Ransomware is a moving target, constantly changing its tactics, and our goal with this monthly Bitdefender Threat Debrief is to help you stay ahead of the curve. To do this, we combine information from openly available sources (OSINT) – things like news reports and research – with data we gather by analyzing Data Leak Portals (DLPs), websites where ransomware groups post details about their victims. It’s important to remember that we can't independently verify all of these claims, but we can feel quite confident in the trends we see over time.
For this month's report, we analyzed data from February 1 to February 28 and recorded a total of 962 victims claimed.
The February data revealed a grim milestone in ransomware history: a 126% increase in claimed victims year-over-year, jumping from 425 victims in February 2024 to 962 in February 2025. It is worse than that: by total number of claimed victims, this is the single worst month on record. Of those 962 victims, a staggering 335 were claimed by the Clop (Cl0p) group alone, a 300% jump over the previous month for this RaaS operation. That raises the question: what is behind this sudden spike?
The answer lies in a shift we've been warning about since 2022, but it's still catching many by surprise. Instead of focusing on specific companies or industries, some ransomware groups are becoming increasingly opportunistic by targeting newly discovered software vulnerabilities in edge network devices.
Here's how it works: Cybercriminals, regardless of whether they're financially motivated or state-affiliated, focus on finding vulnerabilities that meet certain criteria:
Within 24 hours of a vulnerability's public disclosure, threat actors launch automated scanners that sweep the internet and establish remote access to vulnerable systems. After this initial-access blitz, the second stage of the attack begins: the manual compromise of selected victims. This second stage takes time. Attackers need to work out which footholds are worth their effort, and then they have to hand-hack their way deeper into those networks, typically using Living Off the Land techniques to evade detection. Because of this delay, the actual ransomware deployment or data theft typically happens weeks or even months after the threat actors gain initial access.
This diagram from our ransomware whitepaper breaks down the typical attack flow.
In Cl0p's case, our analysis points to exploitation of two recent vulnerabilities in Cleo file transfer software, CVE-2024-50623 and CVE-2024-55956. Both are rated 9.8 out of 10 in severity and allow attackers to run commands on vulnerable systems. Even though these vulnerabilities were disclosed in October and December 2024, the manual stage of the attack is what takes time, which explains why the spike in claimed victims is only showing up now.
Here are a few key defenses that can make a significant difference:
For a comprehensive understanding of the current ransomware playbook, including how these attacks are executed and, crucially, how to defend against them, please read our whitepaper on how to stop ransomware.
Now, let’s explore other notable news and findings since our last Threat Debrief release.
A chatbot aids researchers in examining Black Basta operations: Following the leak of more than one million Black Basta chats, a cybersecurity firm developed a chatbot named BlackBastaGPT. The tool allows researchers to parse the Black Basta chats, cutting down the burden that comes with manual searches and indexing. Highlights uncovered by analyses with this tool include records showing Black Basta’s profits, the group’s use of deepfakes, references to more than 60 CVEs, and the group’s struggle to keep infighting at bay.
One quote that really stood out to us came from "gg" who is the leader of the Black Basta group: "If we use standard utilities, we won't be detected...we never drop tools on machines." This statement perfectly highlights a core component of modern ransomware attacks that we've been discussing for some time now: the living off the land technique. Read our tech explainer on this in TechZone.
CISA publishes a joint advisory on Ghost ransomware: Ghost (also tracked as Cring) is a China-based ransomware group that emerged in 2021 and gains access by exploiting vulnerabilities in internet-exposed software and applications, notably CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 (the Microsoft Exchange ProxyShell chain). CISA reports that the threat actor relies on well-known tooling such as PowerShell scripts, Cobalt Strike, and network-share and domain-controller enumeration utilities. The ransomware can encrypt specific files and directories or a whole storage volume; it also clears Windows Event logs and disrupts the Volume Shadow Copy service. To reduce the risk of a Ghost ransomware attack, organizations are advised to prioritize the following controls: patch the affected software, enforce network segmentation, maintain scheduled backups, and enforce phishing-resistant MFA.
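Two of the Ghost behaviours above, clearing Windows Event logs and killing Volume Shadow Copies, leave a clear trace in process-creation telemetry, and the same commands recur across most ransomware families. The script below is an added example written for this debrief, not code from CISA or from the advisory: it runs a small set of command-line rules over constructed Sysmon-style process events. The hostnames, user names and command lines are made up for illustration; the rules key on the verb (`delete shadows`, `cl`) rather than the binary, so a backup job listing shadow copies or an admin querying a log does not alert.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 shape)."""
    host: str
    user: str
    image: str
    command_line: str


# Constructed sample telemetry, not real logs. Three records show the
# inhibit-recovery and log-clearing behaviours the Ghost advisory describes;
# the other two are benign look-alikes that a rule keyed only on the binary
# name would wrongly flag.
SAMPLE_EVENTS = [
    ProcessEvent("FS01", "CORP\\svc_backup", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe list shadows"),
    ProcessEvent("FS01", "CORP\\admin", r"C:\Windows\System32\vssadmin.exe",
                 "vssadmin.exe  Delete   Shadows /All /Quiet"),
    ProcessEvent("FS01", "CORP\\admin", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe cl Security"),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Windows\System32\wbem\WMIC.exe",
                 "wmic shadowcopy delete /nointeractive"),
    ProcessEvent("WS17", "CORP\\jdoe", r"C:\Windows\System32\wevtutil.exe",
                 "wevtutil.exe qe Security /c:5 /rd:true"),
]

# Each rule is anchored on the destructive verb, case-insensitively, and tolerates
# the optional .exe suffix and arbitrary spacing between arguments.
RULES = {
    "shadow_copies_deleted_vssadmin":
        re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "shadow_storage_resized_vssadmin":
        re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "shadow_copies_deleted_wmic":
        re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "event_log_cleared_wevtutil":
        re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I),
    "event_log_cleared_powershell":
        re.compile(r"\bClear-EventLog\b", re.I),
}


def normalize(command_line: str) -> str:
    """Collapse repeated whitespace so padding between arguments cannot dodge a rule."""
    return " ".join(command_line.split())


def match_rules(event: ProcessEvent) -> list[str]:
    """Names of every rule the event's command line triggers (empty if benign)."""
    cmd = normalize(event.command_line)
    return [name for name, rx in RULES.items() if rx.search(cmd)]


def detect(events) -> list[tuple[str, str, str]]:
    """Return (host, rule, normalized command line) for every matching event."""
    return [(ev.host, rule, normalize(ev.command_line))
            for ev in events for rule in match_rules(ev)]


if __name__ == "__main__":
    for host, rule, cmd in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}: {cmd}")
```

Because these are living-off-the-land binaries, the alert should be correlated with context (parent process, account, time of day) rather than blocked outright; a scheduled backup service account resizing shadow storage is routine, the same command from an interactive domain admin session on a file server at 03:00 is not.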
RA World tools are traced back to Chinese threat actors: RA World attacks, which execute their malware through DLL sideloading, feature toolsets associated with Mustang Panda and other Chinese threat actors. The same tools have been used in cyber espionage campaigns, lending support to earlier predictions that APT and RaaS operations would blend together.
Akira compromises a webcam to bypass defenses: Akira uses multiple techniques to execute its ransomware and has developed dedicated tools, including encryptors built for different operating systems. In this incident, Akira initially entered the victim's network through an insecure remote access application, ran AnyDesk to exfiltrate victim data, and used RDP for lateral movement before attempting to execute the ransomware.
That approach was not viable: the EDR agent installed on most of the victim's systems detected the ransomware and isolated it, so Akira looked for an alternative. After regaining access to a server via RDP, the group placed an archive containing the ransomware on the server, then scanned the network and found a webcam. The webcam was an ideal pivot: it had flaws that allowed remote shell access, it ran a Linux OS compatible with Akira's Linux encryptor, and it was not monitored by any control that would raise an alert. From the webcam, Akira mounted the victim's network shares over SMB and ran the encryptor against them, encrypting files across the network from a device the EDR could not see.
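The lesson of the webcam case is that endpoint telemetry has a blind spot by construction: the encryption ran on a device that could not carry an agent, so the only place it was visible was the file server receiving the SMB traffic. The script below is an added example written for this debrief, not code from Akira's toolset or from the incident report: it takes Windows Security Event 5145 style records (detailed file-share auditing, which logs the client's source address and access mask), drops sources that appear in an assumed EDR asset inventory, and flags any unmanaged source that writes or deletes many distinct files within a short window. All IPs, account names, shares and timestamps are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Access-mask bits as logged in Security Event 5145 (detailed file-share auditing).
WRITE_DATA = 0x2        # WriteData / AddFile
APPEND_DATA = 0x4       # AppendData / AddSubdirectory
DELETE = 0x10000        # DELETE
DESTRUCTIVE = WRITE_DATA | APPEND_DATA | DELETE

# Assumed asset inventory: IPs of hosts that carry an EDR agent. An IoT device
# such as the webcam in the Akira case would never appear here, which is the point.
MANAGED_HOSTS = {"10.0.10.15", "10.0.10.16", "10.0.20.5"}


def _rec(base, offset_s, source_ip, account, share, target, mask):
    """Build one constructed 5145-style record (not real telemetry)."""
    return {"ts": base + timedelta(seconds=offset_s), "source_ip": source_ip,
            "account": account, "share": share, "target": target, "access_mask": mask}


def build_sample():
    """Constructed sample: one managed editor, one unmanaged reader, one unmanaged encryptor."""
    base = datetime(2025, 2, 10, 3, 14, 0)
    events = []
    # Managed workstation editing a few spreadsheets over several minutes: normal.
    for i in range(3):
        events.append(_rec(base, i * 90, "10.0.10.15", "CORP\\jdoe",
                           "\\\\*\\Finance", f"\\budgets\\q1_{i}.xlsx", "0x2"))
    # Unmanaged printer reading a config file: unmanaged, but read-only access.
    events.append(_rec(base, 5, "10.0.40.9", "CORP\\svc_print", "\\\\*\\IT",
                       "\\printers\\config.ini", "0x1"))
    # Unmanaged device (the webcam) rewriting 40 files in under 20 seconds.
    for i in range(40):
        events.append(_rec(base, 30 + i * 0.5, "10.0.40.23", "CORP\\fsadmin",
                           "\\\\*\\Finance", f"\\budgets\\archive_{i:02d}.xlsx", "0x2"))
    return events


def flag_unmanaged_smb_writers(events, managed_hosts, window=timedelta(seconds=60),
                               min_files=10):
    """Return {source_ip: peak number of distinct files written or deleted inside
    `window`} for every source that is not in the EDR inventory and reaches `min_files`."""
    by_source = defaultdict(list)
    for ev in events:
        if ev["source_ip"] in managed_hosts:
            continue                      # endpoint telemetry already covers these
        if int(ev["access_mask"], 16) & DESTRUCTIVE:
            by_source[ev["source_ip"]].append((ev["ts"], ev["share"] + ev["target"]))

    flagged = {}
    for ip, recs in by_source.items():
        recs.sort()
        peak, start = 0, 0
        for end in range(len(recs)):
            # Slide the window start forward until it spans at most `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            peak = max(peak, len({path for _, path in recs[start:end + 1]}))
        if peak >= min_files:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, n in flag_unmanaged_smb_writers(build_sample(), MANAGED_HOSTS).items():
        print(f"ALERT unmanaged SMB writer {ip}: {n} distinct files in 60s")
```

Event 5145 must be enabled through the "Audit Detailed File Share" policy on the file server and is noisy, so the inventory join is what makes it usable: the managed workstation's slow edits never reach the threshold, the printer only reads, and the one source that both lacks an agent and rewrites dozens of files in seconds is the webcam. A network-layer equivalent (SMB flow records or a NetFlow export from the switch) would serve the same purpose where share auditing is not available.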
FunkSec releases a new tool: FunkSec is a ransomware group that has caught the attention of the cybersecurity community through its rapid growth, use of AI, and expanding partnerships. The group recently announced a tool called Wolfer, an infostealer. Once dropped on a victim's machine, it is driven by commands entered at the Command Prompt. Wolfer reports details about the target to a Telegram bot, including system information, network connections, running processes, installed software, and Wi-Fi passwords.
Cactus is identified as a group linked to Black Basta: Researchers found that Cactus uses tactics similar to Black Basta in its ransomware campaigns, including social engineering that abuses Quick Assist and Teams, and the BackConnect (BC) module. Cactus uses the BC module, QBackConnect, to maintain persistence and perform reconnaissance; the module shares characteristics with the QakBot loader.
New ransomware groups emerge: Anubis and Run Some Wares are two of several groups that were recently discovered. Both groups employ double extortion tactics and have their own data leak sites.
Bitdefender's Threat Debrief analyzes data from ransomware leak sites, where attacker groups publicize their claimed number of compromised companies. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers' self-proclaimed success, the information comes directly from criminals and might be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks.
Ransomware gangs prioritize targets where they can potentially squeeze the most money out of their victims. This often means focusing on developed countries. Now, let’s see the top 10 countries that took the biggest hit from these attacks.
The Bitdefender Threat Debrief is a monthly series analyzing threat news, trends, and research from the previous month. Don’t miss the next Threat Debrief release, subscribe to the Business Insights blog, and follow us on Twitter. You can find all previous debriefs here.
Bitdefender provides cybersecurity solutions and advanced threat protection to hundreds of millions of endpoints worldwide. More than 180 technology brands have licensed and added Bitdefender technology to their product or service offerings. This vast OEM ecosystem complements telemetry data already collected from our business and consumer solutions. To give you some idea of the scale, Bitdefender Labs discover 400+ new threats each minute and validates 30 billion threat queries daily. This gives us one of the industry’s most extensive real-time views of the evolving threat landscape.
We would like to thank Bitdefenders Vlad Craciun, Mihai Leonte, Gabriel Macovei, Andrei Mogage, and Rares Radu for their help putting this Threat Debrief together.
Jade Brown is a threat researcher at Bitdefender. A cybersecurity thought leader who is passionate about contributing to operations that involve cybersecurity strategy and threat research, she also has extensive experience in intelligence analysis and investigation.