
Report: Q1 2025 ransomware trends and actors to watch

Eighty ransomware operations were active in the first quarter of 2025, with 13 new groups identified and Australia emerging as a popular target.


Rapid7 Labs has released its latest quarterly ransomware report, and – pretty much as always – the numbers paint a picture of an evolving criminal landscape as new actors emerge and established operators continue to expand affiliate operations.

And yet, it’s a landscape becoming increasingly set in its ways.

“Established threat actors and relative newcomers are taking an ‘if it ain’t broke, don’t fix it’ approach, shunning unpredictability for proven revenue generation techniques,” Rapid7 Labs’ researchers said in an 8 April blog post.

“And, in almost all cases, the name of the game is data exfiltration and blackmail via leak site posts.”

Top operators

There were 80 ransomware groups active between 1 January and 31 March, with 13 of them being newly observed operations. These new groups include Ailock, the Belsen Group, CrazyHunter, Cs-137, D0Glun, and GD LockerSec.

Clop was the most prolific ransomware group, with 413 posts made on its darknet leak site. Babuk came in at number three and Babuk-Bjorka at number four. Rapid7 noted, however, that all three groups earned their places on the basis of the number of posts made to their leak sites, not the number of distinct leaks, so the figures should not be read as a count of confirmed victims.

Here’s the full top 10, ranked by the number of leak-site posts made in the first three months of 2025:

1. Clop: 413
2. RansomHub: 232
3. Babuk: 168
4. Babuk-Bjorka: 163
5. Akira: 135
6. Lynx: 115
7. Qilin: 111
8. FunkSec: 96
9. Cactus: 94
10. Play: 84


The big trends

The Black Basta ransomware group appears to have self-destructed after its chatlogs were widely leaked in February. These logs confirmed a trend that Rapid7 had long suspected – that ransomware gangs were investing their profits into buying zero-day vulnerabilities.

“Within the Black Basta chat logs, we observed that on November 23, 2023, the group was offered a zero-day exploit targeting Ivanti Connect Secure for their purchase,” Rapid7 said.

“The exploit came with an asking price of US$200,000 and is described by the seller as an unauthenticated RCE exploit, leveraging an unknown memory corruption vulnerability.”

Rapid7 does not know whether the purchase actually went ahead. However, the exploit as described does not appear to match any of the Ivanti CVEs disclosed during that period, which suggests the underlying flaw may still be unpatched.

Another new trend is the reuse of previously leaked data. The Babuk group has been reposting old data from earlier RansomHub, FunkSec and LockBit leaks, and FunkSec has done the same on several occasions. Even LockBit turned to recycling old data after aggressive law enforcement activity disrupted its usual hacking operations.

Tactics

Ransomware-as-a-service has established itself as a “key tactic” that allows affiliates to shop around for the ransomware group of their choice before buying into established software and infrastructure that allows them to begin targeting victims practically immediately.

And when making those attacks, double extortion – encrypting data and also threatening to publish stolen copies of it on the dark web – remains popular. At the same time, some groups are lowering their ransom demands to convince more, and smaller, victims to pay. FunkSec has been observed demanding ransoms as (relatively) low as US$10,000.

While some ransoms are dropping, the time to make contact and negotiate a settlement remains highly varied between groups. Clop, for instance, relies upon pressuring victims to respond within 24 hours, while RansomHub provides deadlines of between 72 hours and 90 days.

Another emerging trend is what Rapid7 is calling “reportage-style commentary” regarding a victim’s alleged security failings. Cyber Daily observed this tactic in the recent ransomware attack on the Pound Road Medical Centre in Victoria by the Anubis operation. In that case, Anubis listed alleged failings that led to a leak of patient data and poor security practices within the medical centre itself.

“Newer groups hungry for publicity and affiliate network building will potentially look to emulate the Anubis approach and do a little reportage style journalism of their own,” Rapid7 said.

“Gimmicks sell and grab publicity, and reputational damage from data leaks may well go hand in hand with regulatory embarrassment and bad publicity.”

The full report, 2025 Ransomware: Business as Usual, Business is Booming, is available from Rapid7 Labs.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
