Introduction
The rapid evolution of ransomware, and its ability to disrupt operations by penetrating critical systems, demands serious attention.
BlueVoyant found that the first half of 2025 was marked by new attack strategies, a focus on high-pressure targets, and a high volume of incidents. The total number of ransomware attacks remained at a critically high level in the first six months of the year, with more than 3,000 incidents recorded. The overall threat has not diminished; it has become more unpredictable.
These trends are especially pertinent to the Asia Pacific region: another study found that APAC accounted for over a third (34%) of all global cyberattacks in 2024, with ransomware the most prevalent attack type.
Disruption and Realignment in the Ecosystem
Following years of dominance by a few key players, the ransomware landscape has fragmented into a chaotic and highly competitive market defined by new leaders, divergent attack strategies and a sharp focus on high-pressure targets.
For years, the landscape was characterised by a stable, if dangerous, hierarchy: a few dominant Ransomware-as-a-Service (RaaS) groups, led by the prolific LockBit operation, accounted for the majority of attacks. The ecosystem is now in a state of flux, defined by the fall of old leaders and an aggressive, chaotic race to establish new dominance.
LockBit, once the most prolific RaaS platform, collapsed following a major infrastructure breach and a law enforcement crackdown. Its demise created a power vacuum that fuelled fierce competition among emerging groups.
Agenda has emerged as the frontrunner, showing consistent month-over-month growth and deploying sophisticated tools like NETXLOADER.
Akira and Play have maintained high attack volumes, establishing themselves as reliable threats in the new ransomware order.
Ransomware groups are now operating under two primary models:
- Marathon Runners (e.g., Agenda, Akira, Play): These groups focus on sustained, high-volume campaigns. Akira and Play have been the workhorses, consistently delivering high victim counts month after month; Akira peaked at 61 victims in March, while Play peaked at 51 in April. Their steady output has made them reliable and dangerous mainstays of the new landscape.
- Sprinters (e.g., Clop, RansomHub): These actors execute short, high-impact bursts, often exploiting zero-day vulnerabilities in widely deployed software to compromise hundreds of victims within days.
The RansomHub group serves as a cautionary tale of market volatility. It exploded onto the scene with 100 victims in February, briefly becoming the most active group in the world, only to vanish completely by May.
Multiple Sectors at Risk
The manufacturing sector has been the most targeted industry by a wide margin, with attackers exploiting the financial leverage that comes from halting physical production lines. In March alone, 245 ransomware incidents were recorded in this sector. IBM's data mirrors this finding for APAC, where manufacturing is the region's most targeted industry, accounting for 40% of cyberattacks in the region.
Other high-risk sectors include business services and retail, owing to their broad attack surfaces and the sensitive data they hold. Critical uptime requirements keep the healthcare sector in the spotlight, while the finance sector sees frequent targeting for its high-value data and by state-sponsored actors.
How to Prevent Ransomware Attacks
Combating today's ransomware threats requires a multi-layered, intelligence-led defence strategy:
- Embrace Intelligence-Led Defence – Static defences are no longer enough. Organisations must actively track the tactics, techniques, and procedures (TTPs) of emerging ransomware groups and of the initial access brokers that feed them, so that intrusions can be anticipated and blocked before they escalate to encryption or data theft.
- Prioritise Agile Patch Management – Sprinter campaigns prove that the window to patch critical, actively exploited vulnerabilities is now measured in hours, not weeks. Rapid identification and remediation of exposed, internet-facing systems is essential, and remediation should be prioritised by evidence of active exploitation rather than by severity score alone. Organisations should also be concerned about the patch status of their third-party ecosystem and work with vendors and suppliers to confirm that they are patching.
- Invest in Human-Centric Security – Sophisticated social engineering remains a top initial access vector. Continuous security awareness training is critical, especially for roles that can reset credentials or grant access, such as help desk staff, who are a frequent target of impersonation attempts.
Lastly, assume a breach will happen. To withstand this volatile landscape and minimise the impact of a successful attack, APAC organisations must focus on strengthening resilience and recovery. Consider network segmentation to contain lateral movement, immutable and offline backups that an intruder with administrative access cannot delete or encrypt, and a well-rehearsed incident response plan that has been tested against a ransomware scenario. With the right intelligence and a proactive defence strategy, organisations can stay ahead of the changing landscape and ensure business continuity.