Drakontas LLC

Drakontas LLC Vendor Cyber Rating & Cyber Score

drakontas.com

Drakontas is a leading provider of collaboration software solutions and training programs to Federal, state, and local governments, serving the defense, law enforcement, criminal justice, and transportation communities. Our core product is called DragonForce, a command and control (C2) and shared situational awareness application that empowers teams to share information in real time on web browsers, smartphones, tablets and MDCs: instant messaging, personnel tracking on maps, collaborative whiteboards and situation reports (images, maps, floor plans and diagrams can be used as collaborative whiteboards for mission planning and operations), online file storage, and after-action reporting. DragonForce gives teams a common operating


Drakontas LLC A.I CyberSecurity Scoring

Drakontas LLC
Company Information
Website: http://www.drakontas.com
Employees number: 8
Number of followers: 439
NAICS: 92219
Industry Type: Public Safety
Homepage: drakontas.com
Drakontas LLC Risk Score (AI oriented)
Between 0 and 549
Drakontas LLC (Public Safety)
Updated:
17/05/2026
100/1000
Critical
C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
Drakontas LLC Global Score (TPRM)

Drakontas LLC
Drakontas LLC: Critical
Current Score
100C (CRITICAL)
11 incidents
0 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100 (Before Incident)
MAY 2026
100 (Before Incident)
APRIL 2026
100 (Before Incident)
MARCH 2026
100 (Before Incident)
Ransomware
20 Mar 2026, Drakontas LLC
RansomHouse, DragonForce and MedusaLocker: Ransomware Actors Expand EDR Killer Tactics Beyond Vulnerable Drivers

Ransomware Attackers Evolve Tactics to Disable Endpoint Security

100 (After Incident)
CRITICAL (change: 0)
PLUUNIDRA1774009537
Ransomware Attackers Evolve Tactics to Disable Endpoint Security

Ransomware operators have expanded their methods to bypass endpoint security, moving beyond the traditional Bring Your Own Vulnerable Driver (BYOVD) technique. While BYOVD remains in use (54 tools exploiting 35 vulnerable drivers), attackers now employ script-based tools, misuse legitimate anti-rootkit software, and deploy fully driverless techniques to neutralize security defenses before encryption. This shift prioritizes reliability: ransomware affiliates aim to disable Endpoint Detection and Response (EDR) systems quickly rather than to evade detection. Research from ESET, based on telemetry and incident investigations, identified nearly 90 active EDR killers used by major ransomware groups, including Akira, Medusa, Qilin, RansomHouse, and DragonForce. Many of these tools are commercially traded in underground marketplaces, reflecting a mature, profit-driven ecosystem.

Among the most prevalent tools are AbyssKiller, which combines the ABYSSWORKER rootkit with a HeartCrypt-packed loader, and CardSpaceKiller, frequently used by Akira, Medusa, and MedusaLocker. These tools leverage obfuscation techniques such as VX Crypt and VMProtect to evade detection, while others, like SmilingKiller, use control-flow flattening to complicate analysis. Some groups, like Warlock, deploy multiple EDR killers in succession, with recent samples showing signs of AI-assisted code generation. Attackers often separate the EDR killer from its driver, manually installing the driver first to ensure functionality before executing the payload. This division of labor makes defense evasion more accessible, even to less skilled threat actors. Disabling security tools, rather than making encryptors stealthy, has become the primary method for ensuring successful ransomware execution.

The impact is severe: victims face attacks where security measures are rendered ineffective before encryption begins. While driver blocking remains a necessary defense, organizations must also monitor for suspicious driver installations, enforce least-privilege access, and maintain strong endpoint telemetry to mitigate these evolving threats.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain (ransomware execution, data encryption)
IMPACT
Systems Affected: Endpoint Detection and Response (EDR) systems, victim endpoints; Operational Impact: Security measures disabled before encryption, increased attack success rate
DATA BREACH
Data Encryption: Yes (ransomware encryption)
MARCH 2026
100 (Before Incident)
Ransomware
01 Mar 2026, Drakontas LLC
DragonForce, Shamir Medical Center and RansomHouse: State-backed ransomware activity raises new concerns over escalating threats to OT, critical infrastructure operations

Ransomware as a Geopolitical Weapon: Nation-State Exploitation of Cybercrime for Strategic Coercion

100 (After Incident)
CRITICAL (change: 0)
DRAUNISHA1779027889
Ransomware as a Geopolitical Weapon: How Nation-States Exploit Cybercrime for Strategic Coercion

Ransomware is no longer just a tool for financial extortion; it has become a key instrument in geopolitical cyber warfare, enabling nation-states to disrupt adversaries while maintaining plausible deniability. Criminal groups, hacktivists, and state-aligned actors are increasingly converging, sharing infrastructure, tactics, and even strategic objectives to amplify the impact of cyber operations.

### Iran’s Hybrid Cyber Warfare Model

Iran has emerged as a leading practitioner of this approach, blending cybercrime, espionage, and industrial sabotage. Recent investigations reveal how pro-Iran hackers have targeted critical wheat reserves, demonstrating how cyberattacks can directly threaten food security. A 2026 Trellix assessment highlighted Iran’s growing sophistication, including the use of ransomware-style operations that blur the line between state-directed campaigns and criminal activity. Meanwhile, Iranian-linked actors have targeted internet-connected cameras across the Middle East, synchronizing cyber operations with physical conflict.

Ransomware’s role in the U.S.-Israel-Iran conflict has evolved significantly since 2020, when it was first used as cover for destructive or coercive activity. By 2023, it became a clear tool of strategic pressure, particularly after October 2023, when attacks increasingly intersected with critical infrastructure targeting. Groups like Handala Hack (TAT26-14) and DragonForce have conducted extortion campaigns against energy, healthcare, and manufacturing sectors, often leveraging ransomware-as-a-service (RaaS) models to obscure attribution.

### Blurring Lines Between Cybercrime and State Operations

Iranian state actors frequently collaborate with criminal ransomware groups, using them as proxies to conduct attacks while maintaining deniability. The Pay2Key campaign, for example, aligned with geopolitical timelines, while groups like NoEscape, RansomHouse, and ALPHV/BlackCat have been linked to Iranian-backed access brokers. Unlike U.S. or Israeli cyber operations, which typically adhere to formal military or intelligence channels, Iran’s approach resembles irregular warfare, relying on proxies, criminal markets, and ambiguity to evade clear attribution. Despite the surge in ransomware activity, confirmed cases of direct operational technology (OT) disruption remain rare. Instead, the primary risk stems from enterprise-level compromises that indirectly affect industrial continuity, visibility, and recovery.

### Targeting Trends and Strategic Intent

The most exposed sectors include water and wastewater, energy, fuel systems, transportation, manufacturing, government services, and healthcare. Within OT environments, attackers focus on internet-facing PLCs, HMIs, remote access pathways, and engineering workstations, particularly at the Level 0/1 boundary where sensors and actuators lack authentication or logging. The strategic intent is clear: coercive disruption, with the ability to manipulate physical processes while minimizing detectable network evidence.

### The Challenge of Attribution

Distinguishing between state-directed campaigns and opportunistic cybercrime has grown increasingly difficult. Threat intelligence teams rely on pattern-based attribution, analyzing capability thresholds, infrastructure overlap, geopolitical timing, and victim selection. However, shared tooling, access brokers, and RaaS models allow different actors to operate on the same infrastructure, complicating attribution. Cases like the Shamir Medical Center attack, initially attributed to Eastern European ransomware but later linked to Iran, highlight the ambiguity.

### Defensive Shifts: From Prevention to Resilience

Industrial operators in the U.S. and Israel are adapting by prioritizing resilience over prevention. Key measures include:

- Disconnecting internet-facing PLCs and tightening remote access controls.
- Improving IT-OT segmentation and treating CISA advisories as operational baselines.
- Enhancing recovery capabilities, particularly for OT systems where traditional IT restoration methods fall short.

Governments are providing guidance, such as CISA’s Cybersecurity Performance Goals (CPGs), but regulatory frameworks struggle to keep pace with conflict-driven cyber threats. While intelligence sharing has improved, operators often find it insufficiently actionable for real-time defense. As ransomware continues to evolve from a criminal enterprise into a geopolitical weapon, the distinction between cybercrime and state-sponsored warfare will only grow more blurred, leaving critical infrastructure in the crosshairs of hybrid conflict.
INCIDENT DETAILS -
TYPE
Ransomware, Cyber Espionage, Industrial Sabotage
MOTIVATION
Geopolitical coercion; Strategic disruption; Plausible deniability; Hybrid warfare
IMPACT
Water and wastewater systems; Energy sectors; Fuel systems; Transportation; Manufacturing; Government services; Healthcare; Industrial control systems (ICS); Operational Impact: Indirect disruption of industrial continuity, visibility, and recovery
DATA BREACH
Data Encryption: Ransomware encryption in some cases
FEBRUARY 2026
100 (Before Incident)
Ransomware
18 Feb 2026, Drakontas LLC
Sinobi, IncRansom, Dragonforce and Play: Ransomware victims hit record high in 2025

Ransomware Surge in 2025: Record Victims and Evolving Threat Landscape

100 (After Incident)
CRITICAL (change: 0)
DARPLADRARIS1771964509
Ransomware Surge in 2025: Record Victims and Evolving Threat Landscape

Ransomware attacks reached new heights in 2025, with extortion groups publicly naming 7,458 victims on dark web leak sites, a 30% increase from 2024, according to research by Searchlight Cyber. The report, cited by Security Brief United Kingdom, identified 124 active ransomware gangs, including 73 new groups, reflecting a fragmented but resilient criminal ecosystem where attackers frequently rebrand, splinter, or collaborate to evade law enforcement. Qilin emerged as the most prolific group in the second half of 2025, listing 697 victims, followed by Akira, IncRansom, Sinobi, and Play. Qilin’s surge was partly attributed to a coalition with Dragonforce and LockBit, demonstrating the growing trend of gang alliances. The report also noted the rise of "supergroups" like Scattered Lapsus$ Hunters, which consolidate smaller operations for greater impact. Beyond traditional tactics, attackers are increasingly leveraging AI to automate and refine attacks, while supply chain vulnerabilities remain a persistent weak point. Luke Donovan, Searchlight Cyber’s Head of Threat Intelligence, emphasized that arrests alone are insufficient to curb the threat, underscoring the need for organizations to enhance proactive exposure management and visibility to mitigate risks.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Extortion
IMPACT
Data Compromised: 7,458 victims publicly named on dark web leak sites
DATA BREACH
Number Of Records Exposed: 7,458
JANUARY 2026
100 (Before Incident)
Cyber Attack
28 Jan 2026, Drakontas LLC
DragonForce and RAMP: Ransomware crims forced to take off-RAMP as FBI seizes forum

FBI Seizes RAMP, a Key Hub for Ransomware and Cybercrime Operations

100 (After Incident)
HIGH (change: 0)
RAMDRA1769640190
FBI Seizes RAMP, a Key Hub for Ransomware and Cybercrime Operations

US law enforcement has dismantled RAMP (Russian Anonymous Marketplace), a prominent dark web and clearnet forum used by ransomware-as-a-service (RaaS) gangs, extortionists, and initial access brokers. The FBI, in coordination with the US Attorney’s Office for the Southern District of Florida and the DOJ’s Computer Crime and Intellectual Property Section, seized the forum’s domains, replacing them with a seizure notice and a mocking banner, "The Only Place Ransomware Allowed!", complete with an image of Masha, a character from a Russian children’s cartoon. DNS records confirm the takedown, and an alleged operator, "Stallman", acknowledged the seizure in a post on the XSS hacking forum. While expressing frustration over the loss of years of work, Stallman stated that his core business, selling compromised network access, remains intact, though he ruled out rebuilding the forum. Despite the disruption, experts warn that cybercriminals will likely migrate to other underground platforms, such as Rehub, where groups like Nova and DragonForce are reportedly relocating. Tammy Harper, a senior threat intelligence researcher at Flare, noted that while takedowns don’t eliminate the ecosystem, they create temporary chaos, exposing threat actors to risks like reputation loss, escrow failures, and infiltration during the transition. The seizure also presents an opportunity for defenders to gather intelligence on affiliate networks, financial ties, and operational security weaknesses before criminals regroup. However, as with past takedowns, the cybercrime underground is expected to adapt quickly.
INCIDENT DETAILS -
TYPE
Takedown
MOTIVATION
Financial gain; Cybercrime facilitation
IMPACT
RAMP forum domains; Operational Impact: Disruption of cybercriminal operations and forums
DECEMBER 2025
100 (Before Incident)
NOVEMBER 2025
100 (Before Incident)
OCTOBER 2025
100 (Before Incident)
SEPTEMBER 2025
100 (Before Incident)
AUGUST 2025
100 (Before Incident)
JULY 2025
100 (Before Incident)
Ransomware
01 Jul 2025, Drakontas LLC
DragonForce and RansomHub: The “Godfather” of Ransomware Gangs Calls for Cooperation and Coordination

Ransomware Gangs Shift to Cartel-Like Operations, Led by DragonForce

100 (After Incident)
CRITICAL (change: 0)
FLADRA1770281021
Ransomware Gangs Shift to Cartel-Like Operations, Led by DragonForce

The global ransomware landscape is undergoing a major transformation as cybercriminal groups adopt a cartel-like model, prioritizing collaboration over competition to strengthen attacks and ensure long-term survival. At the forefront of this shift is DragonForce, a ransomware group that emerged in 2023 and is now evolving into a highly organized criminal enterprise. Research by LevelBlue, a Texas-based cybersecurity firm, reveals that DragonForce is actively recruiting affiliates by offering extensive infrastructure and operational support. Rather than operating as a traditional ransomware gang, the group positions itself as a service provider, lowering the technical barrier for newcomers while expanding its reach. Affiliates retain independence in developing and deploying ransomware but must share a portion of profits with DragonForce in exchange for access to petabytes of data storage, server monitoring, decryption tools, and attack testing environments.

Beyond basic ransomware-as-a-service (RaaS) offerings, DragonForce provides data audit services, allowing affiliates to assess the financial value of stolen data before launching double-extortion attacks, which threaten both encryption and public leaks. This model enhances the efficiency and profitability of cybercrime operations. Recent intelligence, including a July 2025 report by Check Point Research, places DragonForce among the top ransomware groups, trailing only Akira and Qilin. The group has also engaged in aggressive tactics against rivals, including website defacements and member poaching, earning a reputation as both dominant and predatory. Some observers have dubbed DragonForce the "Godfather" of ransomware gangs, a title reinforced after rival group RansomHub accused it of collaborating with Russia’s FSB to suppress competition, a claim that highlights the blurred lines between cybercrime and geopolitics.

As ransomware operations grow more centralized and sophisticated, international law enforcement agencies, including those in the U.S., U.K., Italy, Germany, and Australia, are facing increased pressure to dismantle these emerging cybercrime cartels before they solidify into an even more entrenched threat.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain; Geopolitical influence
DATA BREACH
Stolen data for extortion; Sensitive corporate data; Sensitivity Of Data: High
JUNE 2025
285 (Before Incident)
Ransomware
09 Jun 2025, Drakontas LLC
DragonForce: DragonForce victimization on the rise, report finds

DragonForce Ransomware Gang Compromises Over 120 Organizations Worldwide

100 (After Incident)
CRITICAL (change: -185)
DRA1766628480
DragonForce Ransomware Gang Expands Operations, Targets 120+ Organizations Worldwide

The DragonForce ransomware gang has compromised over 120 organizations globally in the past year, evolving from a ransomware-as-a-service (RaaS) model into a full-fledged ransomware cartel. According to a report by Bitdefender, the group gains initial access through phishing, credential stuffing, and the exploitation of critical vulnerabilities, including CVE-2024-21412, CVE-2024-21887, and CVE-2024-21893. Once inside networks, DragonForce employs living-off-the-land (LotL) techniques to maintain persistence and move laterally, evading detection. In one high-profile intrusion last year, the group demanded a $7 million ransom, underscoring its financial motivations. Beyond its own operations, DragonForce has aggressively expanded its influence by partnering with other RaaS groups and attempting to take over rival operations, including LockBit and RansomHub. The gang has vandalized competitors’ data leak sites and targeted their attack infrastructure in a bid to dominate the ransomware landscape. These tactics signal a shift toward consolidation and heightened competition among cybercriminal syndicates.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial Gain, Dominance in Ransomware Threat Landscape
DATA BREACH
Data Encryption: Yes
FEBRUARY 2025
479 (Before Incident)
Ransomware
27 Feb 2025, Drakontas LLC
DragonForce: DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen

DragonForce Ransomware Strikes Saudi Arabia, Exfiltrates 6TB of Sensitive Data

239 (After Incident)
CRITICAL (change: -240)
DRA1770324776
DragonForce Ransomware Strikes Saudi Arabia, Exfiltrates 6TB of Sensitive Data

A recent ransomware attack by the DragonForce group has targeted a prominent real estate and construction firm in Riyadh, Saudi Arabia, resulting in the theft of over 6TB of sensitive data. The breach was first announced by the threat actors on February 14, 2025, with a ransom deadline set for February 27, just ahead of Ramadan. After the deadline passed, DragonForce published the stolen data on a dedicated leak site (DLS), separate from its primary platform. The group employs advanced CAPTCHA mechanisms to evade automated tracking by cybersecurity firms, complicating monitoring efforts.

Operating under a Ransomware-as-a-Service (RaaS) model, DragonForce has expanded its affiliate network, offering tools and resources to cybercriminals in exchange for a share of ransom payments. Affiliates are recruited via the RAMP underground forum, with commissions reaching up to 80%, one of the highest rates in the cybercrime market. Communication occurs through TOR-based instant messaging (TOX), and affiliates must demonstrate network access to qualify. The group provides additional support, including "call services" for victim intimidation, NTLM/Kerberos hash decryption tools, and a customizable ransomware builder for tailored attacks. DragonForce also employs dual extortion tactics, encrypting data while threatening public leaks if demands are unmet. In some cases, they release audio recordings of ransom negotiations to pressure victims further. Initial access is often gained through phishing, RDP, and VPN vulnerabilities, with the Middle East emerging as a prime target due to wealthy organizations, cybersecurity gaps, and geopolitical factors. Since its emergence in December 2023, DragonForce has evolved its tactics, leveraging TOR-based communications, secure Bitcoin payments, and sophisticated encryption methods.

The attack on Saudi Arabia underscores the growing threat of ransomware in the region, particularly as groups like DragonForce refine their operations to maximize impact.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain; Data exfiltration
IMPACT
Data Compromised: 6TB; Brand Reputation Impact: High; Identity Theft Risk: High
DATA BREACH
Type Of Data Compromised: Sensitive data; Sensitivity Of Data: High; Data Exfiltration: Yes; Data Encryption: Yes; Personally Identifiable Information: Likely
JANUARY 2025
470 (Before Incident)
Vulnerability
01 Jan 2025, Drakontas LLC
SonicWall, DragonForce, Fortinet, Cl0p and Play: Europol IOCTA 2026 report flags shift to industrialised cybercrime powered by AI, ransomware and data theft

Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape

465 (After Incident)
CRITICAL (change: -5)
PHISONFORDRARAV1777458596
Europol’s IOCTA 2026 Report: Ransomware, AI, and Hybrid Threats Reshape Cybercrime Landscape

Europol’s latest Internet Organised Crime Threat Assessment (IOCTA) 2026 reveals a rapidly evolving cybercrime ecosystem, marked by professionalized ransomware operations, the exploitation of AI, and deepening ties between cybercriminals and hybrid threat actors. The report, covering trends from 2025, highlights a shift in extortion tactics, the rise of ransomware-as-a-service (RaaS), and the growing intersection of cybercrime with broader criminal networks.

### Ransomware Dominates, Tactics Evolve

Ransomware remains the EU’s most pervasive cyber threat, with over 120 active brands observed in 2025. Attackers are moving away from traditional data encryption, instead favoring pure data theft and extortion, leveraging psychological pressure tactics such as DDoS attacks, corporate email spamming, and cold-calling victims. The report notes that enterprises are often less prepared for data leaks than encryption, making this shift particularly effective.

The RaaS model has lowered the barrier to entry, enabling even low-skilled actors to launch attacks using bundled toolkits. These platforms now offer integrated services, including botnets for payload delivery, data exfiltration infrastructure, machine learning support, and ransom negotiation tools. Operators take a cut of each payment, incentivizing the development of streamlined, all-in-one offerings.

Key ransomware groups in 2025 include:

- Qilin: A dominant player with ties to the defunct Conti group, offering high affiliate payouts (up to 85%) and automated exploitation of Fortinet SSL VPN vulnerabilities.
- Akira: Linked to Conti, expanding attacks to virtualized environments via SonicWall VPN flaws.
- DragonForce: A modular, service-driven group using leaked Conti and LockBit code, specializing in tailored extortion for high-value targets.
- LockBit: Struggled to recover after its 2024 takedown but released a cross-platform variant with enhanced anti-forensics.
- Cl0p & Play: Closed groups operating with strict internal security, targeting critical infrastructure and deploying double extortion.

A new alliance between DragonForce, LockBit, and Qilin emerged in late 2025, signaling deeper collaboration in the ransomware ecosystem. Meanwhile, semi-closed and closed groups such as Fog and BlackBasta are adopting tighter control, recruiting only trusted affiliates and developing proprietary tools to evade detection.

### Hybrid Threats and Cybercrime-as-a-Service

The IOCTA 2026 report warns of blurring lines between cybercriminals and hybrid threat actors, with state-linked groups increasingly using criminal networks as proxies for disruptive operations. In the cybercrime-as-a-service (CaaS) economy, hybrid actors are simply another customer, complicating attribution and enforcement. A notable development is the Scattered LAPSUS$ Hunters (SLSH) alliance, formed in August 2025 by Scattered Spider, ShinyHunters, and LAPSUS$. These English-speaking groups specialize in SIM swapping, social engineering, insider recruitment, and large-scale data theft, targeting corporations, healthcare, and transport sectors. Their tactics include persistent harassment post-payment, and some members have ties to The Com network, a criminal ecosystem linked to extremism and child exploitation.

### AI, Infostealers, and DDoS as Enablers

Cybercriminals are rapidly adopting AI tools to automate attacks, enhance social engineering, and blur the line between legitimate and malicious technology. Infostealers remain a critical enabler, fueling a broad illicit market that supplies ransomware affiliates, fraudsters, and initial access brokers (IABs). DDoS attacks persist as a low-effort, high-impact tool, often used for extortion or ideological disruption. While mitigation measures have improved, the minimal resources required make DDoS a sustainable strategy for destabilization, with targets including governments and critical infrastructure.

### Law Enforcement Challenges and Future Outlook

Europol’s Executive Director, Catherine De Bolle, emphasized the urgent need for proactive, collaborative efforts to counter cybercrime’s accelerating pace. The report calls for:

- Investment in AI capabilities for law enforcement.
- Stronger cross-border cooperation and data retention policies.
- Closer private-sector collaboration to access critical data held by online service providers.

The IOCTA 2026 report concludes that the cybercrime landscape will continue evolving at speed, driven by advanced tools and complex criminal networks. Law enforcement’s ability to close the "velocity gap", matching the pace of cybercriminal innovation, will determine its effectiveness in the coming years.
INCIDENT DETAILS -
TYPE
ransomware; data extortion; cybercrime-as-a-service; DDoS; infostealer attacks
MOTIVATION
financial gain; extortion; data theft; disruption; ideological motives
IMPACT
Data Compromised: high-volume data theft and exfiltration; enterprise systems; critical infrastructure; healthcare; transport sectors; Operational Impact: persistent harassment post-payment, psychological pressure tactics (DDoS, email spamming, cold-calling); Brand Reputation Impact: high (due to data leaks and extortion tactics); Identity Theft Risk: high (due to infostealers and PII exposure); Payment Information Risk: high (due to data exfiltration and ransomware attacks)
DATA BREACH
personally identifiable information (PII); corporate data; sensitive business information; Sensitivity Of Data: high; Data Exfiltration: yes; partial (ransomware strains); none (pure data theft extortion); Personally Identifiable Information: yes
JUNE 2024
612 (Before Incident)
Ransomware
16 Jun 2024, Drakontas LLC
Qilin, Akira, LockBit, DragonForce and Safepay: Ransomware activity never dies, it multiplies

Ransomware Attacks Hit Record Highs in 2025 Despite Major Disruptions

416 (After Incident)
CRITICAL (change: -196)
QILAKILOCDRASAF1768585619
Ransomware Attacks Hit Record Highs in 2025 Despite Major Disruptions

A new study by Symantec and the Carbon Black Threat Hunter Team reveals that ransomware attacks surged to unprecedented levels in 2025, with threat actors adapting rapidly to law enforcement crackdowns and evolving their extortion tactics. The report documented 4,737 claimed ransomware attacks, the highest annual total on record, despite the collapse of two major operations. RansomHub, the most active group at the time, abruptly shut down in April 2025, causing a brief dip in activity. However, former affiliates quickly migrated to other groups, restoring attack volumes within weeks. LockBit (tracked as Syrphid) also failed to recover after late-2024 law enforcement actions. New leaders emerged to fill the void. Akira and Qilin each accounted for 16% of attacks, while Inc, Safepay, and the newly identified DragonForce contributed smaller but significant shares. The fluid movement of affiliates, access brokers, and tooling between groups sustained overall activity levels.

Beyond traditional encryption-based ransomware, extortion campaigns without encryption surged in 2025. These attacks, focused on data theft and public leaks, pushed total extortion incidents to 6,182, a 23% increase from 2024. Snakefly’s Cl0p operation played a key role, exploiting vulnerabilities in enterprise software to target government and industrial sectors at scale. Social engineering also became a dominant attack vector, with groups like ShinyHunters and Scattered Spider using phone-based impersonation, credential harvesting, and OAuth abuse to breach cloud environments. Attackers tricked employees into authorizing malicious apps or sharing authentication codes, reducing reliance on malware. A new ransomware strain, Warlock, drew attention for its ties to older espionage tooling. Exploiting a zero-day in Microsoft SharePoint and using DLL sideloading, Warlock incorporated components linked to Chinese state-sponsored activity, blending ransomware with broader intrusion campaigns.

Despite these shifts, attack chains remained consistent. Threat actors relied on "living off the land" techniques, leveraging PowerShell, remote management tools, and credential dumping to evade detection. Malware often appeared late in the intrusion, just before encryption or data theft. The findings underscore how ransomware operations continue to thrive, even as law enforcement disrupts key players, by diversifying extortion methods and exploiting shared infrastructure.
INCIDENT DETAILS -
TYPE
ransomware; extortion
MOTIVATION
financial gain; data theft; espionage
IMPACT
Data Compromised: 6,182 extortion incidents (23% increase from 2024)
DATA BREACH
personally identifiable information; corporate data; Sensitivity Of Data: high; partial; none (extortion-only attacks)
DECEMBER 2023
724 (Before Incident)
Ransomware
01 Dec 2023, Drakontas LLC
DragonForce: DragonForce Ransomware Attacking Critical Business to Exfiltrate Sensitive Information

DragonForce Ransomware Emerges as a Global Threat with Dual-Extortion Tactics

588 (After Incident)
CRITICAL (change: -136)
DRA1770280407
DragonForce Ransomware Emerges as a Global Threat with Dual-Extortion Tactics

A new ransomware operation, DragonForce, has rapidly become a major cybersecurity threat since its debut in late 2023, targeting organizations across multiple industries with advanced encryption and data theft techniques. Operating under a ransomware-as-a-service (RaaS) model, the group equips cybercriminal affiliates with a sophisticated toolkit to execute high-impact attacks. DragonForce employs a dual-extortion strategy, encrypting critical business data while simultaneously exfiltrating sensitive information. Victims face pressure to pay ransoms under the threat of public leaks on dark web sites, complicating recovery efforts even for those with backups. The group maintains a centralized data leak site (DLS) to host stolen data, evolving from earlier methods that relied on dedicated victim-specific pages.

### Targeted Sectors and Regions

The ransomware has primarily struck manufacturing, business services, technology, and construction sectors, with the highest concentration of attacks in the United States, United Kingdom, Germany, Australia, and Italy.

### Technical Sophistication and Multi-Platform Capability

DragonForce stands out for its cross-platform functionality, capable of compromising Windows, Linux, ESXi, BSD, and NAS systems. Its features include:

- Multiple encryption modes (full, header, partial) with customizable file targeting.
- Delayed-start attacks to evade detection.
- Multithreading for faster encryption and detailed logging.
- "Dry run" testing to refine attacks before execution.
- Network reconnaissance via SMB port scanning to identify vulnerable systems.
- Mutex identifiers derived from leaked Conti ransomware source code.
- Shadow copy deletion using WMIC commands to block file recovery.

The group also provides unlimited storage, professional file analysis, and decryption support for affiliates, along with a configuration interface for tailored attacks.

### Adaptive Tactics and Infrastructure

DragonForce continuously refines its tools, shifting from decentralized victim sites to a centralized domain for hosting leaked data. Its Atom product line further expands its capabilities, reinforcing its position as a persistent and evolving threat. Security researchers highlight the group's code reuse from previous malware families and its aggressive anti-recovery measures, making it a formidable challenge for targeted organizations.
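The shadow copy deletion listed above is one of the few DragonForce behaviours that leaves an unambiguous host-level trace, so it is worth a dedicated detection. The following is an added example, not code from Rankiteo or from any vendor; it runs a small set of command-line patterns over constructed process-creation events in a Sysmon-like format, where the field names (`User`, `ParentImage`, `CommandLine`) and the ` | `-separated layout are assumptions.

```python
"""Detect shadow-copy deletion commands in process-creation events.

Added example; the log format and field names are assumptions, and the
SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass

# Command patterns that remove or starve Volume Shadow Copies. DragonForce
# uses the WMIC form; vssadmin variants are included because affiliates
# commonly swap between them, and a detection keyed to one tool alone misses.
SHADOW_DELETE_PATTERNS = [
    ("wmic_shadowcopy_delete",  re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("vssadmin_delete_shadows", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin_resize_storage", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
]

@dataclass
class Alert:
    rule: str
    user: str
    parent: str
    command_line: str

def parse_event(line: str) -> dict:
    """Parse 'Key=Value' fields separated by ' | ' (constructed format)."""
    fields = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields

def detect_shadow_copy_deletion(lines):
    """Return one Alert per event whose command line matches a pattern."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        cmd = ev.get("CommandLine", "")
        for name, pattern in SHADOW_DELETE_PATTERNS:
            if pattern.search(cmd):
                alerts.append(Alert(name, ev.get("User", "?"), ev.get("ParentImage", "?"), cmd))
                break  # one alert per event is enough for triage
    return alerts

SAMPLE_EVENTS = [  # constructed: two malicious, one benign listing, one unrelated
    "EventID=1 | User=CORP\\svc_backup | ParentImage=C:\\Windows\\explorer.exe | CommandLine=wmic.exe shadowcopy delete",
    "EventID=1 | User=CORP\\alice | ParentImage=C:\\Program Files\\Backup\\agent.exe | CommandLine=vssadmin list shadows",
    "EventID=1 | User=NT AUTHORITY\\SYSTEM | ParentImage=C:\\Users\\Public\\df.exe | CommandLine=vssadmin.exe delete shadows /all /quiet",
    "EventID=1 | User=CORP\\bob | ParentImage=C:\\Windows\\explorer.exe | CommandLine=notepad.exe report.txt",
]

if __name__ == "__main__":
    for a in detect_shadow_copy_deletion(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} parent={a.parent} cmd={a.command_line}")
```

Legitimate backup agents do run `vssadmin list shadows`, so the patterns deliberately require the destructive verbs; the parent image and user fields are carried in the alert so an analyst can separate a backup job from a payload launched from a user-writable path.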
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain, data extortion
IMPACT
Data Compromised: Sensitive business data, personally identifiable information
Windows, Linux, ESXi, BSD, NAS
Operational Impact: Critical business data encryption, potential data leaks
Brand Reputation Impact: Potential reputational damage due to data leaks
Identity Theft Risk: High (due to exfiltrated sensitive data)
DATA BREACH
Sensitive business data
Personally identifiable information
Sensitivity Of Data: High
JUNE 2017
758Before Incident
Ransomware
16 Jun 2017Drakontas LLC
DragonForce and MongoDB: From Cipher to Fear: The psychology behind modern ransomware extortion

Ransomware in 2025: The Evolution from Encryption to Industrial-Scale Extortion

625After Incident
CRITICAL-133
DRAMON1769536327
Ransomware in 2025: The Evolution from Encryption to Industrial-Scale Extortion

In 2025, ransomware has transformed from a technical threat into a sophisticated extortion ecosystem, rendering traditional defenses like backup restoration insufficient. Following major takedowns of groups like LockBit and BlackSuit in 2024, the landscape fragmented into decentralized, collaborative operations. Affiliates now move fluidly between brands, sharing tools and access brokers, making attribution and disruption far harder while maintaining severe impact on victims.

### The Extortion Spectrum: Beyond Double Extortion

Modern ransomware campaigns now deploy a spectrum of tactics optimized for scale, leverage, and resilience. Groups like Qilin, Akira, SafePay, INC, and Lynx formalized the classic double-extortion model: stealing data, encrypting systems, and threatening public disclosure, while framing ransom demands as "risk mitigation" to exploit legal and reputational fears. Cl0p refined encryption-less extortion at industrial scale, exploiting supply-chain vulnerabilities to exfiltrate data from hundreds of victims simultaneously. Meanwhile, DragonForce and RansomHub demonstrated the durability of cartel-style operations, where shared infrastructure sustains extortion even as groups rebrand or dissolve.

### Targeting SMBs in High-Regulation Regions

Research into SafePay ransomware revealed a deliberate shift toward small and mid-sized businesses (SMBs) in high-GDP, high-regulation regions like the U.S. and Germany. Over 90% of SafePay's 500+ victims were SMBs: service-based companies with enough resources to pay but insufficient resilience to withstand downtime or public exposure. Regulatory frameworks like GDPR, NIS2, and HIPAA amplify the cost of breaches, making extortion more lucrative than encryption alone.

### The Psychological Playbook: Weaponizing Fear

Ransomware groups now employ scripted coercion tactics to manipulate victims, even in low-tech campaigns. MongoDB ransom operations, active since 2017, illustrate this shift. Attackers exploit misconfigured, internet-exposed databases, dump or delete data, and leave ransom notes demanding small payments, prioritizing psychological pressure over technical sophistication. Key psychological tactics include:

- Surveillance & Awareness: creating perceived omniscience ("We are aware you've accessed this guide").
- Artificial Time Pressure: escalating deadlines to force impulsive decisions.
- Legal & Regulatory Fear: framing ransom as cheaper than GDPR fines or lawsuits.
- Reputation Blackmail: threatening leaks to media, competitors, or regulators.
- Internal Hierarchy Pressure: isolating technical staff to prevent escalation.

### Defensive Shifts for Security Teams

To counter exposure-focused ransomware, organizations must:

1. Integrate legal and communications teams into incident response, preparing breach notifications and regulatory disclosures as first-line defenses.
2. Train staff to resist psychological tactics, fostering an environment where security incidents can be reported without fear of blame.
3. Prioritize vulnerability management using threat intelligence to focus on actively exploited CVEs.
4. Conduct targeted configuration audits for high-risk misconfigurations, such as unauthenticated databases.

### The New Reality: Extortion Over Encryption

Modern ransomware is defined by leverage (stolen data, regulatory exposure, and psychological coercion) rather than by malware. From industrial-scale operations to low-tech campaigns, attackers optimize for speed, scale, and pressure. For security teams, this means evolving beyond recovery-focused playbooks to proactive risk mitigation, including external exposure monitoring, configuration hardening, and credential leak detection. The threat is no longer just technical; it is a human and legal crisis.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Financial gain
Extortion
Reputational damage
Regulatory leverage
IMPACT
Operational Impact: Severe
Brand Reputation Impact: High
Legal Liabilities: High (GDPR, NIS2, HIPAA violations)
DATA BREACH
Personally identifiable information
Sensitive business data
Sensitivity Of Data: High
Partial (ransomware strains)
None (encryption-less extortion)

Frequently Asked Questions

- What is the current A.I Rankiteo Cyber Score for Drakontas LLC?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in May 2026?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in April 2026?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in March 2026?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in February 2026?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in January 2026?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in December 2025?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in November 2025?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in October 2025?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in September 2025?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in August 2025?
- What was Drakontas LLC's A.I Rankiteo Cyber Score in July 2025?
- What is the average per-incident point impact on Drakontas LLC's A.I Rankiteo Cyber Score over the past 12 months?
- Where can I access detailed records of all cyber incidents associated with Drakontas LLC?
- Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
- Where can I view Drakontas LLC's profile page on Rankiteo?
- How accurate is the A.I Rankiteo Risk Scoring methodology?