> **Source: [研报客](https://pc.yanbaoke.cn)**

# Ransomware Overview 2025 Summary

## Core Content

Ransomware has evolved into a structural threat that combines economic, strategic, and political interests, affecting both individuals and organizations globally. It is no longer just a technical issue but a key challenge for national security, organizational resilience, and economic stability. The report highlights the growing convergence of IT and OT networks, especially in Europe and Latin America, which has increased the exposure of critical infrastructure to ransomware attacks.

## Main Points

### 1.1 Introduction: Ransomware as a Structural Threat

- Ransomware is a type of malware that encrypts data and demands a ransom, typically in cryptocurrency.
- It has become a tool in hybrid warfare, used by both criminal groups and state-aligned APTs to achieve strategic objectives.
- APT groups such as APT44 (Russia), Moonstone Sleet (North Korea), and ChamelGang (China) have used ransomware to support geopolitical agendas and fund state activities.
- The threat is not only about data loss: it also includes the risk of data leaks, operational shutdowns, and reputational damage.

### 1.2 Emerging Risks in Industrial Environments

- Ransomware attacks have shifted from IT to OT environments, especially in manufacturing and critical infrastructure.
- The convergence of IT and OT networks, along with the use of legacy systems and insufficient protections, has created new vulnerabilities.
- Groups like RansomHub, LockBit, Play, and Akira have been particularly active in targeting manufacturing, while others like Hunters International have shown interest in health and other sectors.

### 1.3 Conclusion of the Section

- Combating ransomware requires a comprehensive strategy that includes technological prevention, user education, proactive detection, and international collaboration.
- The report emphasizes the need to understand the evolving nature of ransomware in order to anticipate future threats and mitigate their impact.

## 2024: The Fall and Rise of New Groups

### 2.1 Reconfiguring the Criminal Ecosystem

- The ransomware ecosystem in 2024 was marked by high volatility, with the dismantling of dominant groups and the rise of new ones.
- The RaaS model continues to expand, allowing non-technical users to participate in attacks through code rental and affiliate structures.
- The fall of groups like LockBit and BlackCat has led to the migration of affiliates to new platforms, such as RansomHub.

### 2.2 Ransomware and Its Evolution

- Figure 1 shows the global ransomware victim count for 2023, 2024, and Q1-2025, highlighting the decline of LockBit and the rise of RansomHub.
- The top ransomware groups in 2024 were RansomHub, LockBit, Play, Akira, and Hunters International.
- The manufacturing sector remains the most targeted globally, followed by health and construction.

### 2.3 Global Victim Data for 2024

- The United States was the most affected country, with over 53% of global ransomware victims.
- Other top countries included Canada, the UK, Germany, Italy, and Brazil.
- The manufacturing sector accounted for 14% of the global ransomware impact, while the health sector had 8%.

### 2.4 Groups Impacting EU Member States

- EU countries with the highest number of ransomware victims were Germany, Italy, France, Spain, Belgium, the Netherlands, Sweden, and Poland.
- LockBit and RansomHub were the most active groups in the EU, with RansomHub gaining significant traction in the second half of the year.
- The most affected sectors in the EU were manufacturing, health, and construction, with a notable percentage of "Other" sectors.

### 2.5 Groups Impacting Latin America

- The top five countries affected by ransomware in Latin America were Brazil, Mexico, Argentina, Colombia, and Peru.
- RansomHub and LockBit had a significant presence in the region, though RansomHub showed greater activity.
- ArcusMedia emerged as a notable group in Latin America, and others like APT73, FunkSec, and Sarcoma also had a significant impact.
- The most affected sectors were manufacturing, retail, and health, with government institutions also being targeted, indicating possible political motives.

### 2.6 Emerging High-Impact Groups During 2024

- **RansomHub**: Emerged in February 2024 and surpassed LockBit in attack volume after the latter's dismantling. Operates under the RaaS model, targets Windows, Linux, and ESXi systems, and uses double extortion tactics. It exploits vulnerabilities in products such as Citrix ADC and Fortinet FortiOS.
- **FunkSec**: An emerging group linked to hacktivism, particularly aligned with movements like Free Palestine and Ghost Algeria. Uses AI to develop malware and employs double extortion. It has targeted the United States, Spain, and other countries, possibly due to political alignment.
- **Lynx**: Evolved from the INC Ransom group, targeting Windows systems and using double extortion. It has attacked sectors like energy, manufacturing, and telecommunications, including the Romanian electricity supplier Electrica Group in December 2024.

## 2025 Trends

### 3.1 Ransomware During the First Quarter of 2025

- RansomHub continues to be a major player, with a significant increase in victims.
- The report suggests that the ransomware threat is likely to remain high, with new groups emerging and existing ones adapting to countermeasures.

### 3.2 Changes During April 2025

- The ransomware landscape shows continued volatility, with shifts in group activity and new strategies being employed.
- The report indicates that the threat is becoming more sophisticated and harder to trace, especially with the use of AI and cryptocurrency.

### 3.3 Countries with the Highest Number of Victims

- The United States remains the most affected country, followed by Canada, the UK, Germany, Italy, and Brazil.
- The report highlights the increasing threat to critical infrastructure and the need for robust protection measures.

### 3.4 Most Affected Sectors and Operational Technology (OT)

- Manufacturing, health, and construction are the most targeted sectors globally.
- The convergence of IT and OT networks has made critical infrastructure more vulnerable to ransomware attacks.
- The report stresses the importance of securing OT environments to prevent disruption of essential services.

## Protection and Response

### 4.1 Essential Recommendations to Protect Yourself from Ransomware

- Implement strong encryption and regular backups.
- Conduct regular security audits and patch management.
- Train employees on phishing and social engineering risks.
- Establish a clear incident response plan.

### 4.2 Specific Solutions to Cover the Whole Cycle

- The report suggests using AI and advanced analytics for threat detection and response.
- Collaboration between governments, businesses, and cyber intelligence centers is emphasized.
- The spread of the RaaS model requires a multi-layered defense strategy, including network segmentation and access control.

### 4.3 Comprehensive Defense Strategy

- A full-cycle approach is recommended, covering prevention, detection, containment, and recovery.
- The strategy should include both technical and geopolitical considerations, as ransomware is increasingly used as a tool for political and economic influence.

## Conclusions

- Ransomware is a growing and evolving threat that requires a multifaceted response.
- The report highlights the importance of international cooperation and a proactive, comprehensive cybersecurity strategy.
- Emerging groups like RansomHub, FunkSec, and Lynx are changing the landscape, with new tactics and targets.
- The convergence of IT and OT environments poses a significant risk to critical infrastructure, especially in Europe and Latin America.

## About S2GRUPO

- S2GRUPO is a cybersecurity company that provides professional analysis and expert knowledge on ransomware.
- The report is prepared by LAB52, a team within S2GRUPO, focusing on the strategic and technical aspects of ransomware.
- The report is intended for professional and institutional use and is protected by intellectual property rights.