Extortion and Ransomware Trends January-March 2025

Unit 42 has released its findings on current ransomware trends, noting that attackers are increasingly claiming compromises that cannot be substantiated, working together with nation-state actors, targeting cloud systems and using insider threats to carry out extortion.
The report shows that in incidents investigated between January-March 2025, 86% involved business disruption, either in terms of operational downtime, reputational damage, or both.
In terms of public data posted to ransomware leak sites during the same period, RansomHub was most commonly reported, with 254 incidents, followed by CL0P with 210 and Akira with 147.
retalated incidents varied by industry, with Manufacturing, Wholesale and Retail, Professional Services and High Technology seeing the highest numbers of reported incidents.
The report warns that ransomware remains a serious and evolving threat, with cybercriminals continuing to develop new ways of gaining access to corporate systems.
Unit 42 recommends that organisations review their security to protect against these new developments.

Fast Feed