July 2025 Threat Trend Report on Ransomware

In July 2025, AhnLab reported an increase in ransomware activity, including a major attack on Korea’s largest financial institution and the rise of new groups such as BEAST, Payouts King, D4rk4rmy, and Sinobi. The report provides trend statistics on ransomware detections, targeted companies from leak sites, and industry/region impacts collected by ASEC and ATIP.

Key Points

  • July 2025 featured a major attack on the largest financial institution in Korea.
  • New ransomware groups observed: BEAST, Payouts King, D4rk4rmy, and Sinobi.
  • Existing ransomware groups remain active, often operating under rebranded names.
  • ASEC/ATIP compiled statistics on ransomware samples, affected systems, and targeted companies from DLS sources.
  • Report includes four statistical categories: group-by-country, affected industries, top-10 group trends (3 years), and DLS/detection stats (3 years).
  • Coverage includes industry-specific and regional damage trends and new threat trends.
  • Data on samples and affected systems are based on AhnLab detection names; targeted companies are based on ransomware leak sites.

MITRE Techniques

  • [T1588] Acquire Infrastructure – Ransomware groups use and maintain dedicated leak sites (DLS) and PR pages to publish targeted companies and ransomware information. Quote: ‘…statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group…’
  • [T1499] Endpoint Denial of Service – Large-scale attacks caused significant disruption to a major financial institution in Korea, indicating disruptive impact on critical systems. Quote: ‘…a major attack on the largest financial institution in Korea…’
  • [T1587] Develop Capabilities – Emergence of new ransomware families and rebranding by existing groups demonstrates continued development and evolution of capabilities. Quote: ‘…new groups also became active, including BEAST, Payouts King, D4rk4rmy, and Sinobi. Meanwhile, existing groups continued their operations through rebranding.’

Indicators of Compromise

  • [File/Signature] Ransomware detection names and samples – ASEC-collected new ransomware samples in July 2025 (examples not listed in article; report references sample counts).
  • [Leak Sites/Domains] Targeted company disclosures – Information sourced from ransomware dedicated leak sites (DLS) used to identify targeted companies (specific domains not provided).
  • [Affected Systems] Impacted hosts and systems – Statistics on the number of affected systems based on AhnLab detection names (exact host identifiers not provided).


Read more: https://asec.ahnlab.com/en/89646/