
Ransomware 2025: Attacks Keep Rising as Threat Shows its Resilience

Despite the takedowns of some well-known names, ransomware remains a major cybercrime threat.

Ransomware attacks continued to trend upwards in 2024, rising by 3% compared to 2023, underlining the resilience of this particular cyber threat.

This increase occurred despite significant disruption in the ransomware space in 2024, and a dip in attacks in the first quarter of the year. Two of 2023’s leading ransomware operations, LockBit and Noberus, were subjects of law enforcement disruptions in late 2023 and early 2024, which did cause an initial decline in ransomware activity early in the year. However, activity in the space rebounded strongly in the second half of 2024.

Figure 1. Claimed ransomware attacks by actors operating data leak sites, 2022-2024.

When it comes to the tactics, techniques, and procedures (TTPs) leveraged by ransomware actors, living-off-the-land and dual-use tools remain the most frequently seen tools in ransomware attack chains. Exfiltrating data in so-called double extortion attacks and disabling security software before deploying payloads are now strong focuses of ransomware actors and are two things we see frequently in ransomware attack chains prior to the ransomware being deployed. A technique called Bring Your Own Vulnerable Driver (BYOVD) has become increasingly popular among ransomware attackers over the last two years for disabling security software.

Also notable over the past year or so is an apparent shift in power from ransomware operators to affiliates, with ransomware operators now offering generous terms seemingly in order to attract the best affiliates. This trend was evident in the approaches taken by the operators of two of the most active ransomware families in 2024, RansomHub and Qilin. 

The ability of ransomware operators to pivot and rebound their activity even in the face of significant pressure from law enforcement and disruptions underlines the resilience of a threat that has remained one of the biggest issues on the cybercrime landscape for many years. 

Some of the recent notable trends observed on the ransomware landscape are detailed in this blog. More details about all these trends and the ransomware landscape in general can be found in the Symantec Threat Hunter Team’s latest whitepaper: Ransomware 2025: A Resilient and Persistent Threat.

RansomHub Rises to Replace Declining LockBit

One of the biggest ransomware stories of 2024 was the emergence of Greenbottle, the operators of the RansomHub ransomware-as-a-service (RaaS). RansomHub first appeared in February 2024, and by the third quarter of the year, it was one of the most prominent ransomware operations, responsible for the highest number of claimed attacks in that quarter.

When RansomHub first appeared, initial analysis by Symantec found that the payload was a development of an older ransomware family known as Knight. Source code for Knight (originally known as Cyclops) was offered for sale on underground forums in February 2024 after Knight’s developers decided to shut down, so it is possible that other actors bought the Knight source code and updated it before launching RansomHub. 

The group has reportedly become popular with many affiliates because it offers better terms compared to rival operations, such as a greater percentage of ransom payments and a payment model where the affiliate is paid by the victim before passing on the operator’s cut. 

Attackers deploying RansomHub have been seen gaining initial access to victim networks by exploiting known vulnerabilities such as the Zerologon vulnerability (CVE-2020-1472), CitrixBleed (CVE-2023-3519), Fortinet FortiOS (CVE-2023-27997), Java OpenWire protocol marshaller (CVE-2023-46604), and Confluence (CVE-2023-22515). Attackers also used several dual-use tools before deploying the ransomware, including Atera and Splashtop, which were used to facilitate remote access, while NetScan was likely used to discover and retrieve information about network devices.

Also notable is that RansomHub’s rise came at the same time as the decline of one of the biggest names on the ransomware landscape, LockBit. LockBit, which is operated by a group Symantec tracks as Syrphid, has been active on the ransomware scene since 2019 and has been one of the biggest names on the ransomware landscape in that time. However, Syrphid was disrupted by multiple law enforcement operations in 2024, and this impacted its activity levels. The group was first targeted by an international law enforcement operation in February 2024, although it remained active afterward. However, in May 2024, the group's alleged ringleader, Dimitry Khoroshev (aka LockBitSupp), was also indicted in the U.S.

This second law enforcement blow seemed to have a more significant impact on LockBit’s activity. While it remained the largest ransomware operation by number of claimed attacks in 2024, you can see a distinct change in trends in the second half of the year, as RansomHub started to dominate and LockBit activity steeply declined (See Figure 2). It is possible that the combined effects of the two law enforcement operations led to a loss of trust among LockBit affiliates, particularly since authorities indicated they had collected information that could identify affiliates. 

Figure 2. Claimed LockBit and RansomHub attacks by quarter, 2024.

While Figure 2 indicates a decline in LockBit activity, it is notable that in December 2024, an individual claiming to represent the LockBit ransomware gang began promoting LockBit 4.0, announcing that the newest iteration of the malware would be launched in February.

Symantec’s Threat Hunter Team has observed LockBit 4.0 being deployed in attacks since then. The attackers used a publicly available Windows password recovery tool and a Veeam credential stealer. They also used WMI to stop services and NetSh to enable RDP. It will be interesting to see if the launch of LockBit 4.0 indicates a resurgence of activity from Syrphid, or if other ransomware operators will continue to dominate in 2025.

Qilin is One to Watch

Another notable ransomware family in 2024 was Qilin. Qilin, which first appeared in 2022, is operated by a group Symantec tracks as Stinkbug. According to the U.S. Department of Health and Human Services, the group likely originated in Russia and spent time expanding in 2023, recruiting affiliates on underground forums.

This recruitment drive appears to have paid off, as Qilin grew to be the fourth biggest ransomware operation by the end of 2024, behind LockBit, RansomHub, and the long-established Play. As with RansomHub, the generous terms that Stinkbug offers Qilin affiliates appear to be a main factor in its success. Affiliates reportedly earn 80% of any ransom payment, rising to 85% for ransoms above $3 million.

Figure 3. Top ten ransomware operations by claimed attacks, 2024.

Qilin, which was initially written in Go but later rewritten in Rust, is one of a growing number of ransomware threats capable of targeting multiple platforms, including Windows, Linux, and ESXi. In June 2024, Stinkbug claimed responsibility for a ransomware attack that disrupted services at multiple hospitals across London in an incident that was declared “critical” by the National Health Service (NHS) London.

In October 2024, Stinkbug updated the Qilin payload to add a number of features to enhance its capabilities. The new version, dubbed Qilin.B, added AES-256-CTR encryption that uses AES-NI instructions on machines that support hardware-accelerated encryption, making the encryption process considerably faster. It also features enhanced evasion techniques, including the termination of processes related to security, database, and backup services. To hinder recovery, it also deletes Volume Shadow Copies, logs, and its own binary after the encryption process is finished.

This enhancement of the ransomware’s features may serve to make it even more popular among affiliates and see it used even more widely by attackers in 2025.

Attackers Continue to Favor Living-off-the-land Tools

Ransomware actors continue to use a huge array of TTPs to carry out ransomware attacks. Attackers use these TTPs to gain access to and spread across victim networks, drop payloads, steal credentials, exfiltrate data, and turn off security software to prevent their activity from being discovered.

While ransomware families may come and go, TTPs tend to change less frequently, with minor evolutions occurring as attackers learn from other successful attacks. A large proportion of the tools used by attackers are legitimate software. Malware tends to be deployed sparingly and may only appear at the conclusion of an attack (such as when a ransomware payload is deployed).

Two key things ransomware attackers leveraged living-off-the-land tools for in 2024 were data exfiltration and disabling security software. 

Data Exfiltration

Exfiltrating data is a huge part of ransomware attacks now, with almost all attacks now involving double extortion, where attackers exfiltrate data from a victim’s network before encrypting it, to increase the pressure on victims to pay a ransom demand.

The vast majority of tools used for data exfiltration are dual use—legitimate software used by the attackers for malicious purposes. Among the tools we see attackers use for data exfiltration are familiar names like PowerShell, Remote Desktop Protocol (RDP), Cobalt Strike, and WinRAR. Another popular choice is Rclone, an open-source tool that can legitimately be used to manage content in the cloud but has been seen being abused by ransomware actors to exfiltrate data from victim machines.

However, one of the most popular types of legitimate software used by ransomware attackers is remote access/remote desktop and remote monitoring and management (RMM) software. Attackers can use this software, which has many legitimate purposes, for a wide range of activities, including issuing commands and dropping payloads, but the exfiltration of data from victim machines is one of the main ways they leverage this type of software during ransomware attacks. Legitimate remote access software used by attackers includes:

AnyDesk: Malicious usage of AnyDesk is now a well-known TTP and, in some cases, attackers will attempt to avoid raising suspicions by renaming the AnyDesk executable to something that may appear more innocuous, a technique known as masquerading. AnyDesk has been used extensively in pre-ransomware activity that has led to the deployment of ransomware, including AvosLocker, Monster, Noberus (aka BlackCat), BlackByte, and Lunamoth.

Atera: Atera has legitimate uses as an RMM tool and can monitor the performance and health of Windows and Mac devices, printers, servers, routers, and more. It is used by attackers for remote access and has been seen being used to download Rclone from the cloud so that it could likely be used to exfiltrate data. It has also been observed being used alongside other remote access tools including ScreenConnect. Atera has been used in attack chains that have led to the deployment of ransomware, including Lunamoth, BlueSky, Ransom Cartel, Conti, and Royal.  

ScreenConnect (formerly ConnectWise): A remote desktop application by ConnectWise that is used to enable remote access to computers. It can legitimately be used for remote monitoring and management, backup and disaster recovery, and more. It has been used alongside ransomware, including Royal, AvosLocker, Noberus, and Yanluowang.

Splashtop: A family of legitimate remote desktop and remote support software developed by Splashtop Inc. Enables users to remotely access computers from desktop and mobile devices.

TeamViewer: A legitimate remote access and collaboration application. It and similar tools are often used by attackers to obtain remote access to computers on a network. 
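The two detection opportunities in this section, a remote access tool renamed to something innocuous (masquerading) and Rclone being pointed at a cloud remote, can both be hunted in process-creation telemetry. The script below is an added example, not Symantec's code or tooling: it walks Sysmon Event ID 1-style records (Image, OriginalFileName, CommandLine) as plain dicts, flags any of the remote access tools listed above whose on-disk name no longer matches the PE OriginalFileName, and flags Rclone transfer verbs aimed at a named remote. The sample events are constructed, and the OriginalFileName values in RMM_ORIGINAL_NAMES are assumptions that should be confirmed against the vendors' actual binaries before use.

```python
"""Hunting for masqueraded remote access tools and Rclone transfers.

Added example (not Symantec's code). Events mimic Sysmon Event ID 1
fields as dicts; all sample records below are constructed.
"""
import re
from os.path import basename

# Remote access / RMM products named in the post, keyed by the PE
# OriginalFileName each is assumed to carry (assumption: verify against
# the real binaries). Renaming the file on disk does not change this field.
RMM_ORIGINAL_NAMES = {
    "anydesk.exe": "AnyDesk",
    "ateraagent.exe": "Atera",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "srserver.exe": "Splashtop",
    "teamviewer.exe": "TeamViewer",
}

# Rclone sub-commands that move data; 'remote:' is Rclone's syntax for a
# configured cloud target. A single letter before ':' is a drive, not a remote.
RCLONE_TRANSFER_VERBS = {"copy", "sync", "move", "copyto", "moveto"}
REMOTE_TOKEN = re.compile(r"(?<!\S)([A-Za-z][A-Za-z0-9_-]+):(?!//)")


def _image_name(image):
    """Basename of a Windows path, lowercased, regardless of host OS."""
    return basename(image.replace("\\", "/")).lower()


def analyze_event(ev):
    """Return [(severity, reason)] findings for one process-creation event."""
    findings = []
    image = _image_name(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()
    cmdline = ev.get("CommandLine", "")

    # Masquerading check: product identified by OriginalFileName, not by Image.
    if original in RMM_ORIGINAL_NAMES:
        tool = RMM_ORIGINAL_NAMES[original]
        if image != original:
            findings.append(("high", f"{tool} renamed to {image} (masquerading)"))
        else:
            findings.append(("medium", f"{tool} remote access tool started"))

    # Rclone check: a transfer verb plus a named remote is the exfil pattern.
    if original == "rclone.exe" or image == "rclone.exe":
        verbs = {t.lower() for t in cmdline.split()} & RCLONE_TRANSFER_VERBS
        remotes = [m.group(1) for m in REMOTE_TOKEN.finditer(cmdline)]
        if verbs and remotes:
            findings.append(("high", f"rclone {'/'.join(sorted(verbs))} to remote "
                                     f"'{remotes[0]}' (possible exfiltration)"))
        else:
            findings.append(("low", "rclone executed"))
    return findings


def hunt(events):
    """Run analyze_event over a batch; returns [(event_index, severity, reason)]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in analyze_event(ev)]


# Constructed sample telemetry: a renamed AnyDesk, a normal TeamViewer start,
# an Rclone push of a file share to a cloud remote, and benign noise.
SAMPLE_EVENTS = [
    {"Image": r"C:\ProgramData\svchost32.exe", "OriginalFileName": "AnyDesk.exe",
     "CommandLine": r"C:\ProgramData\svchost32.exe --service"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe", "OriginalFileName": "TeamViewer.exe",
     "CommandLine": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"Image": r"C:\Users\Public\rclone.exe", "OriginalFileName": "rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\Finance mega:backup -q --transfers 32"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for idx, sev, why in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: [{sev}] {why}")
```

Keying on OriginalFileName rather than the image path is what makes the masquerading check work; the same idea generalizes to any signed tool an attacker might rename, and a production rule would add file hash and signer fields from the same event.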

Disabling Security Software

A common tactic frequently deployed by ransomware attackers at present is the impairment of defenses, usually by attempting to disable antivirus (AV) or endpoint detection and response (EDR) products. The use of impairment techniques and tools has risen markedly among ransomware actors over the past two years, most likely in response to vendors improving their ability to identify patterns of malicious activity that occur prior to ransomware deployment.

Attackers have been seen leveraging living-off-the-land techniques to disable security software, such as using Windows utilities to disable Windows Defender. However, by far the most frequently used technique for defense impairment is the BYOVD technique. Attackers will deploy a signed vulnerable driver to the target network, which they then exploit to disable security software. Since drivers operate with kernel access, they can terminate processes, making them an effective tool for disrupting security measures.

In most cases, the vulnerable driver is deployed along with a malicious executable, which will use the driver to issue commands. These drivers are considered “vulnerable” as it should not be possible to leverage them in this way. BYOVD is popular with attackers due to its effectiveness and reliance on legitimate, signed files, which are less likely to raise red flags. A wide range of drivers have been used in such attacks, with anti-rootkit drivers developed by security vendors frequently among the most commonly exploited.

The most frequently used BYOVD tools seen in the past two years include: 

TrueSightKiller: A publicly available tool that leverages a vulnerable driver named truesight.sys. The signed driver was originally developed to be used in RogueKiller Anti-Malware, developed by Adlice Software. 

Gmer: A rootkit scanner that can be used to kill processes.

Warp AVKiller: A variant of a Go-based information-stealing threat called Warp Stealer, which appears to be used solely to bypass security products. It uses a vulnerable Avira anti-rootkit driver to disable security products.

KillAV: Malware used to deploy various vulnerable drivers for terminating security processes.

GhostDriver: A publicly available tool that leverages vulnerable drivers to kill processes.

Poortry (aka BurntCigar): A malicious driver documented by Sophos that is frequently employed alongside a loader known as Stonestop. Unlike many drivers, Poortry may have been developed by attackers who then succeeded in getting it signed.

AuKill: A tool documented by Sophos that uses an outdated version of the driver used by the Microsoft utility Process Explorer to disable EDR processes.
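Because BYOVD relies on a legitimately signed driver, signature checks alone will not catch it; what stands out in telemetry is which driver was loaded, from where, and whether its hash is on a vulnerable-driver blocklist. The script below is an added example, not Symantec's code or tooling: it scores Sysmon Event ID 6 ("Driver loaded") style records against a small name list, a hash blocklist, the signature status, and the load path. truesight.sys comes from the list above; procexp152.sys is assumed to be the Process Explorer driver abused by AuKill and should be verified. The blocklist hash and all sample records are constructed placeholders; in practice the blocklist would be populated from a maintained source such as the Microsoft vulnerable driver blocklist or the LOLDrivers project.

```python
"""Triage of driver-load telemetry for BYOVD activity.

Added example (not Symantec's code). Records mimic Sysmon Event ID 6
fields as dicts; the blocklist hash and sample records are constructed.
"""

# Driver file names tied to BYOVD tools in the post. truesight.sys is named
# there (TrueSightKiller); procexp152.sys is assumed to be the Process
# Explorer driver abused by AuKill (assumption, verify against samples).
KNOWN_ABUSED_DRIVER_NAMES = {"truesight.sys", "procexp152.sys"}

# Hash blocklist. Populate from a maintained source (Microsoft vulnerable
# driver blocklist, LOLDrivers). The value here is a constructed placeholder.
BLOCKED_SHA256 = {"0" * 63 + "1"}

# Where drivers are normally installed. A load from elsewhere is not proof
# of abuse (some third-party installers are sloppy) but deserves a look.
EXPECTED_DRIVER_DIRS = (
    "c:\\windows\\system32\\drivers\\",
    "c:\\windows\\system32\\driverstore\\",
)


def parse_hashes(field):
    """Turn Sysmon's 'SHA256=...,MD5=...' string into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def _norm(path):
    return path.replace("/", "\\").lower()


def in_expected_dir(image_loaded):
    """True when the driver path sits under a standard driver directory."""
    return any(_norm(image_loaded).startswith(d) for d in EXPECTED_DRIVER_DIRS)


def triage_driver_load(ev):
    """Return (score, reasons) for one driver-load event; higher = more suspicious."""
    image = ev.get("ImageLoaded", "")
    name = _norm(image).rsplit("\\", 1)[-1]
    hashes = parse_hashes(ev.get("Hashes", ""))
    score, reasons = 0, []
    if hashes.get("SHA256") in BLOCKED_SHA256:
        score += 5
        reasons.append("hash on vulnerable-driver blocklist")
    if name in KNOWN_ABUSED_DRIVER_NAMES:
        score += 3
        reasons.append(f"{name} is a driver known to be abused for BYOVD")
    if ev.get("SignatureStatus", "").lower() != "valid":
        score += 3
        reasons.append("signature not valid (unsigned or revoked driver)")
    if not in_expected_dir(image):
        score += 2
        reasons.append(f"loaded from unusual location: {image}")
    return score, reasons


def hunt_driver_loads(events, threshold=3):
    """Return [(index, score, reasons)] for events scoring at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = triage_driver_load(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample telemetry: a stock Windows driver, a signed truesight.sys
# dropped into a user-writable folder, and an unsigned driver from ProgramData.
SAMPLE_DRIVER_LOADS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\disk.sys",
     "Hashes": "SHA256=" + "a" * 64, "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\truesight.sys",
     "Hashes": "SHA256=" + "0" * 63 + "1", "Signed": "true", "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\tmp\kmod.sys",
     "Hashes": "SHA256=" + "b" * 64, "Signed": "false", "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for idx, score, reasons in hunt_driver_loads(SAMPLE_DRIVER_LOADS):
        print(f"event {idx}: score {score}: " + "; ".join(reasons))
```

The second sample record is the BYOVD case the text describes: the signature is valid, so only the driver's identity and its load path give it away, which is why the hash blocklist carries the highest weight. Pairing this with the Windows vulnerable driver blocklist enforcement (HVCI) stops the load outright rather than just logging it.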

Looking Forward

It seems certain that ransomware will remain one of the main cybercrime threats in 2025. Attackers’ ability to pivot their activity to evade detection, coupled with the emergence of new threats when law enforcement disrupts existing operations, means that tackling ransomware is likely to remain a major challenge for business, government, security vendors, and law enforcement for some time to come.

Learn more about this threat in our comprehensive whitepaper: Ransomware 2025: A Resilient and Persistent Threat.  

About the Author

Threat Hunter Team

Symantec

The Threat Hunter Team is a group of security experts within Symantec whose mission is to investigate targeted attacks, drive enhanced protection in Symantec products, and offer analysis that helps customers respond to attacks.
