As we enter 2025, the ransomware landscape remains dominated by financially motivated attacks, despite some groups shifting towards non-financial objectives. Law enforcement actions have disrupted major players like LockBit and BlackCat, leading to the rise of smaller, agile ransomware groups such as RansomHub, BlackLock, Lynx, FOG, and BASHE. These groups have leveraged innovative affiliate models and diverse tactics, continuing to pose significant threats to various sectors, particularly healthcare.
Affected: RansomHub, LockBit, BlackCat, BlackLock, Lynx, FOG, BASHE, healthcare sector.
Key points:
- The ransomware landscape is evolving with a focus on financially motivated attacks.
- Law enforcement actions have disrupted major ransomware groups, creating opportunities for smaller actors.
- RansomHub emerged as a leading affiliate program in 2024, attracting numerous affiliates with a favorable payment model.
- BlackLock and Lynx also gained prominence, targeting critical enterprise assets and multiple sectors.
- FOG and BASHE introduced unique operational models, emphasizing adaptability and affiliate support.
- The overall trend indicates a continued rise in ransomware attacks, with a diverse range of tactics and victimology.
MITRE Techniques:
- T1190 – Exploit Public-Facing Application: Ransomware groups exploited vulnerabilities in publicly facing services.
- T1566.001 – Spearphishing Attachment: Initial access was often gained through phishing emails carrying malicious attachments.
- T1562.001 – Disable Security Tools: Attackers deployed EDR-specific malware to disable endpoint security.
- T1021.001 – Remote Desktop Protocol: RDP was commonly used for lateral movement within networks.
- T1486 – Data Encrypted for Impact: Ransomware encryption was a universal attribute of attacks.
Indicators of Compromise:
- No IoCs provided.