DataBreaches.Net
- Power company in Japan fears data breach after losing storage drive containing customer details
CyberScoop
FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person
Silent Ransom Group, a long-running data extortion operation, continues to hit U.S.-based law firms by impersonating IT support and, in some cases, visiting victims in person to gain physical access to computers, the FBI said in an alert Tuesday.
The closed group, which likely operates from Russia and emerged in 2022 after Conti disbanded, has claimed responsibility for more than 100 attacks with activity surging during the past few months, according to researchers.
The FBI’s warning comes exactly one year after the agency released a previous alert about Silent Ransom Group consistently targeting law firms since mid-2023. The group doesn’t deploy encryption, but its dual use of social engineering and in-person visits for data theft is extremely rare with no known parallels across the vast cybercrime ecosystem, multiple experts told CyberScoop.
“There were probably a lot of times that this failed before it started succeeding because there’s a lot of trial-and-error involved,” said Allan Liska, field chief information security officer at Recorded Future. Whereas other ransomware groups would rather move on to other tactics or targets, “Silent Ransom Group has seen the value especially in going after law firms, and so they’re willing to put the extra effort into it,” he added.
The data extortion group, which is also tracked as Chatty Spider, UNC3753 and Storm-0252, isn’t as prolific as more high-tempo ransomware groups. Yet, it’s having a noticeable impact due to its proven knack for attacking organizations in the legal sector.
Halcyon tracked 134 ransomware incidents against law firms and legal services during the first quarter of this year, making it the fourth-most targeted industry, accounting for more than 6% of all ransomware attacks the company tracked during the period.
Silent Ransom Group and Inc, a ransomware-as-a-service operation dating back to mid-2023, are largely responsible for that uptick, said Cynthia Kaiser, senior vice president at Halcyon’s Ransomware Research Center.
“Silent was the first group to really just be targeting law firms, and they’ve targeted major law firms” with a clear understanding of what’s most problematic for organizations in that segment, she added. “The theft of data in and of itself is the biggest issue for the law firms, so they’re tailoring a lot of their operations around what they know about the sector.”
Law firms are a rich target because data theft creates major attorney-client privilege and reputational problems, which creates the perception that they may be more willing to pay high extortion demands, Kaiser said.
Silent Ransom Group’s social engineering scheme involves phone calls or phishing emails that urge employees to call one of the group’s associates posing as IT support, the FBI said. If the group’s attempt to gain access to the employee’s computer via remote access tools fails, it sends an associate to the victim’s location to physically attach a storage device to the victim’s workstation.
This extra step is unique and places Silent Ransom Group in a completely different mode of operation than its peers in ransomware and data theft extortion. Some aggressive data theft extortion groups have harassed and threatened executives and employees with physical violence, but in-person visits for data theft are extraordinary.
“While Flashpoint has observed threat actors soliciting or co-opting both witting and unwitting insiders, we have not observed them physically sending attackers to victim locations. This tactic carries significant risk, as threat actors are able to use technology to obscure their real-world identities,” said Ian Gray, vice president of cyber threat intelligence operations at Flashpoint.
Joe Slowik, director of cybersecurity alerting strategy at Dataminr, said it’s easy to question why potential victims would fall for this tactic. “However, humans in the workplace need to implicitly trust others to get their jobs done,” he said.
“Questioning everything, while seemingly desirable, introduces significant friction and distrust in workplace environments and limits productivity in arbitrary ways,” Slowik added. “Criminal entities will continue to prey on human weaknesses and dependencies for success, and placing the burden solely on employees to defend against this is unfair and unreasonable.”
The FBI did not provide details about the people Silent Ransom Group uses to initiate the fake IT support calls or visit victims in person. Yet, with the group’s operators based in Russia, researchers speculate gig workers or subcontractors are playing a critical role by placing voice-based phishing calls in a common language and visiting victims at their workplace.
Liska said he’s under the impression the group is using freelance taskers that don’t necessarily know they are committing a crime. “They may be suspicious, but you know, they need the money,” he said.
“It’s kind of like a Doordash person that delivers Arby’s,” Liska said. “You know you’re doing really bad things to people, but you know what, they’re paying you to deliver.”
The post FBI warns US-based law firms to be on the lookout for cybercrime group that steals data in person appeared first on CyberScoop.
UK: Victims feel ‘violated’ after water firm’s data breach
DataBreaches.Net
- Michigan Nurse Convicted in $1.6M Medicare Fraud Scheme Using Stolen Patient Records
White House cyber official: identity security matters more than ever in the age of AI
As AI becomes more integrated into federal IT (and attacker toolsets) government agencies will need to focus their resources on regulating and monitoring the identities that access their network, a top White House cybersecurity official said Thursday.
Nick Polk, branch director for federal cybersecurity in the Executive Office of the President, said that while AI models will present unique threats to federal networks, they will still generally require trusted access first, something defenders can use to their advantage.
“I think the important thing is that in many cases in order to use and exploit the vulnerabilities that [AI] might find, or use them in a manner…that could be malicious or adversarial, the first thing you have to do is get into the network,” Polk said at the Rubrik Public Sector Summit presented by FedScoop. “There are some cases where your software is facing the internet, there’s a little bit of an easier solution there, but most times you have to get into the network.”
That often means exploiting the access an employee, contractor or third-party vendor has to your systems and data. Even in an AI-powered future, the network security boundary still matters, providing organizations with meaningful control over who gets access to their systems and data and how.
“That’s really where strong identity is still really critical in order to [first] repel an attempted exploitation before it can happen or, [second,] identify very quickly that this person or this machine really shouldn’t be on the network” or is behaving anomalously, Polk said.
However, even before large language models emerged, cybercriminals and foreign adversaries were increasingly compromising organizations not with malware or sophisticated exploits, but by gaining network access through stolen accounts, credentials, and other trusted assets.
Federal identity security, already a concern, is now set to become more critical in the age of AI.
Justin Ubert, director of cyber protection at the Department of Transportation, said beyond speed and scale, AI tools have given malicious hackers other advantages, like obviating the need for stealth.
“Now, you can have a smash-and-grab of your network that’s faster than you can respond to because…there’s no need to be quiet: just go in, grab and go [home],” said Ubert. “By the time your fences are working as they’re supposed to be, as we designed them to be, they’re already gone.”
AI tools can also easily become insider threats. Even when operators restrict an agent’s ability to perform sensitive actions like downloading or exfiltrating data without human input, models have bypassed those guardrails by exploiting obscure technical loopholes.
Research released last month by the University of California-Riverside found that automated AI agents “can become dangerously fixated on completing assignments without recognizing when their actions are harmful, contradictory or simply irrational.”
The study, which examined Anthropic’s Claude Sonnet and Opus 4, as well as OpenAI’s ChatGPT-5, found that model agents struggled with contextual reasoning, had biases towards taking action (i.e. figuring out how to do something instead of whether to do it) and would frequently get tripped up by contradictory or infeasible goals.
Anna Libkhen, acting CISO for the Bureau of Economic Analysis at the Department of Commerce, said that AI has become “much more clever in hiding how it managed to penetrate and attack and come through as a trustworthy source.”
When asked how the federal government was working to address current gaps in identity security that are increasingly being exploited by AI systems, Libkhen said federal leaders are “peeing in their pants” before adding “at least I am.”
“It is scary, yes, we are very vulnerable,” Libkhen said.
She compared the use of AI agents to teaching a child to ice skate: the first thing you teach them is how to handle a fall and recover. Likewise, organizations will need to plan for when their agents fail and quickly recover lost assets.
“Our agents will go wrong, they will do things we don’t expect them to. How do we get up?” said Libkhen. “Do we have that third set of data because that agent erased the database and the backup? Is it safe elsewhere? What kind of holes can you anticipate and what will it take for us to recover from those holes?”
The post White House cyber official: identity security matters more than ever in the age of AI appeared first on CyberScoop.
DataBreaches.Net
- Maryland pharmacist indicted on unauthorized computer access related to U. Maryland Medical Center
FBI Warns of Surge in Hacker-Enabled Cargo Theft
A new alert from the FBI says criminal enterprises are hacking both brokers and carriers to steal cargo for resale.
The post FBI Warns of Surge in Hacker-Enabled Cargo Theft appeared first on SecurityWeek.
Two new extortion crews are speedrunning the Scattered Spider playbook
A pair of persistent and problematic threat groups affiliated with The Com are actively targeting organizations across multiple critical infrastructure sectors for rapid data theft and extortion attacks, according to CrowdStrike.
The financially motivated attackers, which CrowdStrike tracks as Cordial Spider and Snarky Spider, have used voice-phishing and social engineering attacks to break into victims’ identity platforms and traverse SaaS environments since at least October 2025, the company said in a report Thursday, which it shared exclusively with CyberScoop prior to release.
Adam Meyers, senior vice president of counter adversary operations at CrowdStrike, said the subgroups composed of native English speakers primarily target U.S.-based organizations in the academic, aviation, retail, hospitality, automotive, financial services, legal and technology sectors.
This “new wave of ecrime threat actors” are closely aligned with Scattered Spider and linked to other subsets of The Com, including SLSH and ShinyHunters, Meyers said.
Because these attacks target identity systems and can expose data in other connected services beyond the initial breach point, it’s difficult to determine how many victims have been caught up in these campaigns.
CrowdStrike’s warning closely follows research Palo Alto Networks’ Unit 42 and the Retail & Hospitality Information Sharing and Analysis Center shared last week about Cordial Spider’s string of attacks targeting organizations in the retail and hospitality industry, among others.
Cordial and Snarky Spider have set lures via voice calls, text messages and emails directing targeted employees to phishing pages posing as their employer’s legitimate single sign-on page or primary identity provider, researchers said.
These phishing pages, which capture credentials, session keys or tokens, depending on the workflow, provide attackers an entry point into systems, which they exploit for widespread access across victims’ entire SaaS ecosystems.
Attackers use these initial hooks to remove and establish multi-factor authentication devices, then delete emails and other alerts that would otherwise warn organizations of potential malicious activity, researchers said.
The data theft for extortion campaigns share striking similarities, but CrowdStrike said the tactics, techniques and procedures for each subgroup are distinct. These variances include hours of operation, different phishing domain providers, preferred operating systems, data leak sites, and the tools or devices they used to register for multi-factor authentication.
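The chain described above (phished SSO credentials or session token, a new MFA device enrolled, then the alerts that would have warned the organization deleted) leaves a trail in identity-provider and mailbox audit logs even though each event looks routine on its own. The following Python example is added here and is not code from CrowdStrike, Unit 42 or the groups' tooling: it correlates those stages per user inside a one-hour window over a handful of constructed log events. The event schema, field names, usernames and ASN numbers are assumptions made for the example, not any vendor's real log format; the flagged-ASN set stands in for the residential-proxy ranges an organization would maintain itself.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumed for this example only: ASNs the organization has tagged as
# residential-proxy exits. Private-use ASN numbers, not any real provider.
FLAGGED_ASNS = {64512, 64513}
WINDOW = timedelta(minutes=60)

# Constructed audit events in a generic schema (not a real vendor log format).
SAMPLE_EVENTS = [
    # j.doe: full chain - proxy-ASN login, new MFA factor, rule deleting security mail
    {"ts": "2026-05-12T13:02:10Z", "user": "j.doe", "type": "login.success", "asn": 64512},
    {"ts": "2026-05-12T13:05:40Z", "user": "j.doe", "type": "mfa.factor.enroll", "factor": "totp"},
    {"ts": "2026-05-12T13:09:00Z", "user": "j.doe", "type": "mail.rule.create",
     "match": "security alert", "action": "delete"},
    # a.lee: routine enrollment from the corporate ASN, no mail tampering
    {"ts": "2026-05-12T09:00:00Z", "user": "a.lee", "type": "login.success", "asn": 64496},
    {"ts": "2026-05-12T09:01:30Z", "user": "a.lee", "type": "mfa.factor.enroll", "factor": "totp"},
    # m.kim: proxy login and new factor, no suppression seen (yet)
    {"ts": "2026-05-12T18:40:00Z", "user": "m.kim", "type": "login.success", "asn": 64513},
    {"ts": "2026-05-12T18:42:00Z", "user": "m.kim", "type": "mfa.factor.enroll", "factor": "push"},
    # r.ortiz: a delete rule with no MFA change is mail hygiene, not this playbook
    {"ts": "2026-05-12T11:00:00Z", "user": "r.ortiz", "type": "mail.rule.create",
     "match": "newsletter", "action": "delete"},
    # s.park: proxy login 2.5 hours before enrollment falls outside the window
    {"ts": "2026-05-12T06:00:00Z", "user": "s.park", "type": "login.success", "asn": 64512},
    {"ts": "2026-05-12T08:30:00Z", "user": "s.park", "type": "mfa.factor.enroll", "factor": "totp"},
]


def _parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _within(later: datetime, earlier: datetime, window: timedelta) -> bool:
    """True when `earlier` happened no more than `window` before `later`."""
    return timedelta(0) <= (later - earlier) <= window


def correlate(events, flagged_asns=FLAGGED_ASNS, window=WINDOW):
    """Anchor on each MFA enrollment and look for the surrounding stages per user.

    Returns one alert per enrollment with at least one corroborating stage:
      high   - proxy-ASN login before it AND a delete rule after it
      medium - exactly one of the two
    An enrollment on its own produces nothing; onboarding does that every day.
    """
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append({**e, "t": _parse_ts(e["ts"])})

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        for enroll in evs:
            if enroll["type"] != "mfa.factor.enroll":
                continue
            proxy_logins = [e for e in evs
                            if e["type"] == "login.success"
                            and e.get("asn") in flagged_asns
                            and _within(enroll["t"], e["t"], window)]
            suppression = [e for e in evs
                           if e["type"] == "mail.rule.create"
                           and e.get("action") == "delete"
                           and _within(e["t"], enroll["t"], window)]
            stages = [name for name, hits in (("proxy_login", proxy_logins),
                                              ("alert_suppression", suppression)) if hits]
            if not stages:
                continue
            alerts.append({
                "user": user,
                "severity": "high" if len(stages) == 2 else "medium",
                "enrolled": enroll["ts"],
                "stages": stages,
                "evidence": [e["ts"] for e in proxy_logins + [enroll] + suppression],
            })
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], a["stages"], a["evidence"])
```

The enrollment event is the anchor because it is the one step the attacker cannot skip if they want access that survives the stolen session; the proxy-ASN login and the mail rule are corroboration, and a medium alert on either one is worth a help-desk callback rather than an automatic lockout. Session-token theft does not produce a password-reset event, so keying on resets alone would miss this chain.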
The domain for BlackFile, Cordial Spider’s data-leak site, was offline as of Wednesday, according to Meyers.
CrowdStrike declined to put a range on the groups’ extortion demands, but Unit 42 previously said the demands made by Cordial Spider, which is also tracked as CL-CRI-1116 and UNC6671, are typically in the seven-figure range.
Some victims that didn’t pay extortion demands have been subjected to DDoS attacks, and Snarky Spider has used more aggressive follow-on harassment tactics, including the swatting of victim organizations’ employees, Meyers said.
CrowdStrike said Cordial and Snarky Spider also use residential proxy networks — including Mullvad, Oxylabs, NetNut, 9Proxy, Infatica and NSOCKS — to evade IP-based detection and blend in with typical traffic.
Residential proxy networks, which rely on IP addresses assigned to real home users, can serve a legitimate purpose, but researchers have been warning that unethical or outright criminal operators are abusing these networks to build and support botnets, cybercrime campaigns, espionage and other malicious activity.
Cordial and Snarky Spider haven’t achieved the impact or technical capability of Scattered Spider, but the groups share many commonalities and objectives, Meyers said.
“They’ve kind of taken their playbook and they’re using a lot of their techniques, but we haven’t really seen the technical sophistication demonstrated by them that we saw from Scattered Spider,” he said. “It’s kind of the new generation of Scattered Spider.”
The post Two new extortion crews are speedrunning the Scattered Spider playbook appeared first on CyberScoop.
BlackFile actively extorting data-theft victims in retail and hospitality sector
Researchers warn that BlackFile, an extortion group likely associated with The Com, continues to impersonate IT support in voice-phishing and social engineering attacks that have impacted organizations in multiple industries, including healthcare, technology, transportation, logistics, wholesale and retail.
Attackers have been actively targeting organizations in the retail and hospitality industry since February, according to Unit 42’s latest intelligence on the campaign, which the Retail & Hospitality Information Sharing and Analysis Center (RH-ISAC) released alongside indicators of compromise Thursday.
The threat group, which is also tracked as CL-CRI-1116, UNC6671 and Cordial Spider, appears to be targeting victims opportunistically in a campaign that remains active and ongoing, Matt Brady, senior principal researcher at Palo Alto Networks’ Unit 42, told CyberScoop.
“The core objective of these threat actors is to pressure targeted organizations into paying large ransom demands, typically in the seven-figure range,” Brady said.
Unit 42 declined to say how many organizations have been impacted thus far, and RH-ISAC did not respond to a request for comment.
BlackFile’s attacks against companies in the retail and hospitality sector are part of a broader wave of voice-phishing attacks initiated by multiple cybercrime groups, which Google Threat Intelligence Group and Okta warned about in January.
Unit 42 also noted that BlackFile’s activities overlap with an ongoing data theft and extortion campaign CrowdStrike has been tracking as Cordial Spider since at least October 2025.
Yet, the threat group’s tactics have been far from cordial. RH-ISAC said some attackers have swatted company personnel, including executives, to increase leverage and pressure victims to pay their ransom demands.
The threat group lures victims via voice-phishing attacks and phishing pages mimicking corporate single sign-on services to steal credentials before moving into privileged accounts.
“They scrape internal employee directories to obtain contact lists for executives,” RH-ISAC wrote in a blog post. “By compromising these senior accounts via further social engineering, they gain persistent, broad-spectrum access to the environment that mirrors legitimate executive session activity.”
The group’s unauthorized access and data theft for extortion activity spans SaaS environments, Microsoft Graph API permissions, Salesforce API access, internal repositories, SharePoint sites and datasets containing employees’ phone numbers and business records.
BlackFile also created a data-leak site to extort victims that it claims ignored or failed to agree to its demands, according to researchers.
Brady said Unit 42 has observed relatively consistent activity from the threat group since February.
RH-ISAC advises organizations to require multi-factor identity verification for callers and to limit the IT support actions that can be completed in a single call without escalation to management.
The post BlackFile actively extorting data-theft victims in retail and hospitality sector appeared first on CyberScoop.
SecurityWeek RSS Feed
US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator
US conducts sweeping crackdown on Southeast Asian cyberscam operations as part of what officials say is a “new theater of war”.
The post US Launches Sweeping Crackdown on Southeast Asia Cyberscams and Sanctions Cambodian Senator appeared first on SecurityWeek.
Tax documents for school employees potentially stolen across Los Angeles County
Personalized ads lead to identity fraud. Here’s how to stop them.
Researchers say credential-stealing campaign used AI to build evasion ‘at every stage’
A new malware-based credential-stealing campaign, which researchers are calling “DeepLoad,” has been infecting enterprise IT environments.
In a report released Monday, ReliaQuest AI researchers Thassanai McCabe and Andrew Currie say the most relevant feature of this attack is the way it uses artificial intelligence and other engineering “to defeat the controls most organizations rely on, turning one user action into persistent, credential-stealing access.”
DeepLoad is delivered to victims via “QuickFix” social-engineering techniques, such as fake browser prompts or error pages. Once a user falls for the lure, the malware relies on evasion of security technology that its developers, or more likely their AI tools, have built into the attack chain “at every stage.”
The loader “buries functional code under thousands of meaningless variable assignments,” and the payload runs behind a Windows lock screen process that is “overlooked by security tools” monitoring for threats. ReliaQuest said “the sheer volume” of code padding likely rules out human-only involvement.
“We assess with high confidence that AI was used to build this obfuscation layer,” McCabe and Currie write. “If so, organizations should expect frequent updates to the malware and less time to adapt detection coverage between waves.”
DeepLoad can steal credentials through real-time keylogging, and even when security teams block or remove the initial loader, it has fallback persistence mechanisms that let it return.
“In the incidents we investigated, the loader spread to connected USB drives, which means the initial host is unlikely to be the only impacted system,” McCabe and Currie wrote. “Even after cleanup, a hidden persistence mechanism not addressed by standard remediation workflows re-executed the attack three days later.”
ReliaQuest’s research offers more evidence that over the past year, some traditional static cybersecurity practices — such as searching for malware signatures or file-based patterns — may be fast becoming obsolete, as AI models can spin out endless variations of attack tooling with unique signatures.
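The padding described above defeats exact-match hashing and byte signatures, but it is cheap to undo before matching. The following Python example is added here and is not code from ReliaQuest or from the DeepLoad report: it builds two differently padded variants of a small benign stand-in payload, shows that their raw hashes differ, and recovers one stable hash by repeatedly stripping assignments whose targets are never read. The real loader's language and structure are not described on this page, so the stand-in payload, the padding generator and the Python-AST normalizer are constructed for the example; it is the normalization step one would run before file-based matching, not a replacement for the behavioral, runtime detection the researchers recommend.

```python
import ast
import hashlib
import random

# Benign, constructed stand-in for a loader body: decodes a short XOR-masked string.
PAYLOAD = '''
def run():
    key = 0x2a
    data = [69, 65]
    return bytes(b ^ key for b in data).decode()
'''


def pad(src: str, n_junk: int, seed: int) -> str:
    """Bury src under n_junk meaningless assignments (constructed padding generator).

    About half the junk chains on an earlier junk variable, so a single
    "never read" pass is not enough to remove all of it.
    """
    rng = random.Random(seed)
    names, junk = [], []
    for i in range(n_junk):
        name = f"_pad_{rng.randrange(10**6)}_{i}"
        if names and rng.random() < 0.5:
            rhs = f"{rng.choice(names)} + {rng.randrange(1000)}"
        else:
            rhs = str(rng.randrange(1000))
        junk.append(f"{name} = {rhs}")
        names.append(name)
    half = n_junk // 2
    return "\n".join(junk[:half]) + "\n" + src + "\n" + "\n".join(junk[half:]) + "\n"


def _is_pure(node: ast.AST) -> bool:
    """Only drop assignments whose right-hand side cannot have side effects."""
    if isinstance(node, (ast.Constant, ast.Name)):
        return True
    if isinstance(node, ast.BinOp):
        return _is_pure(node.left) and _is_pure(node.right)
    if isinstance(node, ast.UnaryOp):
        return _is_pure(node.operand)
    if isinstance(node, (ast.Tuple, ast.List)):
        return all(_is_pure(e) for e in node.elts)
    return False


class _DeadAssignStripper(ast.NodeTransformer):
    def __init__(self, read_names):
        self.read = read_names
        self.removed = 0

    def visit_Assign(self, node):
        # Drop `name = <pure expr>` when no Load of that name exists anywhere.
        if (all(isinstance(t, ast.Name) for t in node.targets)
                and all(t.id not in self.read for t in node.targets)
                and _is_pure(node.value)):
            self.removed += 1
            return None
        return node

    def visit_FunctionDef(self, node):
        self.generic_visit(node)
        if not node.body:  # keep the function syntactically valid
            node.body = [ast.Pass()]
        return node


def strip_dead_assignments(src: str) -> str:
    """Remove assignments to names never loaded, repeating until a fixpoint."""
    tree = ast.parse(src)
    while True:
        read = {n.id for n in ast.walk(tree)
                if isinstance(n, ast.Name) and isinstance(n.ctx, ast.Load)}
        stripper = _DeadAssignStripper(read)
        tree = stripper.visit(tree)
        if stripper.removed == 0:
            return ast.unparse(ast.fix_missing_locations(tree))


def raw_hash(src: str) -> str:
    return hashlib.sha256(src.encode()).hexdigest()


def normalized_hash(src: str) -> str:
    return raw_hash(strip_dead_assignments(src))


def run_payload(src: str) -> str:
    """Execute the benign, constructed sample and return what run() produces."""
    ns = {}
    exec(compile(src, "<sample>", "exec"), ns)
    return ns["run"]()


if __name__ == "__main__":
    a, b = pad(PAYLOAD, 2000, seed=1), pad(PAYLOAD, 3000, seed=2)
    print("raw hashes equal:       ", raw_hash(a) == raw_hash(b))
    print("normalized hashes equal:", normalized_hash(a) == normalized_hash(b))
    print("behaviour preserved:    ", run_payload(a) == run_payload(strip_dead_assignments(a)))
```

The fixpoint loop matters: an assignment that is read only by another dead assignment becomes dead once that one is removed, so a single pass leaves most of a chained padding layer in place. Real obfuscators also add dead branches, split strings and opaque predicates, each of which needs its own normalizer, and a generator that is cheaper to run than the normalizer is to write will keep winning that race, which is the researchers' point about favoring runtime behavior over file-based matching.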
Other organizations like Google and Anthropic have been sounding the alarm that AI-enhanced cyberattacks are dramatically shrinking the time defenders have to respond to a compromise.
At the RSA Conference in San Francisco this year, experts told CyberScoop that the next two years are set to be a “perfect storm” favoring AI-powered offense, with cybercriminals and nation-states more quickly adapting the technology to add greater speed and scale to their attacks than their defensive counterparts.
McCabe and Currie say the likely continued use of AI to frustrate static analysis monitoring means that defenders will need to shift focus to other indicators of compromise.
“Based on what we’ve observed, organizations must prioritize behavioral, runtime detection—not file-based scanning—to catch this campaign (and similar ones) early,” they wrote.
The post Researchers say credential-stealing campaign used AI to build evasion ‘at every stage’ appeared first on CyberScoop.
North Carolina tech worker found guilty of insider attack netting $2.5M ransom
A 27-year-old North Carolina man was found guilty of six counts of extortion for a series of crimes he committed while working as a data analyst contractor for a D.C.-based international technology company, the Justice Department said Thursday.
Cameron Nicholas Curry, also known as “Loot,” stole a trove of corporate data, including sensitive employee and compensation information, which he used to extort his employer, according to court records. Curry ultimately made off with approximately $2.5 million from the victim organization in January 2024.
The insider attack underscores the risk companies accept when employees, or contractors placed in roles by a third-party recruitment company, as Curry was, are given access to sensitive data from a company-owned laptop. Officials did not name the company.
Curry used his access to the company’s network to remove corporate data for extortion while he worked for the company between August and December 2023. Immediately following his last day of employment with the company, Curry started sending threatening emails to its employees and demanded a ransom in exchange for not leaking the data and for destroying it.
Officials said he sent more than 60 emails to various employees and executives over a six-week period, threatening to disclose the company’s payroll data, claiming it showed significant pay inequity across the workforce. In those emails, Curry framed the data theft extortion attack as an effort to implement salary transparency.
“Loot and our partners aim to ensure that everyone is being paid accordingly, providing employees with the leverage they deserve while also adhering to federal government regulations on protected acts,” Curry wrote in one of the emails, according to the indictment.
Curry included attachments with the emails containing screenshot images of spreadsheets listing the personally identifiable information of company employees. Officials said he also warned the company he would provide employees instructions on how to address pay discrimination through mediation, the Equal Employment Opportunity Commission or a class-action lawsuit.
Some of the extortion emails got personal, including a claim that one person on the legal team wasn’t getting a bonus while most employees in high-level positions did receive bonuses. Curry also threatened to report the breach to the Securities and Exchange Commission, citing rules that require public companies to disclose cyberattacks quickly.
The publicly traded company notified the FBI of the breach on Dec. 14, 2023 and paid Curry’s ransom demand almost a month later.
Multiple operational security mistakes helped authorities identify and build a case against Curry rather quickly. He used personal and verifiable data to establish a new Coinbase account, and two of the debit cards linked to the account Curry established to receive a ransom belonged to his mother and sister.
Authorities searched Curry’s apartment, digital devices and vehicle in Charlotte, North Carolina, just weeks after the ransom was paid. He was arrested and released on bond in late January 2024.
Officials said Curry initiated his extortion scheme after he learned his contract with the company wouldn’t be renewed. He faces up to 12 years in prison at sentencing.
The post North Carolina tech worker found guilty of insider attack netting $2.5M ransom appeared first on CyberScoop.
CyberScoop
Zero lessons learned: Convicted scammer allegedly ran another athlete-focused phishing scam from federal prison
Professional NBA and NFL athletes were allegedly deceived and victimized by a 34-year-old Georgia man’s sneaky social-engineering scheme that he ran while impersonating a well-known adult film star, the Justice Department said Monday.
Kwamaine Jerell Ford allegedly initiated and committed some of the crimes while incarcerated in federal prison for a similar, widespread phishing scam that also targeted college and professional athletes and musical artists starting in 2015.
“While serving time for stealing credit card numbers from athletes and celebrities to fund his lifestyle, Ford allegedly engaged in the same conduct again,” Theodore S. Hertzberg, U.S. attorney for the Northern District of Georgia, said in a statement.
The alleged repeat offender, while adopting the persona of an adult film model, tricked professional athletes into providing him their iCloud login credentials and multifactor authentication codes for those accounts to steal financial and personally identifiable information to pay for personal expenses.
Ford is accused of executing more than 2,000 unauthorized transactions on professional athletes’ debit and credit cards from November 2020 to September 2024, according to an unsealed indictment. He was in federal custody for the first 14 months of the conspiracy and released on probation for prior crimes in January 2022.
Prosecutors did not name victims, divulge how many athletes Ford allegedly victimized during his latest scheme, or how much money he obtained through the conspiracy.
He pleaded not guilty Friday to 22 charges for crimes including wire fraud, obtaining information by computer from a protected computer, access device fraud, aggravated identity theft and sex trafficking. Ford is being held without bail pending a trial.
Using the adult film model’s identity, Ford allegedly enticed his high-profile victims to communicate with him on social media by falsely claiming he would send them adult film content through iCloud.
When a professional athlete responded, Ford allegedly sent phishing messages to the victim designed to look like legitimate Apple customer service text messages. Officials said Ford spoofed legitimate Apple customer service accounts and posed as an Apple customer support representative to request victims’ login details via text messages.
Prosecutors said Ford told his victims the messages contained a video file shared through an iCloud link that required them to reply with an MFA code. Ford allegedly attempted to access his victims’ iCloud accounts at the same time, triggering an MFA code delivery to the victim’s device.
Professional athletes who provided their iCloud MFA codes to Ford were ultimately tricked into giving him complete access to their iCloud accounts, officials said. Ford allegedly used that access to steal sensitive data, driver’s licenses and credit card information that he used for personal spending.
Ford also, while impersonating the adult film star, allegedly victimized an OnlyFans model by claiming he would advance their career. Prosecutors said Ford enticed the OnlyFans model to engage in and record commercial sex acts with professional athletes without their consent.
“Ford clearly did not learn from his prior conviction for a similar scheme. This time, he allegedly escalated his criminal activity — stealing identities and money while also moving into coercion and sex trafficking,” Peter Ellis, acting special agent in charge at the FBI Atlanta office, said in a statement.
Ford allegedly advertised the victim to targeted athletes, coordinated their travel to coincide with athletes’ known locations, and negotiated payments from the athletes for sex with the victim. Prosecutors said Ford took a financial cut from those commercial sex acts, many of which the victim was coerced into filming without the athletes’ knowledge.
Ford is also accused of using these videos from the OnlyFans model to engage with additional athletes under false pretenses. When the OnlyFans model resisted filming the sex acts, Ford allegedly coerced them to send him money in lieu of the videos.
In 2019, Ford was sentenced to three years in prison and ordered to pay restitution of almost $700,000 after he pleaded guilty to computer fraud and aggravated identity theft. That scheme, which also ran for about four years, allowed Ford to hack into more than 100 Apple accounts belonging to high-profile professional athletes and rappers.
Ford was still in prison for those crimes when he allegedly established a new scheme targeting similar victims on some of the same technology platforms.
The post Zero lessons learned: Convicted scammer allegedly ran another athlete-focused phishing scam from federal prison appeared first on CyberScoop.
The ransomware economy is shifting toward straight-up data extortion
Ransomware remains a scourge that shows some signs of relenting, but incident responders and threat hunters are busier than ever as more financially motivated attackers lean exclusively on data theft for extortion.
Attacks that only involve data theft for extortion may not be more prevalent than traditional ransomware when attackers encrypt systems, but momentum is moving in that direction, Genevieve Stark, head of cybercrime intelligence at Google Threat Intelligence Group, told CyberScoop.
“When you look at the actors in the English-speaking underground, those actors are almost all just focusing on data-theft extortion right now,” Stark added. This includes groups like Scattered Spider, ShinyHunters, Clop and other groups that have been responsible for some of the largest and farthest-reaching attacks over the past few years.
Google Threat Intelligence Group’s research report on ransomware, which it shared exclusively and discussed with CyberScoop prior to release, underscores how the evolution and spread of cybercrime can cloud a collective understanding of ransomware, or attacks that use malware to encrypt or lock systems.
Ransomware attacks also often include data theft as an additional pressure point for extortion — occurring in 77% of ransomware intrusions Google observed last year, up from 57% in 2024 — but it’s not technically ransomware unless encryption is involved.
“Over the past several years we’ve seen a gradual increase in the overall percentage of directly observed financially motivated incidents that involved only data theft extortion incidents, growing from around 2% of incidents in 2020 to more than 15% of incidents in 2025,” said Bavi Sadayappan, senior threat intelligence analyst at GTIG.
“In the same time span, the percentage of incidents involving ransomware deployment has fluctuated. We’ve seen a decrease in ransomware incidents in the past year, with 39% of incidents involving ransomware in 2024 compared to 31% in 2025,” she added.
The company declined to say how many ransomware attacks it responded to in 2025. “We hesitate sharing the number of cases that we work on, in terms of a quantitative number, because it’s so difficult for everybody to agree on what constitutes one incident versus two,” said Chris Linklater, practice leader at Mandiant. “Anecdotally, we’re staying very busy.”
Stark acknowledged that significant challenges prevent the industry from developing a clear, comprehensive picture of ransomware’s true scale and impact. Insight is largely confined to what individual incident response firms see in their own cases, and what information is shared is typically provided case by case rather than in a centralized way.
“We’re not doing a great job as an industry in looking at the volume. I think that we’re overly dependent on things like the volume of data-leak sites, which have a lot of problems,” she said.
The increase in data extortion is likely driving an increase in these posts. At the same time, some threat clusters are making non-credible claims or recycling previous breaches and claiming them as their own work. “Data-leak sites as a measure is actually pretty poor, and I think that as an industry we’ve over-relied on that,” Stark said.
Yet, the data is still useful for gauging certain trends, such as shifts in targeting or an increase in alleged attacks on specific sectors or regions, researchers said.
For what it’s worth, Google said the number of posts on data leak sites jumped 48% from the year prior to 7,784 posts in 2025. Meanwhile, the number of unique data leak sites climbed almost 35% over the same period to 128 sites with at least one post.
Google’s report also focuses on the tactics and shifts it observed during its response to ransomware attacks last year, including the most common ways attackers broke into systems, the most prominent ransomware families and increased targeting of virtualization infrastructure.
Exploited vulnerabilities were the top initial access vector in ransomware attacks last year, accounting for a third of all incidents, followed by various forms of web compromise and stolen credentials. Attackers most commonly exploited vulnerabilities in widely used virtual private networks and firewalls from Fortinet, SonicWall, Palo Alto Networks and Citrix, researchers said.
Zach Riddle, principal threat intelligence analyst at GTIG, said this doesn’t reflect a growing trend as much as a recurring cycle of different initial access vectors, which rise and fall year to year for various reasons.
Google specifically called out 13 vulnerabilities, many disclosed years ago, ranking those defects among the top exploited vulnerabilities for ransomware attacks last year. Three of those vulnerabilities affect Fortinet products, followed by two from Microsoft, two from Veritas, and one each from SonicWall, Citrix, SAP, Palo Alto Networks, CrushFTP and Zoho.
Stolen credentials were the initial access point in 21% of ransomware intrusions last year, and attackers often used those credentials to authenticate to a victim’s VPN or Remote Desktop Protocol login, Google said in the report.
Attackers are also confronting more challenges in deploying ransomware once they break into victim networks. “We’re actually seeing a decrease in successful ransomware deployment,” Sadayappan said. Google observed a year-over-year decline from 54% in 2024 to 36% last year.
Another landmark change reflected in ransomware activity in 2025 involves increased targeting of virtualization infrastructure, such as VMware ESXi hypervisors. Attackers targeted these environments in 43% of ransomware intrusions last year, up from 29% in 2024.
“It lets the attacker hit a huge number of systems with a very small amount of effort,” Linklater said, adding that “it makes the investigation significantly harder to accomplish, because a lot more of the forensic evidence is lost when those hypervisors are attacked.”
The most prominent ransomware families in 2025 included Agenda, Redbike, Clop, Playcrypt, Safepay, Inc, RansomHub and Fireflame, according to Google. The most active ransomware brands last year included Qilin, Akira, Clop, Play, Safepay, Inc, Lynx, RansomHub, DragonForce and Sinobi.
The post The ransomware economy is shifting toward straight-up data extortion appeared first on CyberScoop.