Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience

Qilin ransomware, originally written in Go and later rewritten in Rust, targets Windows, Linux and VMware ESXi. In June 2024 an attack on London hospitals, claimed by Stinkbug (the name under which Symantec tracks the Qilin operation), caused considerable disruption. A newer variant, Qilin.B, adds stronger encryption and evasion techniques, and the attackers increasingly rely on living-off-the-land tools both to exfiltrate data and to impair security software. The trend is a concern for defenders because the sophistication of ransomware operations keeps growing. Affected: healthcare sector; Windows, Linux and ESXi platforms.

Keypoints :

  • Qilin ransomware targets multiple platforms including Windows, Linux, and ESXi.
  • Stinkbug claimed responsibility for a ransomware attack disrupting hospitals in London in June 2024.
  • Qilin.B encrypts files with AES-256-CTR and adds more effective evasion techniques.
  • After encryption the ransomware clears system event logs and deletes Volume Shadow Copies to hinder recovery.
  • Attackers increasingly use legitimate, dual-use tools both to exfiltrate data and to disable security software.
  • Double extortion (encrypting data and threatening to leak the stolen copy) is now the norm in ransomware attacks.
  • Tools commonly seen during intrusions and data theft include PowerShell, RDP, Cobalt Strike, WinRAR (for staging archives) and Rclone (for uploading data to cloud storage).
  • Remote access software such as AnyDesk, Atera and TeamViewer is frequently abused by attackers.
  • BYOVD (Bring Your Own Vulnerable Driver) techniques, which load a legitimately signed but vulnerable driver to gain kernel-level access, are used to disable security products.
  • Ransomware remains a significant threat in the cybercrime landscape for 2025.

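A detection sketch for the behaviour in the key points above (shadow-copy deletion and event-log clearing after encryption, Rclone exfiltration, and a heuristic for BYOVD driver loading), added here as an illustration; it is not code from Symantec, from the original article, or from the ransomware itself. The log format, rule names, sample events and the "kernel driver from a user-writable path" heuristic are assumptions made for this example:

```python
"""Heuristic detections for the post-encryption cleanup and
living-off-the-land exfiltration behaviour summarised above, run over
constructed process-creation events.  The log format, rule names and
sample events are assumptions made for this example; nothing here is
Symantec telemetry or code from the Qilin family."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, Sysmon-style process-creation events, one per line
# (timestamp, host, user, image, quoted command line).
SAMPLE_LOG = """\
2025-03-02T01:14:03 host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c vssadmin delete shadows /all /quiet"
2025-03-02T01:14:05 host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\wbem\\WMIC.exe cmdline="wmic shadowcopy delete"
2025-03-02T01:14:20 host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil cl Security"
2025-03-02T01:14:21 host=WS07 user=CORP\\jdoe image=C:\\Windows\\System32\\wevtutil.exe cmdline="wevtutil cl System"
2025-03-01T22:40:11 host=FS01 user=CORP\\svc_backup image=C:\\Users\\Public\\rclone.exe cmdline="rclone.exe copy D:\\Finance mega:dump --transfers 32"
2025-03-01T22:41:00 host=FS01 user=CORP\\svc_backup image=C:\\Windows\\System32\\sc.exe cmdline="sc create drv1 type= kernel binPath= C:\\Users\\Public\\drv1.sys"
2025-03-01T09:00:00 host=ADM02 user=CORP\\ops image=C:\\Windows\\System32\\vssadmin.exe cmdline="vssadmin list shadows"
"""

LINE_RE = re.compile(
    r'^(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline="([^"]*)"$'
)

# (rule name, ATT&CK technique, command-line pattern).  Patterns are kept
# narrow on purpose: "vssadmin list shadows" is routine admin work and
# must not fire; only the destructive verbs should.
RULES = [
    ("shadow_copy_deletion", "T1490",
     r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
     r"|wbadmin(\.exe)?\s+delete\s+catalog"),
    ("event_log_clearing", "T1070.001",
     r"wevtutil(\.exe)?\s+cl\s"),
    ("rclone_exfiltration", "T1567.002",
     r"rclone(\.exe)?\s+(copy|sync|move)\b"),
    # BYOVD heuristic (an assumption of this example): a kernel driver
    # service whose binary lives in a user-writable directory.
    ("kernel_driver_from_user_path", "T1562.001",
     r"\bsc(\.exe)?\s+create\b.*\btype=\s*kernel\b.*binpath=\s*"
     r"(c:\\users|c:\\programdata|c:\\windows\\temp)"),
]
COMPILED = [(n, t, re.compile(p, re.IGNORECASE)) for n, t, p in RULES]


def parse_events(text):
    """Turn raw log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, image, cmdline = m.groups()
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def match_rules(events):
    """Return one hit per (event, rule) pair whose command line matches."""
    hits = []
    for ev in events:
        for name, technique, rx in COMPILED:
            if rx.search(ev["cmdline"]):
                hits.append({"rule": name, "technique": technique, **ev})
    return hits


def cleanup_hosts(hits, window_seconds=600):
    """Hosts where shadow copies were deleted and event logs cleared
    within `window_seconds` of each other: the combined post-encryption
    cleanup the summary describes, a much stronger signal than either
    command on its own."""
    window = timedelta(seconds=window_seconds)
    by_host = defaultdict(lambda: defaultdict(list))
    for h in hits:
        by_host[h["host"]][h["rule"]].append(h["ts"])
    flagged = set()
    for host, rules in by_host.items():
        for t_del in rules.get("shadow_copy_deletion", []):
            if any(abs(t_del - t_clr) <= window
                   for t_clr in rules.get("event_log_clearing", [])):
                flagged.add(host)
    return flagged


if __name__ == "__main__":
    found = match_rules(parse_events(SAMPLE_LOG))
    for h in found:
        print(f"{h['ts']:%H:%M:%S} {h['host']:5} {h['rule']:30} "
              f"{h['technique']:9} {h['cmdline']}")
    print("post-encryption cleanup on:", sorted(cleanup_hosts(found)))
```

On the constructed sample, WS07 produces four hits and is flagged for post-encryption cleanup, FS01 produces the Rclone and driver-load hits, and the administrator on ADM02 listing shadow copies produces nothing. In production the single-command rules are leads to triage (Rclone and `sc create` have legitimate uses); the correlated shadow-deletion-plus-log-clearing signal is the one worth paging on.
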
MITRE Techniques :

  • TA0002: Execution – Remote access tools such as AnyDesk and TeamViewer used to run commands and drop payloads.
  • TA0010: Exfiltration – Legitimate tools such as Rclone used to copy data out of victim networks.
  • TA0040: Impact – AES-256-CTR file encryption and deletion of Volume Shadow Copies to inhibit recovery.
  • TA0007: Discovery – RDP and Cobalt Strike used to map the target network.
  • TA0011: Command and Control – Living-off-the-land techniques for remote command execution and data manipulation.
  • TA0006: Credential Access – PowerShell and related TTPs used to steal credentials during the intrusion.
  • TA0005: Defense Evasion – BYOVD, loading signed but vulnerable drivers to disable security tooling.

Indicator of Compromise :

  • [Tool] AnyDesk
  • [Tool] Atera
  • [Tool] Cobalt Strike
  • [Tool] Rclone

  Note: these are legitimate or dual-use tools rather than unique indicators; their presence is a lead to investigate, not proof of compromise on its own.


Full Story: https://symantec-enterprise-blogs.security.com/threat-intelligence/ransomware-trends-2025
