38% drop in encryption over the past 12 months as more cybercriminals turn to silently exfiltrating data for extortion as their main stock in trade.

Picus' suggestion that the volume of ransomware attacks is dropping is disputed by other experts. Tony Anscombe, chief security evangelist at endpoint security vendor Eset, offered a contrasting perspective.

"In the recent Eset H2 2025 Threat Report, the detection data shows a 13% increase between H1 and H2, coupled with the number of publicly reported victims increasing by 40% reported via ecrime.ch, then it [ransomware] does not appear to be in decline," Anscombe tells CSO.

Nick Hyatt, senior threat intelligence consultant at cybersecurity services firm GuidePoint Security, says data on more than 7,000 victims was publicly posted last year, a figure that likely excludes "victims who paid and were never posted by the threat actor."

Far from showing any signs of consolidation, the number of active ransomware groups hit an all-time high last year, according to GuidePoint.

"Threat actors streamlined their attack capabilities, using a mix of established techniques, vulnerability exploitation, and novel attacks to execute on their objectives," says Hyatt.
Rogues gallery:

Experts polled by CSO commonly rated Qilin, Cl0p and Akira as among the most active ransomware groups, but there was no shortage of other contenders.

"Akira stands out as the No. 1 ransomware group today from Huntress' 2025 data," says Dray Agha, senior manager of security operations at managed detection and response firm Huntress. "Their tradecraft is rapidly evolving specifically to neutralize existing security solutions, and we are seeing them aggressively target the hypervisor level to completely bypass traditional endpoint security protections."

Collin Hogue-Spears, senior director distinguished technical expert at application security firm Black Duck Software, says that ransomware operators have stopped operating like organized crime and started operating like a platform business.

"Qilin posted over 1,000 victims in 2025, a seven-fold increase over the prior year," according to Hogue-Spears. "LockBit 5.0 clawed back to operational capacity after its takedown."

Meanwhile, the Scattered Spider/Lapsus$/ShinyHunters (SLSH) federation is running extortion-as-a-service, an approach that makes it easier for less technically skilled cybercriminals to make a dishonest living. SLSH has created a "structural shift" in the cybercrime ecosystem.

"Seventy-three new groups appeared in six months because they no longer need to build their own tooling," says Hogue-Spears. "They rent it."
New threat techniques require security rethink:

Vasileios Mourtzinos, a member of the threat team at managed detection and response firm Quorum Cyber, says that more groups are moving away from high-impact encryption towards extortion-led models that prioritize data theft and prolonged, low-noise access.

"This approach, popularized by actors such as Cl0p through large-scale exploitation of third-party and supply chain vulnerabilities, is now being mirrored more widely, alongside increased abuse of valid accounts, legitimate administrative tools to blend into normal activity, and in some cases attempts to recruit or incentivize insiders to facilitate access," Mourtzinos says.

The evolving tradecraft of ransomware groups should prompt a rethink of defensive strategies.

"For CISOs, the priority should be strengthening identity controls, closely monitoring trusted applications and third-party integrations, and ensuring detection strategies focus on persistence and data exfiltration activity," Mourtzinos advises.
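The advice above, to point detection at data exfiltration rather than waiting for encryption to fire an alarm, can be made concrete with a per-host egress baseline: a host that normally sends tens of megabytes a day to a handful of known services and suddenly pushes gigabytes to a destination it has never talked to is the signal an extortion-only crew leaves behind, whether or not the tool doing the upload is a legitimate sync utility. The following is an added example and is not code from the CSO article, from Quorum Cyber or from any other vendor quoted here; the egress log format, the sample lines, the host and destination names and the thresholds are all constructed assumptions for illustration.

```python
"""Added example (not from the CSO article or any vendor quoted in it):
a per-host egress baseline that flags exfiltration-sized transfers and
unfamiliar destinations. Log format, sample lines and thresholds are
constructed assumptions."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed egress records; format assumed here:
# "<ISO timestamp> <host> <user> <destination> <bytes_out>"
BASELINE_LOG = """
2025-11-03T09:12:00 ws-finance-07 j.doe crm.example.com 50000000
2025-11-04T10:05:00 ws-finance-07 j.doe crm.example.com 51000000
2025-11-04T16:20:00 ws-finance-07 j.doe mail.example.com 9000000
2025-11-05T09:48:00 ws-finance-07 j.doe crm.example.com 45000000
2025-11-05T14:02:00 ws-finance-07 j.doe mail.example.com 7000000
2025-11-03T11:30:00 ws-eng-12 a.lee git.example.com 290000000
2025-11-04T11:35:00 ws-eng-12 a.lee git.example.com 305000000
2025-11-05T12:10:00 ws-eng-12 a.lee git.example.com 300000000
"""

# Constructed detection window: a finance workstation uploads ~12 GB at
# 02:00 to a destination it has never used; an engineering box is normal.
WINDOW_LOG = """
2025-11-10T02:17:00 ws-finance-07 j.doe cloud-sync.exampledrive.net 6200000000
2025-11-10T02:41:00 ws-finance-07 j.doe cloud-sync.exampledrive.net 5900000000
2025-11-10T09:30:00 ws-finance-07 j.doe crm.example.com 47000000
2025-11-10T11:00:00 ws-eng-12 a.lee git.example.com 310000000
"""


def parse(log_text):
    """Parse the constructed format into one dict per line."""
    records = []
    for line in log_text.strip().splitlines():
        ts, host, user, dest, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "user": user, "dest": dest, "bytes": int(nbytes)})
    return records


def daily_totals(records):
    """host -> {date -> total bytes_out on that day}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["host"]][r["ts"].date()] += r["bytes"]
    return totals


def build_baseline(records):
    """host -> mean daily egress and the set of destinations seen in the baseline."""
    dests = defaultdict(set)
    for r in records:
        dests[r["host"]].add(r["dest"])
    return {host: {"mean_daily": mean(days.values()), "dests": dests[host]}
            for host, days in daily_totals(records).items()}


def detect_exfil(window_records, baseline, ratio=10.0,
                 min_bytes=1_000_000_000, new_dest_min_bytes=100_000_000):
    """Flag a host-day whose egress is large in absolute terms and far above
    that host's own baseline, and list unfamiliar destinations that received
    a meaningful amount. Thresholds are assumptions to tune per estate."""
    alerts = []
    for host, days in daily_totals(window_records).items():
        base = baseline.get(host)
        for day, total in sorted(days.items()):
            reasons = []
            # A host with no baseline is judged on absolute volume only.
            if total >= min_bytes and (base is None or total > ratio * base["mean_daily"]):
                reasons.append("volume")
            per_dest = defaultdict(int)
            for r in window_records:
                if r["host"] == host and r["ts"].date() == day:
                    per_dest[r["dest"]] += r["bytes"]
            new_dests = sorted(d for d, n in per_dest.items()
                               if base is not None and d not in base["dests"]
                               and n >= new_dest_min_bytes)
            if new_dests:
                reasons.append("new_destination")
            if reasons:
                alerts.append({"host": host, "date": day.isoformat(), "bytes": total,
                               "reasons": reasons, "new_dests": new_dests})
    return alerts


def run_example():
    """Run the detector over the constructed window against the constructed baseline."""
    return detect_exfil(parse(WINDOW_LOG), build_baseline(parse(BASELINE_LOG)))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The baseline is per host rather than a single fleet-wide byte threshold, because a developer pushing 300 MB of repositories a day is ordinary while the same volume from a finance workstation is not; the two reasons are reported separately so an analyst can see whether a hit is only a burst to a known service or, as here, a burst to somewhere the host has never contacted. Feeding real proxy or NetFlow exports into the same shape of record is the practical step that turns this into a detection.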
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4137010/ransomware-groups-switch-to-stealthy-attacks-and-long-term-access.html