The ransomware ecosystem in 2025 fragmented rather than collapsed: affiliates became more independent, groups blurred their boundaries, and operators shifted toward identity abuse, supply-chain compromise, and data-first extortion. Long dwell times, widespread exploitation of enterprise software, and high victim impact (with Fortinet reporting 73% of organizations hit and low full-recovery rates) show the threat evolved into quieter, more targeted campaigns. #ScatteredLapsusHunters #OracleEBS
Key points
- The ransomware ecosystem fragmented in 2025: affiliates rotated between brands, reused tooling, and operated more independently, reducing dominance of single groups.
- Identity abuse and social engineering scaled dramatically—Scattered Lapsus$ Hunters used vishing and OAuth-connected app abuse to bypass MFA and gain persistent SaaS access.
- Supply-chain and high-impact vulnerability exploitation remained central: Cl0p used Oracle EBS zero-days and groups continued to leverage MOVEit, GoAnywhere, and other third-party flaws.
- Traditional RaaS models lost influence while cartel-style and decentralized approaches (DragonForce, RansomHub dynamics) complicated attribution and disruption.
- Attackers emphasized data-first extortion and prolonged access: many intrusions involved lengthy dwell times to map dependencies and exfiltrate data before extortion.
- Victim impact stayed severe despite payments—Fortinet data showed only ~60% of data restored on average and only 4% of victims recovered all data after paying.
MITRE Techniques
- [T1566] Phishing – Social-engineering at scale (voice and support-call lures) to obtain access and bypass human controls (‘polished vishing calls and guided through routine actions such as MFA resets or OAuth authorizations’)
- [T1078] Valid Accounts – Use of stolen credentials, VPN and RDP exposure for initial access and lateral movement (‘gaining access through stolen credentials, VPN and RDP exposure’)
- [T1190] Exploit Public-Facing Application – Exploitation of enterprise-facing CVEs to gain unauthenticated access and steal data (e.g., Oracle EBS zero-days) (‘exploited CVE-2025-61882 and CVE-2025-61884, two high-impact flaws that allowed unauthenticated access to core EBS components’)
- [T1021] Remote Services – Abuse of remote management and admin tools (RDP, VPN, SimpleHelp RMM) to move laterally and deploy payloads (‘compromise MSP environments and push ransomware to downstream customers’ via CVE-2024-57726/57727/57728)
- [T1059] Command and Scripting Interpreter (PowerShell) – Use of scripting for post-access actions, automation, and evasion (‘familiar tools such as PowerShell, Mimikatz, RDP, WinRAR, and Rclone’)
- [T1003] Credential Dumping – Use of tools like Mimikatz to harvest credentials for lateral movement and persistence (‘familiar tools such as PowerShell, Mimikatz, RDP, WinRAR, and Rclone’)
- [T1053] Scheduled Task/Job – Use of scheduled tasks and Group Policy to distribute payloads and maintain persistence (‘distributed payloads through mechanisms like Group Policy, scheduled tasks, and PsExec’)
- [T1567] Exfiltration Over Web Service – Data theft and staging for double extortion using tools and cloud sync (Rclone, WinRAR archives, leak sites) (‘steals sensitive data and later encrypts systems, threatening public disclosure through its Dark Web leak site’)
- [T1486] Data Encrypted for Impact – Ransomware encryption and public leak pressure as the impact mechanism (double extortion and leak sites across groups)
- [T1550] Use of Alternate Authentication Material – Abuse of OAuth tokens and connected-app approvals to bypass MFA and obtain long-lived programmatic access (‘abusing connected-app approvals and long-lived OAuth tokens, the group bypassed MFA and gained persistent, programmatic access’)
- [T1215] Kernel Modules and Extensions – BYOVD (Bring Your Own Vulnerable Driver) technique to disable antivirus/EDR at kernel level and facilitate encryption (‘loading legitimate but vulnerable kernel drivers to disable antivirus and EDR tools before encryption’)
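Defender-side illustration of the vishing-to-OAuth chain described under T1566 and T1550: an added example, not code from the SOCRadar post, that correlates a help-desk MFA reset with a connected-app authorization for the same user shortly afterwards and flags grants that carry long-lived (refresh/offline) scopes. The event shape, field names, one-hour window and scope names are assumptions; real IdP and SaaS audit schemas differ.

```python
"""Flag OAuth connected-app grants that closely follow an MFA reset.

Constructed example: event dicts use a simplified, hypothetical audit-log
shape (timestamp, user, action, app, scopes); adapt the field names to the
IdP or SaaS platform you actually export from.
"""
from datetime import datetime, timedelta

# Constructed sample events: alice shows the suspicious chain, bob does not.
EVENTS = [
    {"ts": "2025-10-01T09:00:00", "user": "alice", "action": "mfa_reset",
     "actor": "helpdesk"},
    {"ts": "2025-10-01T09:06:00", "user": "alice", "action": "oauth_app_authorized",
     "app": "Acme Sync Helper", "scopes": ["api", "refresh_token"], "app_verified": False},
    {"ts": "2025-10-01T11:00:00", "user": "bob", "action": "mfa_reset",
     "actor": "helpdesk"},
    {"ts": "2025-10-02T11:00:00", "user": "bob", "action": "oauth_app_authorized",
     "app": "Corporate Mail", "scopes": ["email"], "app_verified": True},
]

WINDOW = timedelta(hours=1)                      # assumed correlation window
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}  # scopes yielding long-lived tokens


def find_suspicious_chains(events, window=WINDOW):
    """Return (user, app, reasons) for every connected-app grant that occurs
    within `window` after an MFA reset for the same user."""
    last_reset = {}   # user -> time of most recent MFA reset
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        when = datetime.fromisoformat(ev["ts"])
        if ev["action"] == "mfa_reset":
            last_reset[ev["user"]] = when
        elif ev["action"] == "oauth_app_authorized":
            reset_at = last_reset.get(ev["user"])
            if reset_at is None or when - reset_at > window:
                continue  # no recent reset for this user: not the chain we care about
            reasons = [f"oauth grant within {window} of MFA reset"]
            if set(ev["scopes"]) & PERSISTENT_SCOPES:
                reasons.append("refresh/offline scope grants long-lived access")
            if not ev.get("app_verified", False):
                reasons.append("unverified connected app")
            findings.append((ev["user"], ev["app"], reasons))
    return findings


if __name__ == "__main__":
    for user, app, reasons in find_suspicious_chains(EVENTS):
        print(f"ALERT {user}: '{app}' -> {'; '.join(reasons)}")
```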
Indicators of Compromise
- [Ransomware / Threat Actor] reported actor names and brands used in attribution – Scattered Lapsus$ Hunters, Cl0p, Qilin (Agenda), Akira, DragonForce, and 7 more groups
- [Vulnerabilities / CVE] exploited enterprise flaws used to gain access or move laterally – CVE-2025-61882, CVE-2025-61884 (Oracle EBS), and other CVEs including CVE-2021-44228, CVE-2020-1472, CVE-2023-3519 (and several more)
- [Tools / Utilities] common tooling observed in intrusions – Mimikatz, Rclone, PsExec, WMIC (and other remote/admin tools)
- [Services / Software Targets] targeted platforms and third-party services tied to compromises – Oracle E-Business Suite, Salesforce (SaaS), SimpleHelp RMM (and prior victims tied to MOVEit/GoAnywhere/Cleo)
- [Forums / Platforms] attacker coordination and disclosure channels – RAMP forum (affiliate recruitment) and Telegram (public pressure and leak promotion)
Read more: https://socradar.io/blog/top-10-ransomware-groups-2025/