Ransomware attacks have surged 179% compared with mid-2024 levels, driven by the rise of new RaaS operators, according to threat intelligence firm Flashpoint.

While once-notorious groups such as LockBit and BlackCat have fallen from prominence following law enforcement crackdowns, the firm found that emerging players are adopting new tactics.

Some groups, such as World Leaks and RansomHub, are moving away from traditional encryption in favour of pure extortion: stealing data and threatening to leak it without locking victims’ files.

Others are recycling leaked source code from defunct gangs or rebranding under new names, perpetuating a cycle of cybercrime.

Flashpoint also identified the use of AI tools in operations: Funksec, for example, has deployed AI-generated phishing lures and a malicious chatbot named “WormGPT”.

Meanwhile, China-linked adversaries continue to demonstrate significant capabilities in cyberespionage.

CrowdStrike has also warned of a threat actor it tracks as Murky Panda, which has targeted government, technology, academic, legal, and professional services organisations across North America since at least 2023.

Unlike financially motivated RaaS groups, Murky Panda’s activity is driven by intelligence collection.

The group has repeatedly exploited zero-day and n-day (publicly known but not yet patched) vulnerabilities in internet-facing devices and cloud environments, and frequently pivots into victim networks through trusted third-party relationships rather than attacking them directly.

CrowdStrike investigators found the adversary capable of compromising software-as-a-service (SaaS) providers and cloud solution providers, enabling access not only to primary victims but also to their downstream customers.

The group also deploys a custom Linux-based malware family known as CloudedHope, which features anti-analysis measures and remote access capabilities. Its use of sophisticated operational security, such as modifying logs to evade detection, has made it difficult to track.
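Log tampering of the kind described above is only hard to spot when the logs themselves carry no integrity protection. The following added example (not CrowdStrike's code or anything from its report) shows one standard countermeasure: each record is HMAC-chained to its predecessor with a key the logging host does not hold, so an intruder with write access to the log file cannot silently alter or remove entries. The events, the key and the helper names are all constructed for illustration.

```python
import copy
import hashlib
import hmac
import json

# Constructed demo key. In practice the key lives only on the collector that
# verifies the chain, never on the host whose logs are being protected.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64

# Constructed sample events resembling the authentication activity an
# intruder might want to scrub.
SAMPLE_EVENTS = [
    {"ts": "2025-08-01T09:12:03Z", "event": "login", "user": "svc-backup", "src_ip": "203.0.113.7"},
    {"ts": "2025-08-01T09:12:41Z", "event": "priv_escalation", "user": "svc-backup", "src_ip": "203.0.113.7"},
    {"ts": "2025-08-01T09:13:10Z", "event": "file_access", "user": "svc-backup", "path": "/etc/shadow"},
    {"ts": "2025-08-01T09:15:55Z", "event": "logout", "user": "svc-backup", "src_ip": "203.0.113.7"},
]


def _digest(key, prev_hash, record):
    """HMAC over the previous hash plus a canonical JSON form of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, (prev_hash + "\n" + canonical).encode(), hashlib.sha256).hexdigest()


def append_record(chain, key, record):
    """Append one record, binding it to the current tail of the chain."""
    prev = chain[-1]["hash"] if chain else GENESIS
    entry = {"seq": len(chain), "record": record, "prev": prev, "hash": _digest(key, prev, record)}
    chain.append(entry)
    return entry


def build_chain(events, key):
    chain = []
    for ev in events:
        append_record(chain, key, ev)
    return chain


def verify_chain(chain, key, anchor=None):
    """Return (ok, problems). `anchor` is the last hash as recorded off-host;
    without it, removal of trailing entries cannot be detected."""
    problems = []
    prev = GENESIS
    for pos, entry in enumerate(chain):
        if entry["seq"] != pos:
            problems.append(f"sequence gap at position {pos}: found seq {entry['seq']}")
        if entry["prev"] != prev:
            problems.append(f"broken link at seq {entry['seq']}: prev hash does not match predecessor")
        expected = _digest(key, entry["prev"], entry["record"])
        if not hmac.compare_digest(entry["hash"], expected):
            problems.append(f"record {entry['seq']} modified: HMAC mismatch")
        prev = entry["hash"]
    if anchor is not None and prev != anchor:
        problems.append("tail does not match external anchor: entries removed or rewritten")
    return (not problems, problems)


def demo():
    """Exercise the verifier against an intact chain and three tampering cases."""
    chain = build_chain(SAMPLE_EVENTS, KEY)
    anchor = chain[-1]["hash"]  # what the collector would have recorded off-host
    results = {"intact": verify_chain(chain, KEY, anchor)[0]}

    # Attacker rewrites the source IP on the privilege-escalation event.
    modified = copy.deepcopy(chain)
    modified[1]["record"]["src_ip"] = "10.0.0.5"
    results["modified"] = verify_chain(modified, KEY, anchor)[0]

    # Attacker deletes the privilege-escalation event from the middle.
    deleted = copy.deepcopy(chain)
    del deleted[1]
    results["deleted"] = verify_chain(deleted, KEY, anchor)[0]

    # Attacker truncates the tail: caught only if the last hash was anchored elsewhere.
    truncated = chain[:-1]
    results["truncated_with_anchor"] = verify_chain(truncated, KEY, anchor)[0]
    results["truncated_no_anchor"] = verify_chain(truncated, KEY, None)[0]
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:22s} -> {'OK' if ok else 'TAMPERING DETECTED'}")
```

The last two cases carry the practical caveat: a hash chain alone proves internal consistency, so an intruder who simply drops the newest entries leaves a chain that still verifies. Shipping each record (or at least the current tail hash) to a collector the compromised host cannot write to is what turns the chain into a tamper-evident record.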

Taken together, the findings show that the fall of once-notorious groups has not diminished the threat: criminal collectives regroup under new names while state-linked actors keep operating.

As Flashpoint notes, more than 29 ransomware gangs ceased operations this year, but many are expected to re-emerge under new names.

With both criminal and state-linked actors evolving their techniques, organisations face a dual challenge: protecting against profit-driven extortion and defending sensitive data from geopolitical espionage.
