
In 2025, ransomware operations adopted aggressive social engineering techniques and moved to exfiltration-only extortion schemes.
Ransomware is holding strong as a lucrative business model for criminals. 2025 continued to see an increasing number of compromises, with some criminal groups switching to a data-extortion-without-encryption model. However, the percent of victims paying the ransom—regardless of whether encryption is involved in the extortion—continues to decrease year over year. This has resulted in lower total revenue for ransomware operators, marking a win for the good guys.
As with previous years, Red Canary’s visibility into the ransomware landscape focused on the early stages of the ransomware intrusion chain—the initial access, reconnaissance, lateral movement, privilege escalation, and command and control (C2) occurring before exfiltration or encryption. Focusing on detecting intrusions in their earliest stages continued to be a solid approach to stopping ransomware in 2025, so we’ll focus on sharing what has worked for us.
We observed very few intrusions make it to the final stages of data exfiltration or encryption. However, Akira made it into our monthly top 10 threat list for October, marking the first time we’ve seen a ransomware group in the list since November 2021.
In addition to Akira, in 2025 we observed data exfiltration or encryption activity related to Qilin, Play, and Inc ransomware. We also observed precursor activity that we assess would have led to Black Basta, RansomHub, and LockBit variants.
As in previous years, multiple threats in our top 10 have reportedly preceded ransomware encryptor deployment or other extortion activities. Check out each of these pages for ideas on how to take action to detect those threats:
We’ve previously shared the simplified ransomware intrusion chain below as a way to think about detecting across the entire intrusion, and this chain continued to hold up as a high-level approach to breaking down ransomware.
Here are some of the common techniques, tools, and procedures we observe across “pre-ransomware” intrusion stages.
Ransomware affiliates continue to use the same cast of characters for initial access, including phishing, valid credentials, and vulnerability exploitation. This year also continued a trend of ransomware affiliates utilizing aggressive social engineering techniques, like targeting the help desk through voice phishing.
Since at least August 2025, adversaries deploying Akira ransomware reportedly obtained initial access via misconfigured SonicWall VPNs or by exploiting SonicWall VPNs vulnerable to CVE-2024-40766. This SonicWall VPN vulnerability allows for unauthorized access to SonicWall VPN devices under certain conditions and was originally disclosed in August 2024 with an available patch released a day after disclosure. Nearly a year after the patch, Akira affiliates conducted a campaign targeting the same vulnerability or misconfiguration stemming from a failure to reset local account passwords with the update.
In observed Play, Qilin, and Akira intrusions, the affiliate adversaries exploited known Veeam vulnerabilities for initial access and privilege escalation: CVE-2023-27532, which targets the Veeam Backup & Replication component to obtain initial access, and CVE-2024-40711, a critical vulnerability that allows for remote code execution and privilege escalation.
In the observed instances exploiting CVE-2024-40711, the adversary added a user named “admon” [sic] to the administrator group by using Veeam.Backup.MountService.exe to spawn the process cmd.exe, with the following command line:
"C:\Windows\System32\cmd.exe" /c cmd.exe /c net localgroup Administrators Admon /add
The consistent exploitation of vulnerabilities years after their initial disclosure underscores the need to expediently patch and update devices, particularly edge devices that can allow initial access. Read more in the Vulnerabilities trend section of this report.
We also observed multiple email bombing campaigns, which continues the trend observed in 2024 of ransomware affiliates utilizing direct engagement to social engineer their targets. The email bombing campaigns followed the same pattern as observed in 2024, beginning with flooding a victim’s inbox with spam. Next, the adversary—posing as an IT admin offering to help with the email problem—contacted the user via phone or a link to join a Microsoft Teams call. Once in contact, the adversary guided the user into running a remote monitoring and management (RMM) tool like Microsoft Quick Assist.
Check out our social engineering training guide for steps to prevent email bombing campaigns.
We also observed ransomware affiliates use SEO poisoning to trick users into downloading trojanized installers of administrative tools like DBeaver and OpManager to obtain initial access. Upon execution, the malicious binary would drop the legitimate administrative tool as well as the malicious component. The malicious downloads eventually led to the deployment of additional malware, including ransomware encryptors.
Finally, as noted in the Stealers section, we continued to see increasing use of info-stealing malware, which adversaries use to sell valid credentials to ransomware affiliates to gain access.
As adversaries land on new systems, we regularly observe them conducting discovery with a combination of tools and the usual built-in commands:
ipconfig
whoami
net
nltest
This past year, we also observed ransomware affiliates using SoftPerfect Network Scanner to obtain information about network devices, Advanced Port Scanner to identify open ports, and SharpShares to enumerate accessible network shares. Adversaries also utilized BloodHound to obtain information about the Active Directory environment.
Ransomware affiliates quickly move laterally after gaining initial access, often attempting to move to unmonitored parts of the network. In fact, some intrusions progress from initial access to encryption in a matter of hours. In 2025, adversaries used what works, and what works is to use tools inherent to the system. To this end, adversaries used PsExec and net.exe to move to adjacent hosts or escalate privileges.
As antivirus and endpoint detection have become really good at detecting execution of malware, adversaries have been forced to double down on defense evasion methods to remain undetected through the entire intrusion chain. As mentioned, one method is to quickly pivot to unmonitored devices. Other methods include utilizing EDR killers or attempting to turn off features in security products.
Ransomware affiliates also drop and execute malware from standard Windows system folders, like the world-writable PerfLogs directory, likely in an attempt to bypass traditional security detection tools by utilizing trusted folders that do not need elevated permissions to write to.
This past year, we saw adversaries continue to abuse RMM tools. Adversaries use these tools to facilitate lateral movement, persistence, and command and control; we classify RMM usage under command and control, consistent with MITRE ATT&CK. RMM tools are an attractive option for adversaries because they offer robust sets of remote administration features with the veneer of legitimacy, as they are used for regular business functions.
This past year, we observed the following RMM tools deployed prior to ransomware encryptors:
2025 saw about 33 percent more ransomware victims than 2023 and 2024, according to ransomware leak site scrapers, continuing the year-over-year trend of increasing intrusions. Similarly, there is a near identical percentage increase in the number of active ransomware groups, according to the same ransomware leak site trackers.
Despite this, ransomware negotiators continue to report a decreasing percentage of victims that choose to pay the ransom. This trend of fewer victims paying is likely due to increased adoption of immutable backups and improved business recovery plans that mean many victims do not need the encryptor to recover from a ransomware intrusion.
Further, law enforcement takedowns have proven that ransomware operators do not delete data as promised, meaning that the word of ransomware operators in data leak extortion operations cannot be trusted.
Despite this, the ransomware ecosystem is still largely profitable. This is likely due to adversaries trending towards quantity of intrusions over high ransom payment demands—or big game hunting. Even with a lower percent of victims paying, the ransomware operators are able to achieve results by simply playing the numbers game. Further, ransomware operators can opt for easier targets and noisier intrusions, cutting bait when the victim identifies the intrusion early, as they know another victim is already in the pipeline.
After years reporting about trends towards double and triple extortion from ransomware affiliates, we have come full circle to ransomware groups that are engaging in extortion without any encryption. In these cases, the adversary will steal data and use threats of releasing the stolen information for leverage to extort victims. Intrusions that rely solely on data theft are less technically challenging, and can rely on living-off-the-land techniques and tools inherent to the operating system. Therefore, data theft can be accomplished more quickly and more stealthily than moving laterally and dropping encryptor malware. Threat groups that have adopted the extortion without encryption technique include Lapsus$, Cl0p, Hunters, and BianLian.
A notable trend from 2024 was an increase in aggressive social engineering tactics like voice phishing, and this trend has been adopted by even more ransomware operators in 2025. Adversaries are phishing the help desk and impersonating SaaS administrators in order to get users at the target organization to give them unfettered access.
In the intrusions we observed, the adversaries followed the email bombing playbook discussed above, with Quick Assist typically being the resulting RMM of choice. One of the most brazen social engineering tactics observed this year was Medusa ransomware adversaries offering a cut of the ransom profits to an employee in exchange for insider access, as reported by the BBC. This trend may indicate that adversaries are having less success with traditional phishing techniques and have pivoted to engaging employees directly.
The good news for defenders is that even though new techniques and tools have emerged, many ransomware techniques have remained the same for the past several years. Continuing to focus on detection across the entire ransomware intrusion chain—particularly ransomware precursors—remains an effective strategy to ensure ransomware incidents have minimal impact.
The tried-and-true guidance of patching known vulnerabilities remains a solid approach to preventing initial access, as many ransomware intrusions start this way. If an organization can’t keep up with patching all vulnerabilities, we recommend prioritizing based on vulnerabilities in internet-facing devices listed in CISA’s Known Exploited Vulnerabilities catalog.
An effective prevention strategy is increasing defender visibility across your network. Ransomware affiliates are adept at quickly pivoting to unmonitored parts of the network and any endpoints without security monitoring can create an attacker playground. Enhancing endpoint visibility by deploying detection and response sensors across systems limits adversaries’ freedom. In addition to reducing the number of unmonitored endpoints, consider these additional preventive measures:
When it comes to detecting ransomware, the earlier you detect it, the better. While you may not be able to prevent initial access, having detection in depth along multiple intrusion phases will increase the likelihood of identifying adversary behavior before the intrusion gets to exfiltration or encryption. We encourage you to check out the following Threat Detection Report pages for detection opportunities as all of these threats have been observed prior to encryption or exfiltration:
As adversaries conduct discovery about the environment, we’ve found they regularly perform similar commands. The following detection analytic can help identify nltest behavior that helps an adversary learn more about domain trusts. Of course, if this is a command that is commonly run in your environment, you’ll need to tune it, but in our experience nltest is fairly uncommon.
command == ('nltest /domain_trusts')
If the activity makes it all the way to ransomware, the following detection analytic reliably identifies adversaries deleting volume shadow copies. This is something we see the majority of ransomware groups do if they encrypt data and cause impact. While this is a detection of “last resort,” if you detect at this point and act quickly, you may be able to prevent further lateral movement and encryption.
command == ('vssadmin.exe delete shadows')
Start testing your defenses against Ransomware using Atomic Red Team—an open source testing framework of small, highly portable detection tests mapped to MITRE ATT&CK.
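As an added example (not Red Canary's code or the report's analytics engine), here are the two command-line analytics above, plus a parent/child rule for the Veeam.Backup.MountService.exe pattern from the initial access section, run over constructed process-creation events. The hostnames, the Veeam install path, and the rule labels are assumptions; the command lines match the ones quoted in this section.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    host: str
    parent_image: str
    image: str
    command_line: str

def _norm(cmd: str) -> str:
    # Collapse whitespace and lowercase so "NLTEST  /Domain_Trusts" still matches.
    return " ".join(cmd.split()).lower()

def rule_nltest_domain_trusts(ev: ProcEvent) -> bool:
    # command == ('nltest /domain_trusts'), normalised for case and spacing
    return "nltest /domain_trusts" in _norm(ev.command_line)

def rule_vssadmin_delete_shadows(ev: ProcEvent) -> bool:
    # command == ('vssadmin.exe delete shadows'); also matches without the .exe suffix
    return re.search(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", _norm(ev.command_line)) is not None

def rule_veeam_mountservice_localgroup_add(ev: ProcEvent) -> bool:
    # Veeam.Backup.MountService.exe spawning cmd.exe that adds a member to Administrators
    parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
    cmd = _norm(ev.command_line)
    return parent == "veeam.backup.mountservice.exe" and "net localgroup administrators" in cmd and "/add" in cmd

RULES = {  # labels are assumptions; ATT&CK IDs are the ones named in this section
    "T1482 nltest domain trust discovery": rule_nltest_domain_trusts,
    "T1490 vssadmin shadow copy deletion": rule_vssadmin_delete_shadows,
    "Veeam MountService spawning local admin add": rule_veeam_mountservice_localgroup_add,
}

def evaluate(events):
    """Return (host, rule_label, command_line) for every event a rule matches."""
    return [(ev.host, name, ev.command_line) for ev in events for name, rule in RULES.items() if rule(ev)]

# Constructed sample events, not real telemetry; the Veeam path is an assumption.
SAMPLE_EVENTS = [
    ProcEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Windows\System32\ipconfig.exe", "ipconfig /all"),
    ProcEvent("ws01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\nltest.exe", "NLTEST  /Domain_Trusts"),
    ProcEvent("bkp01", r"C:\Program Files\Veeam\Backup\Veeam.Backup.MountService.exe", r"C:\Windows\System32\cmd.exe",
              r'"C:\Windows\System32\cmd.exe" /c cmd.exe /c net localgroup Administrators Admon /add'),
    ProcEvent("srv02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent("srv02", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\vssadmin.exe", "vssadmin list shadows"),
]

if __name__ == "__main__":
    for host, label, cmd in evaluate(SAMPLE_EVENTS):
        print(f"{host}: {label}: {cmd}")
```

The benign ipconfig and "vssadmin list shadows" events produce no hits, which is the tuning point the text raises: match the exact destructive or discovery command, not the binary name.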
The best strategy for testing your defenses against ransomware is actually to emulate and test your ability to detect the precursors that commonly deliver ransomware as a later stage payload. Likewise, consider exploring the testing sections in this report for:
In addition to that, T1490: Inhibit System Recovery includes relevant tests for deletion of volume shadow copies and T1482: Domain Trust Discovery includes tests that leverage the nltest command to discover information about domain trust relationships.
Now that you have executed one or several common tests and checked for the expected results, it’s useful to answer some immediate questions:
Repeat this process, performing additional tests related to this technique. You can also create and contribute tests of your own.