State-backed groups wage ransomware attacks with AI-laced new tactics: Palo Alto Networks Unit 42
Digital Edge Bureau, 29 May 2025
US-headquartered Palo Alto Networks, one of the world's leading providers of AI-enabled, cloud-conscious network security and networking solutions, has released the ‘Unit 42 Extortion and Ransomware Trends January-March 2025’ report, which reveals that threat actors are evolving their tactics – collaborating with state-backed groups and using extortion scams to extract payments. Palo Alto Networks Unit 42 is a special-purpose group within Palo Alto Networks that collects and analyses threat data so that threats are detected, and responded to, on time.
The report points out a surge in aggressive strategies, heightened collaboration among threat actors and sophisticated scams aimed at extracting higher payouts. With India and the broader Asia-Pacific and Japan (JAPAC) region facing an increasing volume of attacks, the findings underscore an urgent need for organisations to adopt proactive, intelligence-driven cybersecurity measures.
“We’re seeing a clear shift in how ransomware and extortion actors operate globally and across the Asia-Pacific & Japan region. Attackers are shifting from traditional encryption tactics to more aggressive and manipulative methods including false claims, insider access, and tools that disable security controls,” says Philippa Cogswell, Vice President & Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks.
“These new and evolving tactics show just how critical it is for organisations to move beyond reactive defences and invest in security strategies that provide full visibility and rapid response across their environments,” adds Cogswell.
In India, ransomware and malware remain severe threats, with nearly one million ransomware detections reported in the past year alone. The report also highlights that there is one ransomware incident per 595 detections and one malware incident per more than 40,000 detections. The ransomware landscape has undergone a significant transformation over the past two years, with threat actors adopting sophisticated and strategic tactics to target organisations of all sizes, from startups to large-scale enterprises. According to the Ransomware Retrospective 2024, ransomware attacks remain a major concern for the Indian manufacturing sector, which has been a persistent target in recent years.
Huzefa Motiwala, Senior Director, Technical Solutions, India & SAARC, Palo Alto Networks, says, “In a rapidly transforming country like India, organisations are navigating a complex mix of modern and legacy changes. As mentioned above, the manufacturing sector, in particular, has been a persistent target for ransomware attacks over the past couple of years.”
“The rapid adoption of AI has empowered organisations and threat actors alike. This highlights the urgent need for organisations to bolster their cybersecurity framework and incorporate comprehensive security measures to fortify their defences against complex ransomware campaigns,” adds Motiwala.
Organisations across the Asia-Pacific and Japan (JAPAC) region are putting their security posture first, and many are now detecting intrusions early in the attack lifecycle, before attackers can execute their objectives. This has led to an increase in incident response cases that are contained at the network access stage.
However, despite this progress, ransomware and extortion campaigns continue to succeed at significant rates. Unit 42 researchers found that, in response, threat actors are intensifying their tactics, using more aggressive methods to pressure victims and secure higher, more consistent payouts. Organisations must therefore stay aware of ransomware trends and employ a defence-in-depth strategy to remain prepared for ransomware attacks.
Key findings:
Attackers are lying to get paid: Unit 42 observed a growing number of cases of extortion scams using fake data and even physical ransom notes sent to executives’ homes. Manufacturing remains the top ransomware target, continuing a trend that has persisted for several years. The second most impacted industry is wholesale & retail, followed by professional & legal services.
Ransomware activity by headquarters location: The most targeted countries are the United States, Canada, the UK and Germany.
Cloud and endpoint security are under siege: Attackers are increasingly using ‘EDR killers’ to disable endpoint security sensors and targeting cloud systems more aggressively than ever before.
AI-generated insider threat extortion on the rise: North Korean operatives using AI-generated identities to pose as remote IT workers have extorted companies by stealing proprietary code and threatening public leaks.
RansomHub emerges as top ransomware variant: RansomHub became the most prolific ransomware observed during the reporting period. This marks a sharp rise from mid-2024, when it was first identified as an emerging threat to watch.
Qaisar
