TTPwire Vol. 1 · MITRE ATT&CK·Tagged


Coveware

The organizational structure of ransomware threat actor groups is evolving before our eyes

Bill Siegel · 2025-05-01

ATT&CK techniques detected

24 predictions
T1190 Exploit Public-Facing Application
99%
“Attack vectors in Q1 2025: During the first quarter of 2025, ransomware actors increasingly exploited known CVEs as the initial ingress method of their attacks. Among the most targeted were: CVE-2025-0282: a critical stack-based buffer overflow vulnerability in Ivanti C…”
T1486 Data Encrypted for Impact
98%
“The organizational structure of ransomware threat actor groups is evolving before our eyes. Table of contents: Ransomware evolution; Payment rates; Types of ransomware; Attack vectors; TTPs; Victimology. As we approach the one year anniversary of two prominent ransomware group collapses (Lock…”
T1486 Data Encrypted for Impact
97%
“…ware negotiation infrastructure. Perhaps the most consequential event of the quarter, however, occurred in late February, when a trove of Black Basta Matrix chat logs was abruptly publicized and unceremoniously marked the closure of the infamous group. Black Basta emerged on the …”
T1486 Data Encrypted for Impact
97%
“…ransomware direction had become unpromising, low-converting, and extremely risky.” The state of the union for ransomware in 2025 feels uncertain. While attacks are assuredly still occurring and new groups continue to spin up each month, the well-oiled ransomware machine that…”
T1486 Data Encrypted for Impact
96%
“Given the continued disturbance to all of the above, we expect affiliates have a growing reluctance to attach themselves to a business model whose supply chain is under constant threat of disturbance. These circumstances have driven out many players from the old ransomware market…”
T1657 Financial Theft
94%
“…as of Q1-2025 is dominated by: (1) unaffiliated, lone operator extortionists, (2) a tranche of new-ish ransomware brands that blur the lines between traditional financially motivated cybercrime, espionage and hacktivism, and (3) a few surviving ransomware groups from a…”
T1068 Exploitation for Privilege Escalation
93%
“…own vulnerable driver (BYOVD) techniques to tamper with legitimately signed, but vulnerable drivers to disable protections or escalate privileges. These techniques indicate defense evasion is now a standard prerequisite for successful ransomware execution. Impact [TA0040]: I…”
T1486 Data Encrypted for Impact
93%
“…only name brand groups to hold double digit market share. However, at the time of writing, we are monitoring the abrupt disappearance of RansomHub after their infrastructure disconnected on/around April 2, 2025. While the disruption followed recent reporting linking RansomHub t…”
T1219 Remote Access Tools
93%
“…C2) was seen in 51% of our cases, reinforcing the reliance of threat actors on persistent access infrastructure to orchestrate attacks. Many adversaries are still leveraging legitimate remote monitoring and management (RMM) tools such as AnyDesk, SimpleHelp, and Atera to bett…”
T1486 Data Encrypted for Impact
92%
“…C2) was seen in 51% of our cases, reinforcing the reliance of threat actors on persistent access infrastructure to orchestrate attacks. Many adversaries are still leveraging legitimate remote monitoring and management (RMM) tools such as AnyDesk, SimpleHelp, and Atera to bett…”
T1486 Data Encrypted for Impact
88%
“…rather the impact of the incident that drives costs. Ransom payment rates in Q1 2025: The rate of companies that opted to pay a ransom, either to procure decryption keys or to suppress a threat actor from posting the breached data on their leak site, rose slightly in Q1 2025. We n…”
T1486 Data Encrypted for Impact
82%
“The public sector — including government agencies and educational institutions — represented 12.5% of total ransomware attacks, underscoring the persistent risk to essential public services. Size of organizations impacted by ransomware in Q1 2025: median company size 228, -20% …”
T1486 Data Encrypted for Impact
81%
“…as of Q1-2025 is dominated by: (1) unaffiliated, lone operator extortionists, (2) a tranche of new-ish ransomware brands that blur the lines between traditional financially motivated cybercrime, espionage and hacktivism, and (3) a few surviving ransomware groups from a…”
T1486 Data Encrypted for Impact
77%
“…if we continue to see a trend of state actors from China and North Korea step into the extortion space (which has historically been dominated by Russian-based groups). In just the last six months, researchers have identified links between North Korean state actors and not one…”
T1657 Financial Theft
70%
“…was not affiliated with the real BianLian extortion group, but marked the first ransomware-related phantom extortion of its kind; this event further underscores the rise in phantom scams we’ve been tracking over the last 2 years as the victim landscape has narrowed and optio…”
T1210 Exploitation of Remote Services
66%
“… Lateral movement [TA0008]: Lateral movement was observed in 67% of cases in Q1, confirming it is still a key phase in an attack, as adversaries continue to focus on domain wide impact. Common techniques include the use of internal Remote Desktop Protocol (RDP) to jump fro…”
T1486 Data Encrypted for Impact
62%
“…was not affiliated with the real BianLian extortion group, but marked the first ransomware-related phantom extortion of its kind; this event further underscores the rise in phantom scams we’ve been tracking over the last 2 years as the victim landscape has narrowed and optio…”
T1048 Exfiltration Over Alternative Protocol
55%
“…bilities were frequently leveraged by ransomware groups, who will often employ multiple tactics such as phishing campaigns and exploiting unpatched systems to gain initial access. The Cybersecurity and Infrastructure Security Agency (CISA) has included these CVEs in its Known…”
T1657 Financial Theft
54%
“…only name brand groups to hold double digit market share. However, at the time of writing, we are monitoring the abrupt disappearance of RansomHub after their infrastructure disconnected on/around April 2, 2025. While the disruption followed recent reporting linking RansomHub t…”
T1021.001 Remote Desktop Protocol
42%
“… Lateral movement [TA0008]: Lateral movement was observed in 67% of cases in Q1, confirming it is still a key phase in an attack, as adversaries continue to focus on domain wide impact. Common techniques include the use of internal Remote Desktop Protocol (RDP) to jump fro…”
T1657 Financial Theft
40%
“…rather the impact of the incident that drives costs. Ransom payment rates in Q1 2025: The rate of companies that opted to pay a ransom, either to procure decryption keys or to suppress a threat actor from posting the breached data on their leak site, rose slightly in Q1 2025. We n…”
T1486 Data Encrypted for Impact
40%
“…own vulnerable driver (BYOVD) techniques to tamper with legitimately signed, but vulnerable drivers to disable protections or escalate privileges. These techniques indicate defense evasion is now a standard prerequisite for successful ransomware execution. Impact [TA0040]: I…”
T1486 Data Encrypted for Impact
35%
“…these conditions are beset with so many other challenges, it’s not clear that such conditions would actually enable them to prosper. Average and median ransom payment in Q1 2025: average ransom payment $552,777, -0.2% from Q4 2024; median ransom payment $200,000, +80% from…”
T1585.002 Email Accounts
34%
“…only name brand groups to hold double digit market share. However, at the time of writing, we are monitoring the abrupt disappearance of RansomHub after their infrastructure disconnected on/around April 2, 2025. While the disruption followed recent reporting linking RansomHub t…”

Summary

The Ransomware-as-a-Service (RaaS) model has not recovered from law enforcement disruption, and the entrance of novice actors along with non-Russian state-linked cybercriminals has led to uncertain outcomes for victims.