Ransomware: Tactical Evolution Fuels Extortion Epidemic

New whitepaper reveals record number of attacks as threat landscape evolves with new players and new tactics.

  • Advent of encryptionless extortion propels attack numbers to new heights.
  • Success of Snakefly (aka Cl0p) and ShinyHunters could create attack template that will be mimicked by other attackers.
  • Akira, Qilin, Safepay and DragonForce expand after collapse of RansomHub and LockBit.
  • Vast majority of tools used by attackers are legitimate software.

The cyber-extortion epidemic reached new heights in 2025, with a record number of attacks recorded. As outlined in our new whitepaper, this increase is being powered by a new breed of attackers who eschew encryption and rely solely on data theft as leverage for extortion. By using zero-day vulnerabilities or exploiting weaknesses in the software supply chain, attackers can steal data from even the best-defended organizations before they become aware of the issue. 

Meanwhile, there has also been no decline in the number of attacks involving encryption. This is despite significant levels of disruption among key players, such as the collapse of LockBit in late 2024 and the closure of RansomHub in April 2025. Instead, other ransomware operators such as Akira, Qilin, Safepay and DragonForce expanded rapidly in the wake of those departures, quickly winning over affiliate attackers who previously worked with the departing actors. 

Growth in attacks

Analysis of data from ransomware leak sites found that ransomware actors claimed a total of 4,737 attacks during 2025, up from 4,701 in 2024, a 0.8% increase. The number of attacks claimed in 2025 was the highest ever. 

Figure 1. Claimed ransomware attacks by actors operating data leak sites, 2022-2025.

While attacks involving encryption have remained just above 4,700 annually for the past few years, there has been a significant jump in the number of attacks that don’t involve encryption and instead rely on data theft alone as a lever for extortion. If these attacks are factored in, the number of extortion attacks in 2025 was 6,182, a 23% increase on 2024. 

Figure 2. Claimed extortion attacks, including encryptionless extortion attacks, 2022-2025. Snakefly numbers are attacks claimed on Cl0p leak site. Shiny Hunters/Scattered Lapsus Hunters numbers derive from publicly reported number of victims, most notabl

These tactics were pioneered by the Snakefly cybercrime group (aka Cl0p), which regularly mounts zero-day exploit campaigns against enterprise software to exfiltrate data at scale and extort victims through threat of leaks. Its most recent campaign came to light in October 2025, when it was linked to extortion attacks that targeted users of Oracle E-Business Suites (EBS). Snakefly exploited a critical zero-day vulnerability (CVE-2025-61882) in EBS that allowed unauthenticated attackers to remotely execute code on vulnerable systems.

It has since been joined by other actors such as ShinyHunters, which made headlines this year when it carried out a series of attacks that targeted the Salesforce instances of multiple major corporations.

New players emerge

While ransomware activity levels have remained persistently high, there have been dramatic changes in the make-up of the ransomware threat landscape. LockBit (aka Syrphid) and RansomHub (aka Greenbottle) – two of the largest Ransomware-as-a-Service (RaaS) operations seen to date – disappeared from the scene in 2025. LockBit experienced significant disruption in late 2024 and has not managed to rebuild despite several attempts, while RansomHub shut down in April 2025. Other players have benefited significantly from these departures, most notably Akira (16% of claimed attacks), Qilin (16%), Inc (6%), Safepay (6%) and the new arrival DragonForce (5%).

Figure 3. Top 10 ransomware operations by claimed attacks, 2025.

Tools, tactics and procedures

A key point about ransomware attack chains is that most of the tools used by today’s attackers are legitimate software. Malware is used sparingly and may only appear at the conclusion of an attack (such as when a ransomware payload is deployed).

Living off the land – using tools that are readily available on the target’s network to advance an attack – has been adopted to some degree by nearly all ransomware actors. It allows attackers to minimize the risk of detection by reducing the number of tools that they must install and use on the victim’s network.

PowerShell is the most frequently exploited living-off-the-land tool, used in 25% of all ransomware attacks investigated by the Threat Hunter Team. Its popularity comes from its powerful and versatile scripting capabilities, combined with its integral role as a native Windows component widely used for legitimate purposes. 

It is followed by PsExec (22% of all attacks), a Microsoft Sysinternals tool for executing processes on other systems. The tool is primarily used by attackers to move laterally on victim networks, executing commands on other machines on the network. 

Figure 4. Most frequently used living off the land tools, by percentage of attacks, 2024-2025.

In addition to living off the land, attackers make heavy use of dual-use software, legitimate software packages that are installed on the target’s network by the attackers themselves. Popular tools include the network scanning tool NetScan (used in 19% of all attacks investigated) and Rclone, a remote backup utility that is often used for data exfiltration (10%). 

One of the most popular categories of tools is remote access/remote desktop and RMM (remote monitoring and management) software packages. Remote access tools have a legitimate use case for applications such as tech support or remote working. However, from an attacker’s perspective, they effectively provide a backdoor into a machine, allowing the attacker to issue commands, download additional software, and exfiltrate data. RMM software is used for managing machines on a network and rolling out new software or software updates. Attackers can leverage the same functionality to deliver malicious tools, including ransomware payloads.

Frequently used tools in this category include AnyDesk (13% of attacks investigated), ScreenConnect (4%), PDQ (3%) and Splashtop (2%).
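Because the living-off-the-land binaries and dual-use tools described above are legitimate software, detection hinges on context rather than on the file itself: a remote access tool on an IT administrator's workstation is expected, the same tool in a user's Downloads folder is not. The following is an added example, not code from the report or from the Threat Hunter Team, that runs a small triage pass over constructed process-creation log lines and flags the tools named in the two passages above (PowerShell, PsExec, NetScan, Rclone, AnyDesk, ScreenConnect, PDQ, Splashtop). The log line format, the process names used for matching, and the per-host inventory of approved tools are all assumptions made for this illustration.

```python
"""Triage of process-creation events for LOTL and dual-use tool activity.

Added example, not part of the original report. The log schema below is a
constructed simplification (one event per line, space-separated key=value
fields), not any vendor's real export format.
"""
import re
from collections import defaultdict

# Constructed line format: <timestamp> host=<name> user=<domain\user>
#                          parent=<parent exe> image=<full path of new process>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"parent=(?P<parent>\S+)\s+image=(?P<image>.+?)\s*$"
)

# Living-off-the-land binaries named in the report, keyed by process name.
# PSEXESVC.exe is the service component PsExec places on the remote host.
LOTL_TOOLS = {
    "powershell.exe": "PowerShell",
    "pwsh.exe": "PowerShell",
    "psexec.exe": "PsExec",
    "psexesvc.exe": "PsExec",
}

# Dual-use tools named in the report. Matched as substrings of the process
# name because installer and client binary names vary (assumed spellings).
DUAL_USE_TOOLS = {
    "netscan": "NetScan",
    "rclone": "Rclone",
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "pdqdeploy": "PDQ",
    "splashtop": "Splashtop",
}

# Hypothetical software inventory: dual-use tools approved on a given host.
# In practice this would come from an asset-management or CMDB source.
APPROVED_TOOLS = {
    "IT-ADMIN-01": {"AnyDesk", "PDQ"},
}


def parse_line(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify_image(image_path):
    """Map a process image path to ("lotl"|"dual-use", tool label) or None."""
    name = image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if name in LOTL_TOOLS:
        return "lotl", LOTL_TOOLS[name]
    for needle, label in DUAL_USE_TOOLS.items():
        if needle in name:
            return "dual-use", label
    return None


def scan_events(lines):
    """Produce one finding per event that involves a tool of interest."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # malformed line: skip rather than fail the whole pass
        hit = classify_image(ev["image"])
        if hit is None:
            continue
        category, tool = hit
        approved = tool in APPROVED_TOOLS.get(ev["host"], set())
        if category == "dual-use" and not approved:
            severity = "high"    # remote access / exfil tool outside inventory
        elif tool == "PsExec":
            severity = "medium"  # remote execution landed on this host
        else:
            severity = "info"    # ubiquitous or approved; needs more context
        findings.append({
            "ts": ev["ts"], "host": ev["host"], "user": ev["user"],
            "parent": ev["parent"], "tool": tool, "category": category,
            "approved": approved, "severity": severity,
        })
    return findings


def unapproved_by_host(findings):
    """Summarise which unapproved dual-use tools appeared on which hosts."""
    out = defaultdict(set)
    for f in findings:
        if f["category"] == "dual-use" and not f["approved"]:
            out[f["host"]].add(f["tool"])
    return {host: sorted(tools) for host, tools in out.items()}


# Constructed sample events for this example (not real telemetry).
SAMPLE_LOG = [
    "2025-11-03T08:14:02Z host=IT-ADMIN-01 user=CORP\\svc-helpdesk parent=services.exe image=C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
    "2025-11-03T09:41:55Z host=WS-117 user=CORP\\jdoe parent=explorer.exe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
    "2025-11-03T09:43:10Z host=WS-117 user=CORP\\jdoe parent=winword.exe image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "2025-11-03T10:02:37Z host=FS-02 user=CORP\\adm-backup parent=services.exe image=C:\\Windows\\PSEXESVC.exe",
    "2025-11-03T10:05:12Z host=FS-02 user=CORP\\adm-backup parent=cmd.exe image=C:\\ProgramData\\rclone\\rclone.exe",
    "2025-11-03T10:07:00Z host=WS-200 user=CORP\\mlee parent=explorer.exe image=C:\\Windows\\System32\\notepad.exe",
    "garbage line without the expected fields",
]

if __name__ == "__main__":
    for f in scan_events(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['host']:12} {f['tool']:12} parent={f['parent']}")
    print(unapproved_by_host(SAMPLE_LOG and scan_events(SAMPLE_LOG)))
```

The point of the inventory lookup is the one the report makes: the same AnyDesk binary is "info" on the helpdesk host and "high" on a user workstation, so an alert on the file name alone would either drown the analyst or be tuned away. The PsExec service component is scored separately because its appearance on a host is evidence that remote execution reached that machine, which is exactly the lateral-movement use described above.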

Figure 5. Most frequently used dual-use tools, by percentage of attacks, 2024-2025.

New risks ahead

While attacks involving encrypting ransomware remain as prevalent as ever and still pose a threat, the advent of new types of encryptionless attacks adds another degree of risk, creating a wider extortion ecosystem of which ransomware may become just one component. 

This broadening of potential attack types presents new challenges for enterprises that not only have to maintain a robust security posture on their own networks but now also must put greater focus on the security of their software supply chain. 

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.
