
Ransomware Threat Still Rising: Key Trends in the Technology Sector in 2025

The 2025 Trustwave Technology Risk Radar Report highlights ransomware as a major and persistent threat to the technology sector, one that shows no sign of abating as new ransomware-focused threat groups keep appearing.

The report indicates that over 20,000 hosts were found running legacy Windows operating systems (listed in the report as Windows 2012, 2008, and 2007) that Microsoft no longer supports or patches. Such hosts receive no fix for any vulnerability discovered since their end-of-support date, and where older patches were never applied they remain exposed to well-known exploits such as EternalBlue (MS17-010, against SMBv1), which ransomware operators still use for initial access and lateral movement.

The report rates the global ransomware threat level as high, citing a 10% week-over-week increase in attacks, with 85% of those attacks targeting the technology sector.

Several new and established ransomware groups have notably targeted the technology sector in the past year.

  • Ransomhub
    • Emerged in February 2024 and quickly gained notoriety for "big game hunting": targeting organizations likely to pay large ransoms to avoid operational downtime.
    • They employ a double extortion model, encrypting data and threatening to leak stolen information.
    • Ransomhub has targeted healthcare, technology, and critical infrastructure sectors, with increased activity against technology firms in Europe (Germany, Italy, Hungary) and the United States by March 2025.
    • Examples of technology sector targets exposed on their data leak portal include Europtec, Bassi, Conterra, and Technicare in March 2025.
  • CL0p
    • Highly active, particularly in early 2025, leading its peer group with 413 leak posts in Q1 2025.
    • The group resumed activity in February 2025, exploiting then-zero-day vulnerabilities in Cleo managed file transfer products (CVE-2024-50623 and CVE-2024-55956).
    • This drove a surge to 389 victims in February alone, a roughly 1,400% increase from the 26 victims recorded in 2024.
    • CL0p focuses on mass data exfiltration rather than encryption and has historically earned substantial sums, such as an estimated $75–100 million from the 2023 MOVEit Transfer campaign (CVE-2023-34362).
    • Technology sector targets exposed include Jaggedpeak, Rackspace, and Iovate.
  • Akira
    • Operations began in March 2023, known for its retro-styled data leak site and multi-extortion tactics.
    • Akira demands high ransoms, often running to millions of dollars per victim.
    • It has targeted sectors including technology, education, finance, manufacturing, real estate, and critical infrastructure.
    • The group claimed over 350 organizations as of early 2025, with a record escalation in November 2024, posting over 30 new victims in a single day.
    • Technology sector targets listed include Toppan Next, Rackspace, and Iovate.
  • Fog
    • First appeared in April 2024, known for its aggressive tactics, including rapid encryption of files and deletion of backups to prevent recovery.
    • Fog primarily targets higher education institutions and technology firms, often exploiting compromised VPN credentials for initial access.
    • The group also operates a data leak site for double extortion.
    • Attacks are characterized by their speed, with encryption sometimes occurring within hours of initial access.
    • Technology sector targets include GitLab, Melexis, Eumetsat, and Inelmatic.

Popular MITRE Tactics and Techniques Used by Ransomware Groups

Ransomware groups leverage a range of MITRE ATT&CK tactics and techniques to carry out their attacks. Some of the most popular observed tactics include:

  • Initial Access (TA0001)
    • Phishing (T1566): Most observed initial access attempts were phishing, using social engineering with links to external websites.
    • Exploit Public-Facing Application (T1190): Exploiting known vulnerabilities like Log4j (CVE-2021-44228) and PHP-CGI remote command execution.
    • Valid Accounts (T1078).
  • Execution (TA0002)
    • Command and Scripting Interpreter (T1059): Malicious use of PowerShell scripts and commands.
    • User Execution (T1204): Execution of malicious files and links.
  • Persistence (TA0003): Commonly involve Account Creation (T1136) and Account Manipulation (T1098).
  • Privilege Escalation (TA0004): Often through manipulation of valid cloud-based accounts.
  • Defense Evasion (TA0005): Techniques such as process name masquerading (T1036), process injection (T1055, e.g., into explorer.exe), and access token manipulation (T1134).
  • Credential Access (TA0006): Predominantly generic brute-force attacks (T1110, 72.8% of observed attempts), followed by OS Credential Dumping (T1003) and Steal or Forge Kerberos Tickets (T1558).
  • Discovery (TA0007): Primarily Network Service Discovery (T1046) and Account Discovery (T1087).
  • Lateral Movement (TA0008): Most often via Remote Services, particularly Remote Desktop Protocol (T1021.001), characterized by "RDP nesting": chaining RDP sessions from one compromised host into the next so that each hop originates from an internal machine and blends in with administrative traffic.
  • Collection (TA0009).
  • Exfiltration (TA0010): Such as Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002).
  • Command and Control (TA0011): Mostly HTTP(S) traffic to web services on non-standard ports (T1071.001), often using algorithmically generated domains and malformed User-Agent strings.
  • Impact (TA0040): Data Encrypted for Impact (T1486), typically preceded by Indicator Removal: Clear Windows Event Logs (T1070.001), a Defense Evasion technique used to hinder the subsequent investigation.
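Three of the behaviours listed above (brute force into a valid account, RDP nesting, and clearing the Security log) can be detected from Windows Security events alone. The script below is an added example, not code from the Trustwave report; it runs over a constructed set of event records (IDs 4625, 4624 with logon type 10, and 1102) and a hypothetical host-to-address map that a real deployment would take from DHCP or CMDB data.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ev(ts, event_id, host, user, src_ip, logon_type):
    """Minimal Windows Security event record (constructed fields, not real telemetry)."""
    return {"ts": ts, "event_id": event_id, "host": host, "user": user,
            "src_ip": src_ip, "logon_type": logon_type}


# Constructed sample: 12 failed network logons (4625) from one external address,
# a success (4624) for the same account, an RDP logon (type 10) to WS01, two more
# RDP hops deeper into the network, then the Security log being cleared (1102).
EVENTS = [_ev(f"2025-03-01T02:00:{s:02d}", 4625, "WS01", "jdoe", "203.0.113.7", 3)
          for s in range(0, 60, 5)]
EVENTS += [
    _ev("2025-03-01T02:01:30", 4624, "WS01", "jdoe", "203.0.113.7", 3),
    _ev("2025-03-01T02:05:00", 4624, "WS01", "jdoe", "203.0.113.7", 10),
    _ev("2025-03-01T02:09:00", 4624, "SRV-FILE01", "jdoe", "10.0.1.15", 10),
    _ev("2025-03-01T02:15:00", 4624, "SRV-DC01", "jdoe", "10.0.2.40", 10),
    _ev("2025-03-01T03:10:00", 1102, "SRV-DC01", "jdoe", "-", 0),
]
# Hypothetical host-to-address map; in production this comes from DHCP/CMDB data.
HOST_IPS = {"WS01": "10.0.1.15", "SRV-FILE01": "10.0.2.40", "SRV-DC01": "10.0.2.10"}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """T1110 -> T1078: a 4624 success preceded by >= threshold 4625 failures for the
    same (source address, account) pair inside the window."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src_ip"], ev["user"])
        if ev["event_id"] == 4625:
            failures[key].append(_t(ev))
        elif ev["event_id"] == 4624:
            recent = [f for f in failures[key] if _t(ev) - f <= window]
            if len(recent) >= threshold:
                hits.append({"src_ip": ev["src_ip"], "user": ev["user"],
                             "host": ev["host"], "failures": len(recent)})
                failures[key].clear()
    return hits


def detect_rdp_nesting(events, host_ips, min_hops=2, window=timedelta(hours=1)):
    """RDP nesting (T1021.001): chains of RemoteInteractive (type 10) logons where the
    target host of one hop is the source address of the next, same account, each hop
    within the window. A chain starts from an address that is not a known host."""
    rdp = sorted((e for e in events if e["event_id"] == 4624 and e["logon_type"] == 10),
                 key=lambda e: e["ts"])
    known = set(host_ips.values())
    chains = []
    for start in rdp:
        if start["src_ip"] in known:
            continue  # interior hop; it is reached from its entry point below
        path, last = [start["src_ip"], start["host"]], start
        while True:
            nxt = next((e for e in rdp
                        if e["src_ip"] == host_ips.get(last["host"])
                        and e["user"] == last["user"]
                        and e["host"] not in path
                        and timedelta(0) < _t(e) - _t(last) <= window), None)
            if nxt is None:
                break
            path.append(nxt["host"])
            last = nxt
        if len(path) - 1 >= min_hops:
            chains.append({"user": start["user"], "path": path})
    return chains


def detect_log_clearing(events):
    """T1070.001: Security event 1102 (audit log cleared) is almost never benign."""
    return [{"ts": e["ts"], "host": e["host"], "user": e["user"]}
            for e in events if e["event_id"] == 1102]


def run(events=EVENTS, host_ips=HOST_IPS):
    return {"brute_force": detect_brute_force(events),
            "rdp_nesting": detect_rdp_nesting(events, host_ips),
            "log_cleared": detect_log_clearing(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the sample data the three detectors fire in the order the attack unfolded: the password spray against jdoe, a three-hop RDP chain from the external address through WS01 and SRV-FILE01 to SRV-DC01, and the log wipe on the domain controller an hour later. The nesting detector deliberately requires the same account on every hop; drop that condition if you also want to catch operators who switch to a dumped credential mid-chain, at the cost of more noise from legitimate jump hosts.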


Global Threat Level and Emerging Actors

The United States and Canada (39%) and Europe (21%) are identified as the regions most heavily targeted by ransomware, reflecting the activity of groups like Ransomhub, CL0p, Akira, and Fog. With the emergence of new threat actors such as Monti, Safeplay, Hellcat, Nightspire, and Devman, there is no sign that ransomware activity will decrease in the near future.


Mitigating Ransomware Risks in the Technology Sector

To counter these sophisticated threats, technology organizations must transition from a reactive to a proactive cybersecurity posture. Key recommendations include:

  • Inventory, Assess, and Patch: Maintain a regularly updated inventory of networked assets, including OS versions, open ports, and installed applications. Prioritize vulnerability assessments for high-value and publicly exposed systems and establish an agile patching cycle that applies security updates promptly. This is critical for the legacy Windows hosts noted above and for other publicly exposed services; systems that can no longer be patched should be isolated or decommissioned.
  • Strengthen Identity and Access Controls: Enforce Multi-Factor Authentication (MFA) across all systems, especially for remote access. Implement least-privilege policies and regularly audit user roles.
  • Backups and Business Continuity: Maintain encrypted, offline, and immutable backups of critical systems; Fog's habit of deleting reachable backups is exactly what an offline copy defeats. Regularly test restoration procedures, and develop and rehearse business continuity plans for ransomware attacks and other data-loss events.
  • Secure Third-Party and Supply Chain Relationships: Conduct risk assessments on vendors, include cybersecurity obligations in contracts, and monitor for dark web leaks involving suppliers, taking immediate action if credentials or data are exposed.
  • Raise Internal Awareness and Training: Conduct regular cybersecurity training for all employees, tailored to their roles. Run phishing simulations and social engineering drills, as phishing is frequently the initial step for network infiltration. Educate teams on the implications of leaked credentials, weak passwords, and public Wi-Fi exposure.
  • Monitor the Threat Landscape: Subscribe to industry-specific threat intelligence feeds and regularly review relevant vulnerabilities. Implement dark web monitoring tools to identify when your organization or its domains appear in breach data or access markets, and participate in information-sharing communities.
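The "Inventory, Assess, and Patch" recommendation turns into a concrete queue once inventory data is scored. The script below is an added example, not part of the report; it scores a constructed inventory of hypothetical hosts by end-of-support status (Microsoft's published end-of-extended-support dates, without paid ESU), by exposed services that the techniques above rely on (SMB, RDP, WinRM), and by internet exposure, and returns the hosts in the order they should be patched or decommissioned.

```python
from datetime import date

# Microsoft end-of-extended-support dates (without paid ESU) for the legacy
# releases the report flags. Public lifecycle facts, not report data.
EOL = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2008": date(2020, 1, 14),
    "Windows Server 2008 R2": date(2020, 1, 14),
    "Windows Server 2012": date(2023, 10, 10),
    "Windows Server 2012 R2": date(2023, 10, 10),
}

# Services the ATT&CK techniques above lean on: SMB for EternalBlue-style
# exploitation, RDP for nesting, WinRM for remote execution.
RISKY_PORTS = {445: "SMB", 139: "NetBIOS", 3389: "RDP", 5985: "WinRM"}

# Constructed inventory of hypothetical hosts; in practice this is loaded from a
# scanner export or CMDB.
INVENTORY = [
    {"host": "legacy-fs01", "os": "Windows Server 2008 R2",
     "internet_exposed": True, "open_ports": [445, 3389]},
    {"host": "build-agent07", "os": "Windows Server 2012 R2",
     "internet_exposed": False, "open_ports": [445, 5985]},
    {"host": "web-edge02", "os": "Windows Server 2022",
     "internet_exposed": True, "open_ports": [443]},
    {"host": "dev-ws14", "os": "Windows 11",
     "internet_exposed": False, "open_ports": [3389]},
]


def assess(host, today):
    """Score one host. An unsupported OS dominates and grows with every year past
    end of support (each year adds unpatched CVEs); each exposed high-risk service
    adds; internet exposure doubles the total, since public-facing systems are the
    ones the report says to assess first."""
    score, reasons = 0, []
    eol = EOL.get(host["os"])
    if eol and today >= eol:
        days = (today - eol).days
        score += 40 + 5 * min(days // 365, 5)
        reasons.append(f"{host['os']} unsupported since {eol} ({days} days)")
    for port in host["open_ports"]:
        if port in RISKY_PORTS:
            score += 10
            reasons.append(f"{RISKY_PORTS[port]}/{port} open")
    if host["internet_exposed"]:
        score = score * 2 + 10
        reasons.append("internet exposed")
    severity = ("critical" if score >= 100 else "high" if score >= 40
                else "medium" if score >= 10 else "low")
    return {"host": host["host"], "score": score, "severity": severity,
            "reasons": reasons}


def prioritize(inventory=INVENTORY, today=None):
    """Return hosts sorted by descending score: the patch/decommission queue.
    `today` may be a date or an ISO date string; defaults to the current date."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    return sorted((assess(h, today) for h in inventory),
                  key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['severity']:8} {r['score']:4} {r['host']:14} {'; '.join(r['reasons'])}")
```

The weights are illustrative and should be tuned to your environment, but the shape of the result is the point: an internet-facing Server 2008 R2 host with SMB and RDP open lands at the top with a "critical" rating, ahead of an internal Server 2012 R2 build agent, while supported systems with only a web port exposed sit at the bottom. Hosts on ESU contracts should be keyed separately, since their effective end-of-support date is later than the dates above.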

Despite being at the forefront of digital offerings, the technology industry often lags in information security. By implementing these fundamental best practices, organizations can significantly enhance their resilience against ransomware and other cyber threats, allowing them to focus on delivering cutting-edge technology to their customers.
