Last year saw some big developments in the world of cyber threat actors, especially the underground ransomware economy. In February 2024, several countries participated in an international law enforcement operation against LockBit, one of the most prolific ransomware gangs in the world, seizing their infrastructure, stolen cryptocurrency, and even exposing their affiliates, as reported by Trend Micro. BlackCat, another major Ransomware-as-a-Service (RaaS) group and descendant of the infamous DarkSide gang, disappeared in what was likely an exit scam after collecting a $22 million ransom, The Hacker News reports. The absence of these two groups left something of a power vacuum in the RaaS economy, leading to new groups emerging to fill the space left by LockBit and BlackCat. In addition to ransomware attacks, there were several major attacks by state-sponsored actors targeting western countries, as well as hacktivist groups aligned with nation-states arising in the midst of international conflicts.
Here is a (very) non-exhaustive list of some of the groups we may see play a dominant role in the threat landscape in 2025:
Ransomware-as-a-Service
Ransomware-as-a-Service (RaaS) groups provide access to their ransomware in exchange for payment, often in the form of a percentage of the ransom. Modern cyber attacks almost always involve multiple steps, with the deployment of ransomware coming after initial access. The use of RaaS allows other threat actors to focus on developing skills like phishing and exploiting vulnerabilities to gain initial access, while RaaS groups focus their time and resources on developing powerful ransomware, similar to the way legitimate businesses utilize third party services like cloud services to fulfill certain business needs. This is a dangerous symbiotic relationship that will certainly continue to be a major threat in 2025.
RansomHub
First seen in February 2024, RansomHub has rapidly made a name for itself, becoming a dominant player in the RaaS market. RansomHub employs double extortion: they exfiltrate a target’s data, and then encrypt the data on the target machine. Victims must face not only the business interruption from losing access to their data, but also the publication of the exfiltrated data if they do not pay the ransom.
While they claim to be made up of hackers from around the world, according to SOCRadar, RansomHub avoids targeting members of the Commonwealth of Independent States, a loose alliance of former Soviet nations. This may indicate RansomHub is of Russian origin, as hacking groups based in Russia usually avoid targeting CIS nations to avoid attracting attention from Russian authorities. SOCRadar also reported that RansomHub has been known to recruit affiliates on Russian darkweb forums.
CISA released an advisory on RansomHub, which contains a great deal of information such as IOCs and recommended mitigations.
Lynx
Another RaaS group similar to RansomHub, Lynx emerged in 2024 utilizing ransomware apparently based on the INC ransomware strain.
According to Fortinet, Lynx ransomware primarily targets Windows systems. The Lynx ransomware is easily identified on the victim machine. As it encrypts files, it renames them with a .lynx file extension, and displays a ransom note on the desktop background. It will even print the ransom note if there are connected printers. Similar to RansomHub, Lynx employs double extortion, demanding that the victim pay the ransom both to get their data back and to prevent it from being published online.
Lynx first appeared in mid-2024, and has since stolen and leaked data from at least 96 organizations, according to their public leak site.
Qilin
Another major ransomware gang is Qilin, a likely Russia-based group. Darktrace has a fantastic report on the Qilin group. According to their reporting, Qilin ransomware has been used in several major ransomware attacks, including an attack on the British National Health Service.
Although Qilin has been around since 2022, they were highly active in 2024, and continue to be so far this year. SecurityWeek reported on a ransomware attack on the American media company Lee Enterprises in February 2025. In this attack, Qilin ransomware was used to encrypt systems and exfiltrate data. And just this month, SC Media reported Qilin ransomware was used in an attack on a Japanese cancer treatment center, in which attackers encrypted the center's systems and exfiltrated 135 GB of data, including patient medical records and employee information.
FunkSec
Little is known about FunkSec’s origins. The group is very new, launching its data leak site in December of 2024. However, Check Point Research reports that it was the most prolific ransomware group that month, targeting at least 85 victims according to FunkSec’s leak site.
FunkSec ransomware is written in the Rust programming language, apparently by a relatively inexperienced developer based in Algeria. BleepingComputer reports that the group appears to be using generative AI to fill this skill gap and assist in developing the malware.
FunkSec will likely be an ongoing threat this year, but it also may mark the beginning of a new trend. With generative AI and Large Language Models making coding easier and faster, we may see more malware being produced by newer, less experienced threat actors.
State Sponsored Groups
Espionage has long been a tool used by nations both in war and peace, but the internet brings spying (and sabotage) capabilities to another level. Advanced Persistent Threat (APT) groups are powerful threat actors that are funded by, and work on behalf of, a nation-state. Hostile nations such as Russia, China, North Korea, and Iran often employ hacking groups to target enemy nations for the purpose of espionage, disrupting their enemies' infrastructure, stealing intellectual property, or simply spreading fear. The advantage state-funded groups have over financially motivated groups is that they have unlimited funding and resources to achieve their goal, so they can continue attacking a target until they are successful. The threats posed by these groups are highly intertwined with geopolitical situations, and as global tensions rise over the War in Ukraine, the Israel-Hamas conflict, and trade disputes with China, the threat of APTs will likely continue to rise.
Salt Typhoon
China has been particularly aggressive in cyberspace. CrowdStrike reports that a 150% increase in cyber espionage was mostly the result of Chinese operations. One of the most active APT groups in 2024 was Salt Typhoon, a group sponsored by the Chinese government.
Unlike most other threat actors, Salt Typhoon does not appear to be financially motivated. Trend Micro reports that Salt Typhoon's activities (Trend Micro tracks the group as Earth Estries) appear focused on gathering information and gaining a foothold in government, military, and telecommunications networks around the world.
Salt Typhoon's compromise of telecom companies was one of the biggest cybersecurity stories of 2024. As reported by The Register, Salt Typhoon's attacks are not only quite advanced, they are ongoing. As recently as January 2025, Salt Typhoon was utilizing vulnerabilities in internet-facing Cisco devices such as routers and firewalls. Patches for the vulnerabilities were released in 2023, but devices on some networks remained unpatched, and were exploited.
Salt Typhoon is very high on the list of threats to the national security of the US and its allies. Its targeting of US telecommunications networks put it in the position to intercept the communications of millions of Americans, possibly even sensitive government communications. It will likely remain so in 2025.
Fancy Bear
Fancy Bear is a Russian APT group known for launching sophisticated attacks against critical infrastructure. CrowdStrike has been tracking this group for years. As they discuss on their site, Fancy Bear is likely associated with Russian military intelligence agencies, and their targets often align with enemies of the Russian government, particularly military, government, and energy sectors in Western nations.
Fancy Bear has been in the headlines many times. CrowdStrike reports that they compromised the Democratic National Committee in 2016. They were most recently in the headlines for a complex, novel Wi-Fi attack. Dark Reading discussed the attack, in which hackers at Fancy Bear compromised a business's wireless network from the other side of the world by compromising a neighboring business's laptop and using that device to access the victim's Wi-Fi network.
Fancy Bear’s attacks have shown it to be an advanced and determined attacker, and with tensions between the west and Russia at near Cold War levels, we can expect to see more activity from Russian threat actor groups.
Lazarus
North Korea is another nation with advanced cyber capabilities, and they have been launching attacks on western nations for some time. One of the most prominent North Korean threat groups is Lazarus.
Lazarus has been around for a long time. Trend Micro discussed the history of the Lazarus Group's (known) operations. According to Trend Micro, Lazarus was responsible for the infamous 2014 hack of Sony Pictures in retaliation for a film lampooning North Korea's leader Kim Jong-Un, as well as several other major attacks.
NCC Group reports that Lazarus, unlike most other state-funded APT groups, is financially motivated. Part of their agenda appears to be to bring in foreign cash for the North Korean economy. Their advanced capabilities and financial motivations have resulted in massive, sophisticated thefts and ransomware attacks. Most recently, Lazarus perpetrated the largest crypto theft in history, stealing $1.5 billion in cryptocurrency in February 2025, The Hacker News reports. The Lazarus group has also committed several other cryptocurrency thefts in recent years.
The Lazarus group is an advanced threat group working on behalf of a hostile nation-state. North Korea will in all likelihood continue to launch cyberattacks to undermine western cyber defenses and to bring in money for the cash-strapped regime.
State-Aligned Hacktivism
Hacktivism is hardly new. For almost as long as the web has existed, hackers with political or ideological motives have defaced websites and leaked data of their targets. Anonymous is probably the biggest, most well known hacktivist group, having targeted corporations, governments, and even terrorist groups around the world. However, what is new is a surge in hacktivist groups aligned with specific nation-states. These are groups that, while they may not be directly supported by any government, sympathise with that government and focus their efforts on targeting its enemies. Writing for The Hacker News, Diana Selck-Paulsson discussed the rise of state-aligned hacktivism since Russia's invasion of Ukraine in 2022. Geopolitical tensions in other areas of the world, especially the Middle East, have created more incentive for these state-aligned groups, considering how ideologically and religiously sensitive many of these conflicts are. These hacktivist groups often use simpler attacks like DDoS and website defacement to disrupt their targets, but sometimes utilize ransomware to cause more damage.
NoName057
This pro-Russian hacktivist group emerged in 2022 shortly after Russia launched its invasion of Ukraine. According to CyberAngel, this group focuses on simple, yet effective attacks such as DDoS attacks, usually targeting Ukrainian infrastructure or the infrastructure of nations providing support to Ukraine. In their manifesto, they express their opposition to western nations, claiming that the west is engaged in an "information war" against Russia, and target nations viewed as hostile to Russia. In October 2024, NoName057 was one group that took credit for DDoS attacks against the ruling Japanese political party, claiming it was in response to joint Japanese-American military drills near Russia's border, The Record reports. In January 2025, this group launched DDoS attacks against Italian military, government, and banking targets in response to the Italian government's continued support of Ukraine, SC Media reports.
CyberVolk
CyberVolk is a hacktivist group with pro-Russia leanings which uses DDoS and its own ransomware variant against its targets, according to SentinelOne. Originating in India in 2024, this group's ransomware appears to be based on malware developed by AzzaSec, another pro-Russian hacktivist group. Using leaked AzzaSec ransomware code, CyberVolk has also launched its own RaaS operation, as well as developing a Python-based infostealer, SentinelOne found.
Numerous Pro-Palestinian, Pro-Russian, and Anti-Western hacktivist groups
Since the war in Ukraine and the October 7 terror attacks in Israel, a number of hacktivist groups expressing sympathies for Palestine and Hamas and opposition to Israel, and groups supporting Russia and opposing Ukraine and NATO, have arisen. Many, like the ones listed above, are well known, but many more are not. According to The Cyber Express, shortly after the attacks on October 7, 35 pro-Hamas hacktivist groups launched cyberattacks against Israeli targets. In this tense geopolitical environment, it's safe to say that ideological, state-aligned hacktivism will continue to be a threat.
Defending Against these Groups
Again, this is far from an exhaustive list. The threat actor ecosystem is broad, diverse, and of course evolving. There are many more groups with a wide range of goals, motivations, and capabilities.
Any organization can be targeted by these groups. Large enterprises, especially in critical industries like healthcare, energy, and transportation, are at particular risk. Attackers target critical industries with ransomware in the hopes that the importance of their systems and data makes them more likely to pay the ransom. Energy, transportation, communications, and government entities are also at higher risk from state-sponsored groups seeking to disrupt enemy nations' infrastructure. Disruptions in these sectors can have disastrous results, and as such they are bigger targets, and must have a more vigilant security posture.
Tracking threat actor Tactics, Techniques, and Procedures (TTPs)
Threat actors are continuously evolving their capabilities and tactics to evade defensive measures. It is essential that organizations utilize threat intelligence to track threat actor TTPs. Keeping track of the methods used by threat actor groups is vital for defending against them. For example, Salt Typhoon is known for exploiting vulnerabilities in networking equipment like firewalls and routers. Given this knowledge, organizations concerned about Chinese espionage through Salt Typhoon should implement rigorous patch management policies to keep that equipment secure.
Implement basic defenses
Defending against new and evolving ransomware is difficult. Traditional antivirus software is not always enough to stop them. Given this, the best defense against ransomware is to keep frequent, secured, offsite backups of essential data, so that if access to it is lost due to ransomware, the organization can continue to function.
Some general defense measures that help prevent, or at least mitigate, a wide variety of attacks:
- Implement network security monitoring using tools like Endpoint Detection and Response (EDR), Security Information and Event Management (SIEM), and log management software to watch for any anomalous behavior that can indicate an attack.
- Keep backups of important data.
- Require strong authentication (strong passwords, multi-factor authentication, etc.).
- Train users to catch and avoid phishing attempts.
- Keep systems patched and up to date.
- Implement proper network segmentation. This makes it more difficult for threat actors to move throughout the network to find more targets.
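As an added example tying the monitoring bullet above to the Lynx behaviour described earlier (this is not code from the original post or from any vendor report), here is a small SIEM-style rule in Python that scans file-activity log lines for a burst of renames to the .lynx extension that Lynx appends to encrypted files. The log format, host names and process names are constructed for the example; the threshold values are assumptions to tune per environment.

```python
"""Toy SIEM-style rule: alert on a burst of file renames to the .lynx extension.

The article notes Lynx renames encrypted files with a .lynx extension, which is a
simple, high-confidence signal to watch for in EDR or file-audit telemetry.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

SUSPECT_EXTENSIONS = (".lynx",)        # from the article; extend with other families as needed
BURST_COUNT = 5                        # this many suspect renames (assumed threshold) ...
BURST_WINDOW = timedelta(seconds=30)   # ... within this window, per host/process, raises an alert

# Constructed sample telemetry in a hypothetical "<ts> <host> <process> RENAME <old> -> <new>" format.
SAMPLE_LOG = """\
2025-03-10T09:00:01Z ws-17 explorer.exe RENAME C:/Users/a/report.docx -> C:/Users/a/report_final.docx
2025-03-10T09:00:05Z ws-17 updater.exe RENAME C:/Users/a/q1.xlsx -> C:/Users/a/q1.xlsx.lynx
2025-03-10T09:00:06Z ws-17 updater.exe RENAME C:/Users/a/q2.xlsx -> C:/Users/a/q2.xlsx.lynx
2025-03-10T09:00:06Z ws-17 updater.exe RENAME C:/Users/a/notes.txt -> C:/Users/a/notes.txt.lynx
2025-03-10T09:00:07Z ws-17 updater.exe RENAME C:/Users/a/plan.pdf -> C:/Users/a/plan.pdf.lynx
2025-03-10T09:00:08Z ws-17 updater.exe RENAME C:/Users/a/budget.xlsx -> C:/Users/a/budget.xlsx.lynx
2025-03-10T09:00:09Z ws-17 updater.exe RENAME C:/Users/a/memo.docx -> C:/Users/a/memo.docx.lynx
2025-03-10T09:30:00Z ws-22 explorer.exe RENAME C:/Users/b/old.lynx -> C:/Users/b/sample.lynx
"""


def parse_line(line):
    """Split one rename record into (ts, host, process, old, new); None for anything else."""
    parts = line.split(" ", 4)
    if len(parts) != 5 or parts[1 + 2] != "RENAME" or " -> " not in parts[4]:
        return None
    ts, host, proc, _, rest = parts
    old, new = rest.split(" -> ", 1)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, host, proc, old, new


def detect_bursts(log_text):
    """Return one alert per (host, process) whose suspect renames cross the burst threshold."""
    recent = defaultdict(deque)   # (host, process) -> timestamps of recent suspect renames
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, host, proc, old, new = rec
        # Only a rename that newly adds the extension counts; old.lynx -> new.lynx is not encryption.
        if not new.lower().endswith(SUSPECT_EXTENSIONS) or old.lower().endswith(SUSPECT_EXTENSIONS):
            continue
        window = recent[(host, proc)]
        window.append(ts)
        while ts - window[0] > BURST_WINDOW:   # drop events that fell out of the sliding window
            window.popleft()
        if len(window) == BURST_COUNT:         # fire once, when the threshold is first crossed
            alerts.append({"host": host, "process": proc,
                           "first_seen": window[0].isoformat(), "count": BURST_COUNT})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

In a real deployment the same logic would run as a SIEM correlation rule over EDR file events, with the alert feeding an automated response such as isolating the host.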