Ransomware: Tactical Evolution Fuels Extortion Epidemic

The 2025 cyber-extortion epidemic reached record levels driven by a rise in encryptionless extortion—attackers increasingly steal data (often via zero-days or supply-chain weaknesses) and threaten leaks instead of using encryption. This trend coexists with persistent ransomware activity and the rapid expansion of actors such as Akira and Qilin following the disruption of LockBit and RansomHub. #Snakefly #OracleEBS

Keypoints

  • 2025 saw a record number of claimed ransomware attacks (4,737) and, when including encryptionless extortion, a total of 6,182 extortion attacks—a 23% increase on 2024.
  • Encryptionless extortion (data theft without file encryption) has surged, pioneered by Snakefly (aka Cl0p) using large-scale zero-day exploits against enterprise software.
  • Snakefly exploited a critical zero-day (CVE-2025-61882) in Oracle E-Business Suite (EBS) enabling unauthenticated remote code execution; other actors like ShinyHunters targeted Salesforce instances.
  • The ransomware landscape shifted after the collapse/disruption of LockBit and RansomHub, with Akira, Qilin, Safepay and newcomer DragonForce gaining market share among affiliates.
  • Most attacker toolchains rely on legitimate software (living-off-the-land and dual-use tools) rather than bespoke malware; PowerShell and PsExec are widely used for initial actions and lateral movement.
  • Dual-use remote access and RMM tools (AnyDesk, ScreenConnect, PDQ, Splashtop) and utilities like NetScan and Rclone are commonly abused for persistence, lateral movement and exfiltration.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used to gain initial access via zero-day vulnerabilities; ‘Snakefly exploited a critical zero-day vulnerability (CVE-2025-61882) in EBS that allowed unauthenticated attackers to remotely execute code on vulnerable systems.’
  • [T1059.001] PowerShell – Command-and-scripting interpreter abused as a living-off-the-land tool; ‘PowerShell is the most frequently exploited living-off-the-land tool, used in 25% of all ransomware attacks investigated by the Threat Hunter Team.’
  • [T1021] Remote Services (lateral movement) – Remote execution tools used to move laterally across networks; ‘PsExec (22% of all attacks)… The tool is primarily used by attackers to move laterally on victim networks, executing commands on other machines on the network.’
  • [T1218] Living Off The Land Binaries – Adversaries rely on legitimate system and admin tools to minimize detection; ‘Living off the land – using tools that are readily available on the target’s network to advance an attack – has been adopted to some degree by nearly all ransomware actors.’
  • [T1567] Exfiltration Over Web Service / Cloud Storage – Use of remote backup and sync utilities to steal data; ‘Rclone, a remote backup utility that is often used for data exfiltration (10%).’
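Because the toolchain described in the keypoints and the technique list above is built from legitimate binaries (PowerShell, PsExec, NetScan, Rclone, AnyDesk), detection has to key on how those tools are invoked and how they cluster on a host rather than on malware signatures. The following added example (not code from the report or its authors) runs that logic over constructed process-creation events; the host names, users, paths and command lines are invented sample data.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed process-creation events (Sysmon Event ID 1 / Security 4688 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\jdoe", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand SQBFAFgAIAAo..."},
    {"host": "FS01", "user": "CORP\\jdoe", "image": r"C:\Users\jdoe\Downloads\netscan.exe",
     "cmdline": "netscan.exe /range:10.0.0.0/24"},
    {"host": "DC01", "user": "CORP\\svc_backup", "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "FS01", "user": "CORP\\jdoe", "image": r"C:\ProgramData\rclone.exe",
     "cmdline": r"rclone.exe copy D:\Finance mega:dump --transfers 8"},
    {"host": "WS07", "user": "CORP\\asmith", "image": r"C:\Program Files\AnyDesk\AnyDesk.exe", "cmdline": "AnyDesk.exe"},
    {"host": "WS07", "user": "CORP\\asmith", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]

# Dual-use binaries named in the report, tagged with the attack stage they usually serve.
DUAL_USE = {
    "psexec.exe": "lateral_movement", "psexesvc.exe": "lateral_movement",  # PsExec client / its service
    "netscan.exe": "discovery", "rclone.exe": "exfiltration", "anydesk.exe": "remote_access",
}
# PowerShell launched with an encoded command (-e / -ec / -enc / -EncodedCommand).
ENCODED_PS = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\b")
# An rclone destination such as "mega:dump": a remote name, a colon, then not a drive-style separator.
RCLONE_REMOTE = re.compile(r"\s[\w-]+:(?![\\/])\S")

def analyze(events):
    """Return {host: [(stage, reason), ...]} for every event that touches a dual-use tool."""
    findings = defaultdict(list)
    for ev in events:
        exe = PureWindowsPath(ev["image"]).name.lower()
        cmd = ev["cmdline"]
        if exe in DUAL_USE:
            findings[ev["host"]].append((DUAL_USE[exe], f"{exe} run by {ev['user']}"))
        if exe == "powershell.exe" and ENCODED_PS.search(cmd):
            findings[ev["host"]].append(("execution", "encoded PowerShell command line"))
        if exe == "rclone.exe" and RCLONE_REMOTE.search(cmd):
            findings[ev["host"]].append(("exfiltration", "rclone copy to a configured remote"))
    return dict(findings)

def prioritise(findings):
    """Hosts showing two or more distinct stages rank 'high'; a single stage ranks 'medium'."""
    return {host: ("high" if len({stage for stage, _ in hits}) >= 2 else "medium")
            for host, hits in findings.items()}

if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    for host, level in prioritise(result).items():
        print(host, level, *[reason for _, reason in result[host]], sep=" | ")
```

Any single hit here is expected in a normal estate (administrators run PsExec and AnyDesk too); the triage value comes from the clustering, so wire the output into a case that also checks whether the user and host pairing is approved.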

Indicators of Compromise

  • [Vulnerability] Exploited zero-day in enterprise software – CVE-2025-61882 (critical RCE in Oracle E-Business Suite)
  • [Threat actors / RaaS operations] Named groups and operators linked to extortion activity – Snakefly (aka Cl0p), ShinyHunters (and other operators such as Akira, Qilin, Safepay, DragonForce)
  • [Tools / Dual-use software] Legitimate/admin utilities observed in attacks – PowerShell, PsExec, and other abused tools like NetScan, Rclone, AnyDesk (and several more dual-use packages)
  • [Affected products / services] Targeted enterprise platforms and cloud services – Oracle E-Business Suite (EBS), Salesforce instances

Read more: https://www.security.com/threat-intelligence/ransomware-extortion-epidemic