Key Ransomware Group Activities – January 2025
This report summarizes the key activities of prominent ransomware groups in January 2025, based on available cybersecurity intelligence.
Medusa
Medusa ransomware attacks showed a significant increase in January 2025, with almost twice as many attacks observed compared to the same period in 2024. Symantec’s Threat Hunter team tracked this increased activity, noting that the group, also known as Spearwing, operates as a Ransomware-as-a-Service (RaaS). In January 2025, Medusa targeted a healthcare organization in the U.S., infecting several hundred machines. Overall, Medusa claimed over 40 victims in the first two months of 2025. Their tactics include double extortion (data theft followed by encryption) and ransom demands ranging from $100,000 to $15 million.
Akira
Akira emerged as a significant ransomware threat in January 2025, leading the landscape with 72 reported victims globally. Their activity surged by 60% compared to the previous month. The manufacturing sector was a primary target, but Akira also impacted finance and IT sectors.
Clop
While February 2025 saw Clop claiming a record number of attacks, their activity in January 2025 showed a slight decline of 12% compared to December 2024. However, Clop remained a prevalent threat, being the most active ransomware group based on data published on “shame sites”. Notably, in late January 2025, Clop exploited zero-day vulnerabilities (CVE-2024-50623 and CVE-2024-55956) in Cleo file transfer products (Harmony, VLTrader, and LexiCom), impacting over 4,200 organizations globally. They claimed to have gained complete access to Cleo’s networks and sensitive information and announced they would focus on these new breaches.
LockBit
Although LockBit’s infrastructure was disrupted in February 2024, the group was reportedly teasing a comeback in 2025. In January 2025, a new ransomware group named ‘Mora_001’ with suspected links to LockBit was identified exploiting authentication bypass vulnerabilities (CVE-2024-55591 and CVE-2025-24472) in Fortinet security appliances. The ransomware deployed, named SuperBlack, is based on LockBit 3.0’s leaked builder, indicating a connection between the groups.
Other Ransomware Groups
- Lynx experienced a sharp increase in activity in January 2025, with a surge of 200%.
- RansomHub was observed utilizing Python-based malware in their operations.
- FunkSec, an emerging group first seen in December 2024, was active in January and ranked among the top ransomware groups based on victim postings.
- New ransomware groups MORPHEUS and Gd Lockersec emerged in January 2025.
- KillSec was reported as being responsible for the highest number of ransomware attacks in January 2025 according to one source.
- The Space Bears ransomware group claimed an attack on Atos in early January 2025.
Overall, January 2025 demonstrated a consistent and evolving ransomware threat landscape, with both established and new groups actively targeting various sectors globally. The exploitation of vulnerabilities in widely used software like Cleo and Fortinet highlights the importance of timely patching and robust security measures.