Increased Ransomware Activity in 2025, with Akira and Cl0p Leading RaaS Groups
Summary
Ransomware attacks increased by 179% in the first half of 2025 compared to 2024, driven by the ransomware-as-a-service (RaaS) model. Akira and Cl0p are among the most active RaaS groups. The manufacturing and technology sectors remain primary targets, with the United States being the most affected country. The RaaS model has lowered the barrier to entry for threat actors, enabling less skilled individuals to launch attacks. The landscape is evolving with new tactics, including pure extortion without encryption and the use of AI in phishing and other operations.
Timeline
- 28.08.2025 21:49 (1 article)
Ransomware attacks surge by 179% in 2025, Akira and Cl0p lead RaaS groups
The first half of 2025 saw a 179% increase in ransomware attacks compared to the same period in 2024. Akira and Cl0p are among the most active RaaS groups. The manufacturing and technology sectors, along with the United States, are primary targets. New tactics, including pure extortion and AI integration, are emerging in the ransomware landscape.
- Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
Information Snippets
- Ransomware attacks surged by 179% in the first half of 2025 compared to the same period in 2024.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- The RaaS model has significantly contributed to the increase in ransomware attacks by enabling lower-skilled threat actors to launch campaigns.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- Akira and Cl0p are among the top five most active RaaS groups in 2025.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- The manufacturing and technology sectors are primary targets for ransomware attacks.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- The United States is the most targeted country for ransomware attacks in 2025.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- Some ransomware groups are adopting pure extortion tactics without encrypting victim systems.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
- AI is being integrated into ransomware operations, with groups like Funksec using LLMs for phishing and other activities.
  First reported: 28.08.2025 21:49 (1 source, 1 article)
  - Akira, Cl0p Top List of 5 Most Active Ransomware-as-a-Service Groups - www.darkreading.com - 28.08.2025 21:49
Similar Happenings
Chinese State-Sponsored Actors Targeting Global Critical Infrastructure
Chinese state-sponsored Advanced Persistent Threat (APT) actors, specifically the Salt Typhoon group, are conducting a sustained campaign to gain long-term access to critical infrastructure networks worldwide. These actors exploit vulnerabilities in routers and other edge network devices used by telecommunications providers, ISPs, and other infrastructure operators. The campaign targets telecommunications, transportation, lodging, government, and military networks. The actors employ tactics to evade detection and maintain persistent access, posing a significant threat to national and economic security. The campaign has targeted at least 600 organizations across 80 countries, including 200 in the U.S.

The advisory details how state-backed threat actors, including Salt Typhoon, penetrate networks around the world, and provides actionable guidance to help organizations strengthen their defenses and protect critical systems. It tracks this cluster of activity to multiple advanced persistent threats (APTs), though it partially overlaps with Salt Typhoon. The advisory notes that the actors have had considerable success exploiting publicly known vulnerabilities, including Ivanti Connect Secure, Ivanti Policy Secure, Palo Alto Networks PAN-OS, and Cisco IOS XE vulnerabilities. The advisory suspects that the APT actors may target other devices, including Fortinet firewalls, Juniper firewalls, Microsoft Exchange, Nokia routers and switches, Sierra Wireless devices, and SonicWall firewalls.

The actors use multiple tactics to maintain persistence, including modifying Access Control Lists (ACLs), opening standard and non-standard ports, enabling SSH servers, and creating tunnels over protocols. The actors target protocols and infrastructure involved in authentication, such as Terminal Access Controller Access Control System Plus (TACACS+), to facilitate lateral movement across network devices.
The advisory provides extensive recommendations for mitigating these threats, including monitoring network device configuration changes, auditing network services and tunnels, and checking logs for integrity. The advisory highlights a critical shift in Chinese state-sponsored activity from pure espionage to gaining long-term access for potential disruption.

Separately, 45 previously unreported domains associated with Salt Typhoon and UNC4841 have been discovered, dating back to May 2020. The oldest domain identified is onlineeylity[.]com, registered on May 19, 2020. The domains were registered using Proton Mail email addresses and fake personas. The domains point to high-density and low-density IP addresses, with the earliest activity traced back to October 2021. The domains are linked to Chinese cyber espionage campaigns, with potential overlaps between Salt Typhoon and UNC4841.