels familiar.

It wasn’t that long ago that SolarWinds was at the center of a similar compromise that led to widespread impact. Therefore, we can conclude that threat actors are prioritizing their attacks on vendors that supply utilities to a wide range of businesses.

These are vendors that many companies rely on for their own operational functionality. That tells me the vulnerability vector actually splits in two: one part involves vulnerabilities on my vendors’ systems, and the other involves vulnerabilities on the systems I directly control.

There probably isn’t one solution that addresses both areas. I need to treat them separately and match each with the right response. That’s good, I’m getting a lay of the land. However, it also means that I must consider all of my vendors and providers as potential threat vectors, so we’ll need to account for that as well.

Why Legacy Systems Are a Blind Spot in Cybersecurity Strategy

Then there’s this bit about “legacy” systems. What does that mean? Was the system approved because a related parent or grandparent system had already been implemented? Did it go forward mainly for that reason?

Well, no, legacy means something different here. Legacy systems are typically tools implemented long ago or championed by senior leadership, and they usually don’t receive the support that modern systems do.

Many legacy system vendors no longer support their older products. Some offer a newer version and expect organizations to migrate to it. Others release updates or patches only in extreme cases. In some situations, the vendor is no longer in business.

Legacy systems make IT and security professionals nutty. They feel like systems running on a countdown timer to failure. The timer has been ticking for a long time, and you get the sense it should have reached zero already. At this point, you’re operating on borrowed time.

How to Prioritize Focus Areas in Your Cybersecurity Strategy

Now that we’ve established the playing field, I can focus on determining where to apply my efforts and resources. If we look at the playing field, we start to see several critical areas take shape. The first is vendor risk management, which lays the groundwork for evaluating external dependencies. Next is inventories, which help track and manage system assets.

Vulnerability and patch management follow, ensuring that known issues are addressed in a timely manner. Identity and credential management also rise to the top, offering control over who accesses what. Finally, I want my organization to understand where it fits into the larger ecosystem, because no system operates in isolation.

That sounds like a lot, but it’s actually more straightforward than it first appears.

Mapping Your Ecosystem Connections

Let’s start with the last one: how our organization fits into the larger ecosystem. Well, the first question I need an answer to is, what exactly is it that we do here? I need to understand what our business offers and how we generate revenue. After all, that’s the whole point of a business: to make money.

  • Are we a service provider or a system supplier to other companies?
  • If that’s the case, what’s our connection to the healthcare and financial services spaces?
  • Are we a prime target because we offer threat actors a single point of entry that could gain them access to multiple endpoints?

I also need to look at this from the other end:

  • Are we dependent on healthcare or financial services to provide us with business?
  • What’s the likelihood that my organization could be collateral damage because of an attack on one of those other institutions?

I want to be able to map those connections and track them in my risk register. Then I want to ensure that this is an exercise I perform regularly, so I’m aware of any changes and can adapt accordingly.

Asset Inventory and Visibility in a Cybersecurity Strategy

Since we’re already considering external forces, let’s stay external and examine the Cleo connection. It’s not just my connections to a business vertical I need to identify and track; it’s also the vendors I use for my own operations.

What vendors or solutions are our departments using for their operations, file sharing, and online applications, such as Software as a Service (SaaS)? I also want to know what they use for databases, CRM, ERM, IT management, email, and other essential services.

That also relates to inventories. If I don’t know that a system is in use, it can’t be on my risk register, which means I’m not accounting for it when I look at my defense posture and future planning. I can’t properly plan how to attack that particular castle.

Okay, so of those vendors:

  • Which ones are prevalent, or at least, which ones are widely used by healthcare and financial services?
  • Where’s my crossover?

Those systems become a priority. Now I’m starting to compile a good list of my vulnerabilities. And now we move internally.

  • Do I know what systems are running internally?
  • How good is my asset inventory?

In other words:

  • Do I know what systems and versions are running within my environment?
  • Do I know what they’re running on, both in terms of software and hardware?

There’s a reason asset inventory consistently appears when referencing various best practice frameworks and standards, and it emerges early in the process. You can’t properly plan if you’re not aware of all of your assets (just ask Westley, as he plans the castle assault in The Princess Bride).

Let’s presume my asset inventory is pretty solid. How do I stay on top of their vulnerabilities? The simplest method is to regularly scan my system using utilities that maintain a database of known vulnerabilities. These tools can generate a report, which I can then review to determine how to address them.

In many instances, vendors regularly issue patches and software updates that not only address vulnerabilities but also add or improve features. That comes under our Patch and Vulnerability Management practice.
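As an added illustration of the inventory and vulnerability checks described above (example code written for this page, not CyberMaxx’s own tooling), the following reconciles what a scan found with the risk register: it flags systems that are on the network but not in the register, register entries whose recorded version no longer matches reality, products whose vendor support has ended, registered systems the scan never saw, and running versions that fall under a vendor advisory. Hosts, versions and support dates are constructed; the CVE identifiers are the Cleo ones cited elsewhere on this page, and the fixed-in version thresholds are placeholders to be replaced with the vendor’s own advisory values.

```python
"""Reconcile what a network scan found with the asset/risk register.
Added illustration, not CyberMaxx code. Hosts, versions and support dates are
constructed; 'fixed_in' thresholds are placeholders for the vendor's advisory."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Tuple


def vtuple(version: str) -> Tuple[int, ...]:
    """'5.8.0.21' -> (5, 8, 0, 21) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Registered:
    product: str
    version: str
    support_ends: Optional[date]   # None: vendor support end date unknown


@dataclass
class Seen:
    host: str
    product: str
    version: str


@dataclass
class Advisory:
    cve: str
    product: str
    fixed_in: str                  # versions below this are treated as affected


@dataclass
class Report:
    unregistered: List[str] = field(default_factory=list)   # on the network, not in the register
    stale_records: List[str] = field(default_factory=list)  # register version != running version
    unsupported: List[str] = field(default_factory=list)    # vendor support has ended
    not_seen: List[str] = field(default_factory=list)       # registered but not found by the scan
    advisory_hits: List[Tuple[str, str]] = field(default_factory=list)  # (host, cve)


def reconcile(register: Dict[str, Registered], scan: List[Seen],
              advisories: List[Advisory], today: date) -> Report:
    rep = Report()
    for s in scan:
        reg = register.get(s.host)
        if reg is None:
            rep.unregistered.append(s.host)      # unknown systems never reach the risk register
        else:
            if reg.version != s.version:
                rep.stale_records.append(s.host)
            if reg.support_ends is not None and reg.support_ends < today:
                rep.unsupported.append(s.host)
        # Match on what is actually running, not on what the register believes.
        for adv in advisories:
            if adv.product == s.product and vtuple(s.version) < vtuple(adv.fixed_in):
                rep.advisory_hits.append((s.host, adv.cve))
    seen_hosts = {s.host for s in scan}
    rep.not_seen = sorted(h for h in register if h not in seen_hosts)
    return rep


def demo() -> Report:
    """Constructed register, scan and advisories for a small environment."""
    register = {
        "mft-01": Registered("Cleo Harmony", "5.8.0.20", date(2027, 1, 1)),
        "mft-02": Registered("Cleo VLTrader", "5.8.0.24", date(2027, 1, 1)),
        "lab-07": Registered("LegacyLIS", "2.1", date(2019, 6, 30)),   # vendor support long gone
        "db-03": Registered("AcmeDB", "11.2", date(2028, 1, 1)),
    }
    scan = [
        Seen("mft-01", "Cleo Harmony", "5.8.0.20"),
        Seen("mft-02", "Cleo VLTrader", "5.8.0.22"),   # register is out of date
        Seen("lab-07", "LegacyLIS", "2.1"),
        Seen("shadow-01", "Cleo Harmony", "5.7.0.0"),   # nobody told security about this one
    ]
    # CVE IDs from this page; fixed_in values are placeholders, not vendor data.
    advisories = [
        Advisory("CVE-2024-50623", "Cleo Harmony", "5.8.0.21"),
        Advisory("CVE-2024-50623", "Cleo VLTrader", "5.8.0.21"),
        Advisory("CVE-2024-55956", "Cleo Harmony", "5.8.0.24"),
        Advisory("CVE-2024-55956", "Cleo VLTrader", "5.8.0.24"),
    ]
    return reconcile(register, scan, advisories, date(2025, 4, 15))
```

The unregistered host and the stale record are the findings that matter most here: both are systems the risk register would have silently missed.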

Strengthening Vendor Due Diligence in Your Cybersecurity Strategy

I’m aware of my third-party vectors, so what else can I do? I can conduct vendor due diligence, ask them about their security practices, and assess whether I’m comfortable with the answers. You may already be doing this; it’s where our vendor questionnaires and SOC 2 reports come into play.

Many organizations are diligent about sending questionnaires and requesting SOC 2 reports, but too few actually read them. These are far more valuable than you may realize, and I cannot encourage organizations enough to actually read and review these reports.

I also want to know if the vendor provides notifications about new vulnerabilities and alerts when internal patches are available. Relying solely on online updates isn’t ideal. Clients should be alerted directly when a vulnerability is identified. That communication should also reach the general public and include clear instructions for system users.

But I can also combine efforts here. One way to protect myself within a vendor’s system is to control who is able to access my part of it, at least to the best extent I can, and that means protecting my user accounts and their credentials. And since credential protection practices don’t just apply to third-party systems, I can double up for internal protections.

Making Patch Management Work in a Cybersecurity Strategy

The big one for me here is ensuring that multifactor authentication is enabled and enforced. Having it as an option at the vendor is nice. However, optional settings aren’t enough. I need to make sure it’s enforced in every case, whether through vendor controls or my own.

Then, I want to check any system I have where someone enters credentials to gain access and ensure that multifactor authentication is enabled and enforced by default. Computers, systems, VPN providers, cloud solutions, whatever it is: if you have to log in, you want to ensure there’s an MFA component.

Now, that sounds like it could get cumbersome to my users. To some extent, it might, so I need to strike a balance. Organizations can configure their systems to recognize safe activity and reduce the frequency of repeated MFA prompts. Users benefit from smoother access while maintaining security integrity. Attackers with stolen credentials still fail to log in because MFA stops them at the gate.

We’re not getting into that here, but know that it exists, and you have options there, too.
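As an added sketch of the “recognize safe activity, prompt less often” idea (example code written for this page, not CyberMaxx’s or any vendor’s), the policy below never lets a password alone through: a device is excused from a repeat prompt only after it has completed MFA from a known IP within a trust window, and never for sensitive actions. The 12-hour window, the action list and the scenario are assumptions.

```python
"""Adaptive MFA step-up policy, added illustration (not CyberMaxx code).
Proof of MFA is always required; a device that recently completed MFA from a
known IP is simply not re-prompted for routine activity."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

TRUST_WINDOW = timedelta(hours=12)            # assumption: re-prompt after 12h
SENSITIVE_ACTIONS = {"change_password", "add_mfa_device", "export_data"}


@dataclass
class Attempt:
    user: str
    password_ok: bool
    device_id: str
    ip: str
    at: datetime
    action: str = "read"
    mfa_passed: Optional[bool] = None          # None: no MFA response supplied


@dataclass
class TrustedDevice:
    last_mfa_at: datetime
    known_ips: Set[str]


class MfaPolicy:
    """Decides ALLOW / CHALLENGE / DENY and remembers devices that passed MFA."""

    def __init__(self) -> None:
        self.trusted: Dict[Tuple[str, str], TrustedDevice] = {}

    def decide(self, a: Attempt) -> str:
        if not a.password_ok:
            return "DENY"                      # wrong password: never reaches MFA
        key = (a.user, a.device_id)
        dev = self.trusted.get(key)
        routine = (
            dev is not None
            and a.ip in dev.known_ips
            and a.at - dev.last_mfa_at <= TRUST_WINDOW
            and a.action not in SENSITIVE_ACTIONS
        )
        if routine:
            return "ALLOW"                     # recognised activity: no repeated prompt
        if a.mfa_passed is None:
            return "CHALLENGE"                 # a valid password alone is not enough
        if not a.mfa_passed:
            return "DENY"                      # stolen password, failed MFA
        ips = {a.ip} | (dev.known_ips if dev else set())
        self.trusted[key] = TrustedDevice(a.at, ips)
        return "ALLOW"


def run_scenario() -> List[str]:
    """Constructed sequence: a legitimate user on her laptop, then someone
    with the same (stolen) password on an unknown device."""
    p = MfaPolicy()
    t0 = datetime(2025, 4, 1, 9, 0)
    h = timedelta(hours=1)
    steps = [
        Attempt("alice", True, "laptop-1", "203.0.113.10", t0),                     # CHALLENGE
        Attempt("alice", True, "laptop-1", "203.0.113.10", t0, mfa_passed=True),    # ALLOW, device now trusted
        Attempt("alice", True, "laptop-1", "203.0.113.10", t0 + 2 * h),             # ALLOW, no prompt
        Attempt("alice", True, "laptop-1", "203.0.113.10", t0 + 2 * h, "export_data"),  # CHALLENGE
        Attempt("alice", True, "laptop-1", "203.0.113.10", t0 + 13 * h),            # CHALLENGE, window expired
        Attempt("alice", True, "attacker-box", "198.51.100.7", t0 + 3 * h),         # CHALLENGE
        Attempt("alice", True, "attacker-box", "198.51.100.7", t0 + 3 * h, mfa_passed=False),  # DENY
        Attempt("alice", False, "laptop-1", "203.0.113.10", t0 + 3 * h),            # DENY
    ]
    return [p.decide(s) for s in steps]
```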

Look at the progress we’ve made already. What’s next?

Patch and vulnerability management. We have already identified it, so I want to ensure I’m doing everything I can to put my IT and security teams in a solid position to implement the program. That means resources and prioritization.

Are they comfortable, and is the business comfortable? You have to marry the two, which means both will likely need to compromise from their ideal state. You typically need to account for a system being offline, even for a brief period, to apply a patch or update. It’s just the nature of how systems apply them.

As much as you want 24/7/52 uptime for your systems, you’re going to need to budget in some downtime to allow for patching and general maintenance. There are ways to achieve both, but again, it requires resources, and we won’t delve into all of that here today.

Your patch responders are also likely to want to patch everything quickly, as soon as it’s released. Well, that’s not really feasible either. I’ll grant you downtime, but you have to grant me a window that the business determines is the least impactful to operations.

I also don’t want patches to be applied as soon as they’re released. I want to stay cutting-edge without taking unnecessary risks, so I track public response to patches and test them in controlled environments. Once they mature and I feel confident, I’ll move forward with a full rollout. So we need to ensure we’re all comfortable with the final process.

Adding Business Resilience to Your Cybersecurity Strategy

The last point we addressed in this quarterly report was a decrease in the number of companies paying ransoms. Well, that sounds good. How’d they manage that? Resilience.

Organizations have refocused their efforts on business resiliency. Backups, redundancies, restoration, and failover of all components come into play. That seems like an awful lot of effort to combat ransomware, doesn’t it?

When every other measure already substantially reduces the risk, what justification is there for additional investment in resiliency? The chance of a ransomware attack feels minimal. Well, here’s a not-so-secret secret: resilience applies beyond ransomware.

Resilience Beyond Ransomware

All organizations need to have a Business Continuity and Disaster Recovery (BC/DR) plan. Resilience is the primary focus of these plans.

  • How do I keep my business running until I can resume normal operations?
  • How do I recover my business to a state where I can resume normal operations?

Resilience plans aren’t just for ransomware; they’re for whatever negative impact my organization may face. Therefore, focusing on my business’s resilience will address multiple areas of concern.

Regardless of the threat, whether it’s ransomware or a natural disaster, I need a resilience plan. That plan often includes overlapping components, which allows me to address multiple risks at once, and that is always a plus.

Why Testing Is Critical to Any Cybersecurity Strategy

So, how do I feel about my resilience plan? When was the last time it was reviewed? When was the last time I tested it?

A plan remains theoretical unless it’s tested and proven functional. Backups are meaningless unless they’re successfully restored. System recovery becomes a reality only when it’s performed and validated. Confirmation of timing and real-world testing is essential.

Restoring just one file doesn’t prove resilience; it only creates an illusion. Entire systems must undergo full restoration. Those systems also need to meet defined recovery windows.

If you know you can’t function without a system for more than 48 hours or you’ll go out of business, that timeline becomes non-negotiable.

But if you don’t test your restoration and resilience efforts:

  • How do you know you’re meeting your timeline needs?
  • Who cares how good a resilience system you’ve built if it takes 96 hours to implement it?

You’d have had to close your doors two days before the restoration was completed, making it worthless.
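The testing argument above, as an added worked example (example code written for this page, not CyberMaxx’s): each system’s most recent full restore drill is scored against its recovery window, single-file restores are ignored, unvalidated restores don’t count, and drills older than a year are treated as unproven. The systems, RTOs, drill records and the one-year age limit are constructed; the 48-hour versus 96-hour case mirrors the post.

```python
"""Score restore drills against recovery time objectives (RTOs).
Added illustration, not CyberMaxx code; all systems and drill data are constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List

MAX_DRILL_AGE_DAYS = 365        # assumption: a drill older than a year no longer proves anything


@dataclass
class Drill:
    system: str
    performed_on: date
    scope: str                  # "full_system" or "single_file"
    restore_hours: float
    validated: bool             # did the restored system pass functional checks?


@dataclass
class Finding:
    system: str
    status: str                 # PROVEN, MISSED_RTO, NOT_PROVEN, STALE, UNTESTED
    detail: str


def evaluate(rto_hours: Dict[str, float], drills: List[Drill], today: date) -> List[Finding]:
    findings: List[Finding] = []
    for system, rto in sorted(rto_hours.items()):
        # Only full-system drills count: restoring one file is the illusion the post warns about.
        full = [d for d in drills if d.system == system and d.scope == "full_system"]
        if not full:
            partial = any(d.system == system for d in drills)
            findings.append(Finding(system, "UNTESTED",
                                    "only partial restores on record" if partial else "no drill on record"))
            continue
        latest = max(full, key=lambda d: d.performed_on)
        age = (today - latest.performed_on).days
        if age > MAX_DRILL_AGE_DAYS:
            findings.append(Finding(system, "STALE", f"last full drill {age} days ago"))
        elif not latest.validated:
            findings.append(Finding(system, "NOT_PROVEN", "restore completed but failed validation"))
        elif latest.restore_hours > rto:
            over_days = (latest.restore_hours - rto) / 24
            findings.append(Finding(system, "MISSED_RTO",
                                    f"took {latest.restore_hours:g}h against {rto:g}h RTO; "
                                    f"business down {over_days:.1f} days too long"))
        else:
            findings.append(Finding(system, "PROVEN", f"{latest.restore_hours:g}h within {rto:g}h RTO"))
    return findings


def demo() -> List[Finding]:
    """Constructed RTOs and drill log for a small environment."""
    rto = {"ehr": 48, "billing": 72, "email": 24, "file-share": 48, "imaging": 24}
    drills = [
        Drill("ehr", date(2025, 3, 10), "full_system", 96, True),         # the post's 48h vs 96h case
        Drill("billing", date(2025, 2, 1), "full_system", 40, True),
        Drill("email", date(2025, 3, 15), "single_file", 0.5, True),      # proves nothing
        Drill("file-share", date(2024, 1, 20), "full_system", 30, True),  # too old to rely on
        Drill("imaging", date(2025, 3, 1), "full_system", 20, False),     # restored, but didn't work
    ]
    return evaluate(rto, drills, date(2025, 4, 15))
```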

Final Thoughts: Cybersecurity Strategy—Back to Basics, Forward with Intent

Wow, that’s a lot covered. But I would argue it isn’t really.

In fact, everything that’s covered is all in line with what we know to be best practices anyway. It reinforces these practices and establishes our baseline when we build towards resiliency and defense.

When we take the fight forward, we take an offensive mindset to our defensive posture. All of these elements help secure our operations. When approached with the right mindset, they create an environment that allows our users to excel and meet or exceed our expectations and desires.

It all comes down to understanding that perhaps there’s nothing new to learn; instead, we should return to our basics and ensure we’re keeping up with current technologies and solutions.

But the premise is the same. It’s everything we want to be doing anyway. It’s simply a matter of identifying our assets and attacking that “castle” effectively. While our fortunes may seem bleak when we see how the attacks are trending, we can derive a lot of value from just a few simple, concerted efforts. Just have to pull on the threads.

Now we’re prepared and can plan. So go ahead. Have fun storming the castle.

The post Cybersecurity Strategy: Key Takeaways from Q1 2025 Ransomware Research Report appeared first on CyberMaxx.

The State of Ransomware in Healthcare
https://www.cybermaxx.com/resources/the-state-of-ransomware-in-healthcare/
Mon, 28 Apr 2025 10:00:32 +0000

Healthcare Remains One of the Most Highly Targeted Industries

CyberMaxx recently released the Q1 2025 Ransomware Research Report. This quarter produced the highest number of recorded attacks so far. Amongst the findings, our researchers discovered that Healthcare facilities remained some of the most highly targeted, likely because they are left vulnerable due to the potential life-or-death consequences of operational disruptions.

Operational downtime at a healthcare facility can be devastating, putting patient safety, critical services, and sensitive data at immediate risk. When systems go offline, it can delay urgent care, disrupt access to medical records, and halt life-saving procedures—making every minute count.

Threat actors know this. That’s why healthcare is a prime target for ransomware attacks. Cybercriminals exploit the urgency and potential harm caused by downtime, believing that the high stakes will pressure organizations into paying the ransom quickly to restore operations.

By the Numbers

Of the over 400 organizations CyberMaxx protects, 75 are healthcare facilities. That equates to upwards of 500K endpoints across hospitals, doctors’ offices, dentists, and more. During this past quarter, there were a total of 2,461 ransomware and data extortion attacks. Of those, 127 took place at healthcare organizations, and 68 of those healthcare-related attacks, or 54%, were based in the United States.

A Common Cause of Healthcare Data Breaches

The Oracle Health data breach is one recent example. In early 2025, Oracle Health, formerly known as Cerner, suffered a significant data breach affecting multiple U.S. hospitals and healthcare providers. The breach occurred through unauthorized access to legacy data migration servers using compromised customer credentials. This unauthorized access reportedly began sometime after January 22, 2025, with the attackers exfiltrating patient data to an external location. Oracle Health became aware of the breach around February 20, 2025, and initiated a comprehensive investigation and response process. Notification of affected clients began in March, with Oracle Health striving to provide transparency on the extent of the breach.

The stolen data reportedly included sensitive patient information from electronic health records, though the precise scope and amount of compromised data remain unclear. The use of compromised credentials to access legacy systems underscores a common vulnerability within the healthcare sector, where outdated or insufficiently protected systems remain integrated with modern networks.

An individual identifying themselves as “Andrew” has attempted to extort the affected healthcare providers, demanding payments in exchange for not releasing the stolen data. Notably, this threat actor does not appear to be affiliated with any known ransomware group, suggesting the possibility of either a lone actor or a new entity entering the scene.

The motivations and capabilities of “Andrew” are still under investigation, but the lack of affiliation with a prominent ransomware group could complicate efforts to track and apprehend the individual. The healthcare sector is still particularly vulnerable to such attacks, given the sensitive nature of patient data and the potential harm that could result from its unauthorized disclosure.

A Case for Updating Legacy Systems

This breach highlights the ongoing challenge of securing legacy systems and ensuring that customer credentials are adequately protected. As Oracle Health continues to investigate and mitigate the impacts of the breach, healthcare organizations must remain vigilant and proactive in bolstering their own cybersecurity measures.

The incident also serves as a reminder that attackers are increasingly targeting healthcare institutions due to their critical role in society and the high value of the data they possess. Ensuring robust protection of sensitive data should remain a top priority for all entities operating in the healthcare sector.

Securing Your Healthcare Data

Healthcare organizations must prioritize proactive defense, real-time detection, and incident response—because even a short disruption can have life-threatening consequences, and attackers are counting on that pressure to profit.

Don’t miss this session hosted by CyberMaxx and HS-ISAC, full of stories from cybersecurity experts and healthcare customers, validating the real-world impact of cyber threats happening daily, targeting medical and dental organizations of all sizes. Hear all the ways you can take steps to protect your organization from the rising threats. Learn more here: Improving Healthcare Cybersecurity So Patient Data Doesn’t End Up on the Dark Web | CyberMaxx


The post The State of Ransomware in Healthcare appeared first on CyberMaxx.

Ransomware Research Report | Q1 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2025-audio-blog-interview/
Thu, 24 Apr 2025 16:12:55 +0000

The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware

Ransomware activity continued to climb in the first quarter of 2025, with 2,461 attacks carried out by 74 active groups. This is a 4% increase over last quarter, which previously held the record for the highest volume of attacks.

At the forefront this quarter is Cl0p, which was responsible for 398 attacks, roughly 16% of the total. Cl0p achieved this by chaining two vulnerabilities in Cleo Harmony and VLTrader for a huge impact. These vulnerabilities are tracked as

  • CVE-2024-50623
  • CVE-2024-55956

This campaign peaked in February with 331 attacks, the highest monthly total ever recorded by a single group.

Other top actors included RansomHub, Akira, Babuk2, and Qilin. Surprisingly, Lockbit, once a dominant force, dropped to 24th place with only 23 attacks. Exploitation of unpatched systems continues to be a favored technique for initial access among ransomware groups.

BlackBasta

In February 2025, a major leak of internal chat logs exposed the inner workings of the BlackBasta ransomware group. The leak discusses their target preferences, tactics, and tools.

Target Selection

Black Basta prioritized organizations with low tolerance for downtime, including healthcare, financial services, and critical infrastructure. These sectors were targeted strategically, given the high stakes and pressure to restore operations quickly, factors that increase the chance of ransom payments.

Exploitation Tactics

The group typically exploited known vulnerabilities rather than expensive zero-days. However, they did purchase at least one high-value exploit for use against CVE-2024-26169, used for privilege escalation on Windows systems. Microsoft patched it in March 2024, but evidence suggests Black Basta had access prior to its public disclosure, dating back as early as December 2023.

Tools and Techniques

Two tool variants linked to the group were uncovered by Symantec. One, compiled in December 2023, is publicly available on VirusTotal. The second, from February 2024, appears to have been privately tested. The leak also confirmed extensive credential harvesting operations, which are key to the group's initial access and lateral movement. A link to the VirusTotal analysis is available in the full report.

Underground Forum

Logs indicate the group actively used platforms like exploit.in to acquire or trade vulnerabilities.

Conclusion

This leak gives us a behind-the-scenes look at a major ransomware group. It highlights the group's clear focus on exploiting vulnerabilities in critical sectors and leveraging credential harvesting to facilitate its attacks. As always, proactive patching, credential protection, and a hardened defense strategy are needed to stay ahead of these tactics, especially for organizations in critical sectors.

Bybit

In February 2025, the Bybit cryptocurrency exchange suffered one of the largest crypto thefts to date—400,000 ETH, worth $1.5 billion. The attack has been attributed to the Lazarus Group, a North Korean state-sponsored threat actor known for targeting digital assets.

Lazarus exploited Safe{Wallet}, a third-party multi-signature wallet platform designed to enhance transaction security. The attackers compromised a developer’s workstation at Safe{Wallet}, injecting malicious JavaScript into its frontend interface.

This clever move allowed them to disguise an unauthorized transfer as a legitimate transaction. Exploiting user behavior—specifically the tendency to rapidly click through approval prompts—they bypassed the multi-signature protection and triggered a massive transfer from Bybit’s cold wallet without raising alarms.

Once the theft was complete, Lazarus laundered the stolen ETH through multiple intermediary wallets, swapping tokens and using cross-network services to obscure the funds’ origins. The stolen assets currently sit dormant across multiple wallets.

The big takeaway here is that even the most secure systems can be undermined by third-party vulnerabilities and user complacency.

Chainalysis

In 2024, ransomware attacks reached record levels, especially in the fourth quarter. But in a surprising twist, ransomware payments actually fell. According to Chainalysis, victims paid $813 million in crypto, down 35% from $1.25 billion in 2023.

This unexpected decline comes as Q4 2024 marked the most active quarter ever for ransomware. The drop in payouts signals a shift in how organizations are responding to these threats.

So, what are the reasons for this decline?

First, companies are improving their cybersecurity, with stronger defenses and better backups, so that many can now recover without paying.

Second, regulatory pressure is rising. Governments are discouraging ransom payments to avoid fueling criminal activity.

And third, there is greater awareness. Organizations now better understand the long-term consequences of paying ransoms, including the fact that payment encourages repeat attacks.

Add to that a global law enforcement crackdown, with authorities seizing crypto, arresting operators, and dismantling gangs, and the result is a ransomware ecosystem that is getting harder to profit from. At the same time, attack counts continue to climb: payment volumes have fallen, but the overall threat of ransomware continues to grow.

Oracle Health

In early 2025, Oracle Health, formerly known as Cerner, suffered a major data breach affecting multiple U.S. hospitals and healthcare providers. The breach stemmed from unauthorized access to legacy data migration servers using compromised customer credentials, with activity traced back to late January.

Sensitive patient data from electronic health records was exfiltrated, though the full scope remains unclear. Oracle Health discovered the breach in February and began notifying affected clients in March.

Adding to the complexity, an individual calling themselves “Andrew” has attempted to extort healthcare providers, threatening to release the stolen data. “Andrew” isn’t linked to any known ransomware group, suggesting a possible lone actor or emerging threat.

This breach highlights two critical vulnerabilities: outdated legacy systems and inadequate credential protections.

Q1 Conclusion

Security teams must prioritize patch management and ensure that critical vulnerabilities are addressed promptly. Organizations should also emphasize credential protection, implementing multi-factor authentication (MFA) and monitoring for compromised accounts.

CyberMaxx Q1 2025 Ransomware Research Report shows 4.3% increase in attack volume over the previous quarter, setting new records
https://www.cybermaxx.com/resources/cybermaxx-q1-2025-ransomware-research-report-shows-4-3-increase-in-attack-volume-over-the-previous-quarter-setting-new-records/
Tue, 22 Apr 2025 11:30:38 +0000

Chicago, IL – April 17, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that Q1 2025 witnessed a surge in ransomware attacks, making it the most prolific quarter for ransomware activity.

According to CyberMaxx research, there were 74 active groups responsible for 2,461 recorded incidents in Q1 2025. This figure marks a 4.3% increase over the previous quarter, which saw 66 active groups conduct 2,358 attacks.

In Q1 2025, ransomware groups averaged 33.2 successful attacks each. With 398 attacks, Cl0p was the most active group this quarter, representing approximately 16% of all successful attacks.

Other notable ransomware groups in Q1 2025 were RansomHub (234 attacks), Akira (217 attacks), Babuk2 (156 attacks), and Qilin (113 attacks). Notably, Lockbit, one of the most prolific groups throughout 2024, fell to 24th place with only 23 attacks.
February 2025 was a record-breaking month for Cl0p: the group carried out 331 individual attacks, the highest number ever recorded by a single group in a single month.

Cl0p’s dominance stems from its exploitation of two critical vulnerabilities in Cleo Harmony products, CVE-2024-50623 and CVE-2024-55956.

This surge in ransomware activity during Q1 2025 marks a clear escalation in ransomware threats, and Cl0p has raised the benchmark for attack efficiency and volume.

The group’s successful exploitation of critical vulnerabilities reinforces the urgent need for security teams to prioritize patch management and promptly address critical vulnerabilities in Q2 2025.

Organizations should enhance their monitoring and detection capabilities to catch intrusions before data exfiltration occurs, implement multi-factor authentication (MFA), and actively monitor for compromised accounts.

CyberMaxx’s cyber research team regularly conducts its own independent threat investigations. These efforts aim to build shared knowledge across the cybersecurity community.

Access the full Ransomware Research Report here: Q1 2025 Ransomware Research Report

About CyberMaxx

CyberMaxx, LLC, founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and third-party security product sourcing.

For more information, visit: www.cybermaxx.com

CyberMaxx Media Contact
Clint Poole
cpoole@cybermaxx.com

Why Ransomware Payments Plummeted in 2024
https://www.cybermaxx.com/resources/why-ransomware-payments-plummeted-in-2024/
Wed, 19 Feb 2025 19:55:49 +0000

While ransomware attacks have hit an all-time high, victim payments have dropped significantly.

Last year, the total volume of ransom payments decreased year-over-year (YoY) by approximately 35%, according to a report published in February 2025 by Chainalysis. In addition, less than half of recorded incidents resulted in payments.

The big question is: what’s driving this shift, and what can businesses learn from it?

The Surging Volume of Ransomware Attacks in 2024

Ransomware attacks are at record highs. The fourth quarter of 2024 saw the highest spike in attacks that we have observed on record, according to CyberMaxx’s Q4 2024 Ransomware Research Report.

However, as attack frequency has increased, it appears that victims are becoming less willing to pay.

A Historic Year for Ransomware

There were 4,831 ransomware attacks in 2024, which is the highest number ever recorded in a single year. There were 2,358 attacks in Q4 alone—a 137% increase from Q3.

Cybercriminals are exploiting vulnerabilities such as CVE-2024-0012 (Palo Alto PAN-OS RCE) and CVE-2024-9474 (Privilege Escalation) to launch attacks.

Key Trends Driving the Increase

The mainstream adoption of cloud is a major factor driving this increase: there was a 39% rise in cloud-targeted attacks in 2024 compared to 2023.

Holidays are also prime targets for cybercriminals. With many businesses reducing security staff as employees take vacations, attackers find more opportunities to strike. For example, December 24th experienced a significant spike in cybercrime activity.

The increased accessibility of sophisticated hacking tools has also likely contributed to the rise in the number of threat groups: 66 active ransomware groups were recorded in Q4 2024, the highest on record.

Why Are Fewer Victims Paying Ransom?

While cybercriminals are launching more attacks, their business model is struggling due to stronger cyber extortion defense and changing industry responses.

In addition, governments across the globe are tightening their regulations and compliance frameworks to address this growing threat and hold organizations accountable. As part of this, there is mounting pressure on government agencies to enforce these regulations and so reduce the financial incentives for ransomware gangs.

Improved Cybersecurity Measures

To improve ransomware attack prevention, many businesses are implementing more robust backup strategies to reduce the leverage of ransomware gangs. This often involves storing data across multiple locations and implementing additional backup servers for added security.

The rise in cyberattacks has also led to insurers tightening their policies. Many insurers now require clients to prove they can recover without paying ransoms.

The widespread use of zero-trust architecture also helps to limit the spread of ransomware between networks.

Law Enforcement and Disruptions to Ransomware Groups

The increased crackdowns on ransomware gangs have also likely contributed to the decline in ransomware payments. In February last year, a coordinated international operation helped to take down LockBit, a leading ransomware gang.

LockBit was the most active ransomware group in Q1 2024, accounting for 30% of the total attack volume for the quarter.

Across the globe, governments are increasingly collaborating on sanctions and cybersecurity regulations to cut off ransomware actors’ financial access. Law enforcement has also seized dark web leak sites, which has disrupted cybercriminal operations.

In January, the US Department of Justice announced it had disrupted the infrastructure of the online cybercrime marketplaces known as Cracked and Nulled. These were key marketplaces for selling stolen data and malware. Combined, they had over 10 million users worldwide.

Shifting Attitudes Toward Ransomware Payments

These shifting attitudes by governments and high-profile companies refusing to pay ransoms have set a precedent. They may have encouraged other organizations to prioritize resilience and recovery rather than compliance with cybercriminals.

Public and regulatory pressure has also likely contributed to the decline in ransomware payments by discouraging people from complying with attackers’ demands. For instance, ministers in the UK are currently considering a ban on all UK public bodies making ransomware payments.

Meanwhile, data recovery capabilities have improved, which means businesses can often restore their operations without having to pay attackers.

The Ransomware Paradox: More Attacks, Fewer Payouts

Despite rising attack numbers, cybercriminals are finding it harder to monetize their efforts. This shift creates new challenges for businesses while also opening up potential opportunities.

Cybercriminals Are Adapting

Some ransomware groups are turning to data extortion models, threatening to leak stolen data instead of encrypting files.

Leaked data can lead to severe breaches of privacy, identity theft, and loss of customer trust. It can lead to long-term reputational damage, as well as severe legal and regulatory consequences.

Meanwhile, other groups are targeting critical infrastructure, where the stakes for downtime are often higher.

What Businesses Must Do Next

To protect against ransomware gangs, businesses must double down on ransomware resilience and improve their cyber extortion defense.

This process involves making regular backups, using immutable storage that prevents backed-up data from being altered or deleted, and carrying out regular tabletop exercises so that teams understand how they would respond to an incident.

Businesses should also invest in proactive security measures, including endpoint detection and response (EDR), zero-trust networks, and 24/7 security monitoring.

Finally, businesses can improve their ransomware attack prevention strategies by continuously monitoring emerging ransomware tactics. They should focus especially on key areas such as cloud security and identity-based threats.

Businesses Must Remain Vigilant Against Ransomware Groups

The decline in ransomware payments is a positive sign, as it proves that strong security measures, law enforcement efforts, and shifting corporate policies are working.

However, the number of ransomware attacks is still on the rise, and businesses can’t afford complacency.

Proactive security strategies, robust recovery plans, and expert cybersecurity partnerships, like those offered by CyberMaxx, are crucial for staying ahead of evolving threats.
