Bitdefender has combined information from openly available sources (OSINT) – including news reports and research – with data we gather by analysing Data Leak Portals (DLPs), the websites where ransomware groups post details about their victims, to develop our March 2025 Threat Debrief. It’s important to remember that we can’t independently verify all of these claims, but we can feel quite confident in the trends we see over time.
February marked a grim milestone in ransomware history: a staggering 126 per cent increase in claimed victims year-over-year, jumping from 425 victims in February 2024 to 962 in February 2025. But it’s even worse than that: this is the single worst month in ransomware history based on the total number of claimed victims. Of those 962 victims, 335 were claimed by the Clop (Cl0p) group alone. That’s a 300 per cent jump from last month for this RaaS (ransomware-as-a-service) group, and it raises the question: what’s behind this sudden spike?
The answer lies in a shift we’ve been warning about since 2022, but it’s still catching many by surprise. Instead of focusing on specific companies or industries, some ransomware groups are becoming increasingly opportunistic by targeting newly discovered software vulnerabilities in edge network devices.
Here’s how it works: Cybercriminals, regardless of whether they’re financially motivated or state-affiliated, focus on finding vulnerabilities that meet certain criteria:
- The vulnerabilities have high-risk scores (CVSS).
- The vulnerabilities allow attackers to remotely take control of a system (RCE).
- The vulnerabilities affect software that’s accessible from the Internet.
- An exploit developer or malicious actor has already published the proof of concept (PoC) for the exploitation process.
Within 24 hours of a vulnerability’s public disclosure, threat actors launch automated scanners that sweep the Internet and establish remote access to vulnerable systems. After this initial access blitz comes the second stage of the attack – the manual hacking of the victims. This second stage takes time. Attackers need to figure out which systems are worth their effort, and then they have to manually work their way deeper, typically using living off the land techniques to evade detection. This delay means the actual ransomware attack or data theft typically happens weeks or even months later.
In Cl0p’s case, our analysis points to their exploitation of two recent vulnerabilities in Cleo file transfer software, CVE-2024-50623 and CVE-2024-55956. These vulnerabilities, rated 9.8 out of 10 in severity, allowed attackers to run commands on vulnerable systems. Even though these vulnerabilities were revealed in October and December 2024, the manual part of the attack is what takes time, which can explain why we are seeing these victims now.
Here are a few key defences that can make a significant difference:
- Smart Patching: Prioritise patches for actively exploited vulnerabilities and maintain awareness of known exploits (CISA KEV catalogue). A flexible patching strategy is key to rapid response.
- Threat Hunting: Proactively search your network for hidden threats. Discover backdoors before attackers launch their main attack.
- EDR/XDR with SOC/MDR: Use advanced detection systems (EDR/XDR) and expert analysis (SOC/MDR) to detect attackers moving within your network (lateral movement) and stop them before they reach critical data.
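As an added example (not Bitdefender tooling), the following Python prioritiser applies the four attacker criteria listed above together with the KEV-first patching advice: it joins constructed scanner findings against a constructed sample of CISA’s KEV feed (field names follow the real feed; due dates are illustrative) and tiers each finding by exploitation status and Internet exposure. The `CVE-PLACEHOLDER-*` ids, asset names and the `rce`/`exposed` flags are assumptions made for the sample.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (the real feed is the
# known_exploited_vulnerabilities.json file CISA publishes). Due dates are illustrative.
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2024-50623", "vendorProject": "Cleo", "dueDate": "2025-01-03",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2024-55956", "vendorProject": "Cleo", "dueDate": "2025-01-07",
  "knownRansomwareCampaignUse": "Known"},
 {"cveID": "CVE-2021-34473", "vendorProject": "Microsoft", "dueDate": "2021-12-01",
  "knownRansomwareCampaignUse": "Known"}]}"""

# Constructed scanner findings; CVE-PLACEHOLDER-* stand in for ids not on the page.
INVENTORY = [
    {"asset": "mft-gw-01", "cve": "CVE-2024-55956", "cvss": 9.8, "rce": True, "exposed": True},
    {"asset": "build-07", "cve": "CVE-PLACEHOLDER-1", "cvss": 9.1, "rce": True, "exposed": False},
    {"asset": "intranet-wiki", "cve": "CVE-PLACEHOLDER-2", "cvss": 5.3, "rce": False, "exposed": False},
    {"asset": "mail-edge", "cve": "CVE-2021-34473", "cvss": 9.8, "rce": True, "exposed": True},
]

def load_kev(raw):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw)["vulnerabilities"]}

def classify(finding, kev, today):
    """Return (tier, reasons). Tier 1 = patch now: a known-exploited bug on an
    Internet-facing system, the combination the Debrief describes. 2 = this cycle, 3 = routine."""
    entry = kev.get(finding["cve"])
    reasons = []
    if entry:
        reasons.append("in CISA KEV")
        if entry.get("knownRansomwareCampaignUse") == "Known":
            reasons.append("used in ransomware campaigns")
        if date.fromisoformat(entry["dueDate"]) < date.fromisoformat(today):
            reasons.append("past KEV due date")
    if finding["exposed"] and finding["rce"]:
        reasons.append("internet-facing RCE")
    if finding["cvss"] >= 9.0:
        reasons.append("critical CVSS")
    if entry and finding["exposed"]:
        return 1, reasons
    if entry or (finding["exposed"] and finding["rce"]) or finding["cvss"] >= 9.0:
        return 2, reasons
    return 3, reasons

def patch_queue(inventory, kev, today):
    """Order findings by tier, then by CVSS; returns (asset, cve, tier) tuples."""
    ranked = sorted(inventory, key=lambda f: (classify(f, kev, today)[0], -f["cvss"]))
    return [(f["asset"], f["cve"], classify(f, kev, today)[0]) for f in ranked]
```

Swapping `KEV_JSON` for the downloaded feed and `INVENTORY` for real scanner output is all that is needed to run it against an estate.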
Notable Ransomware News
Now, let’s explore other notable news and findings since our last Threat Debrief release.
- A chatbot aids researchers in examining Black Basta operations: Following the leak of more than one million Black Basta chats, a cybersecurity firm developed a chatbot named BlackBastaGPT. The tool allows researchers to parse the Black Basta chats, cutting down the burden that comes with manual searches and indexing. Highlights uncovered by analyses with this tool include records showing Black Basta’s profits, the group’s use of deepfakes, references to more than 60 CVEs, and the group’s struggle to keep infighting at bay. One quote that really stood out to us came from ‘gg’, the leader of the Black Basta group: “If we use standard utilities, we won’t be detected. … We never drop tools on machines.” This quote perfectly highlights a core component of modern ransomware attacks: the ‘living off the land’ technique, a tactic we’ve been raising awareness of (read our tech explainer on TechZone).
- CISA publishes a joint advisory on Ghost ransomware: Ghost (Cring) is a ransomware group based in China that emerged in 2021 and has exploited vulnerabilities in software and applications exposed to the Internet, notably CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. CISA reports that the threat actor uses recognised tools such as PowerShell scripts, Cobalt Strike, and network share and DC enumeration programs. The ransomware can encrypt specific files and directories or a storage structure; it clears Windows Event logs and disrupts Volume Shadow Copy processes. Organisations are advised to implement the following prioritised controls to reduce the risk of a Ghost ransomware attack: patch affected software, enforce network segmentation, schedule backups, and enforce phishing-resistant MFA.
- RA World tools are traced back to Chinese threat actors: RA World attacks, which execute malware using a DLL sideloading technique, feature toolsets that are associated with Mustang Panda and other Chinese threat actors. Those same tools have been used in cyber espionage campaigns and support prior predictions of the blending of APT and RaaS operations.
- Akira compromises a webcam to bypass defences: Akira has leveraged multiple techniques to execute ransomware and has developed unique tools, such as encryptors designed for different OSes. Initially, it was common for Akira to infiltrate a victim’s network through an insecure remote access application. They’d run AnyDesk to exfiltrate victim data and use RDP to perform lateral movement before executing the ransomware.
This strategy stopped being viable because Akira’s ransomware would be detected by the EDR agent installed on most systems and isolated from the environment, so Akira searched for an alternative method. After gaining access to a victim’s server via RDP, Akira added an archive file containing the ransomware to the server. The threat actor conducted a network scan and found a webcam. The webcam was an ideal target because it had flaws that allowed remote shell access, and the device ran a Linux OS that was compatible with Akira’s Linux encryptor. In addition, the webcam was not actively monitored and had no alerting controls in place. Once Akira gained access to the webcam, they deployed the ransomware over SMB; this allowed the threat actor to evade the EDR and encrypt network shares and files across the victim’s network.
- FunkSec releases a new tool: FunkSec is a ransomware group that has caught the attention of the cybersecurity community due to its rapid growth, use of AI, and expanding partnerships. The group recently announced the release of an infostealer tool called Wolfer. Once it is dropped on a victim’s machine, the tool is driven by commands entered in Command Prompt. Wolfer interacts with a Telegram bot to output details about the target such as system information, network connections, processes, software on the system, and Wi-Fi passwords.
- Cactus is identified as a group linked to Black Basta: Researchers uncovered that Cactus uses tactics similar to Black Basta in their ransomware campaigns. This includes social engineering tactics that abuse Quick Assist and Teams, as well as use of the BackConnect (BC) module. Cactus leverages the BC module QBackConnect to maintain persistence and perform reconnaissance tasks. The module has characteristics that are also associated with the QakBot loader.
- New ransomware groups emerge: Anubis and Run Some Wares are two of several groups that were recently discovered. Both groups employ double extortion tactics and have their own data leak sites.
Top 10 Ransomware Families
Bitdefender’s Threat Debrief analyses data from ransomware leak sites, where attacker groups publicise their claimed number of compromised companies. This approach provides valuable insights into the overall activity of the RaaS market. However, there is a trade-off: while it reflects attackers’ self-proclaimed success, the information comes directly from criminals and might be unreliable. Additionally, this method only captures the number of victims claimed, not the actual financial impact of these attacks.
Top 10 Countries
Ransomware gangs prioritise targets where they can potentially squeeze the most money out of their victims. This often means focusing on developed countries. The top 10 countries that took the biggest hit from these attacks are – in order – the US, Canada, UK, Denmark, France, Australia, Brazil, Mexico, Italy, and Sweden.