Ransomware Trends: Top Tactics, Active Gangs, and How to Stop Attacks Instantly

Published June 30, 2025

The average cost of a ransomware attack hit $4.91 million last year, with ransomware-associated costs expected to reach $57 billion globally in 2025. But rising costs aren’t the only troubling ransomware trend – from opportunistic phishing campaigns to calculated data extortion operations, today’s attacks unfold faster and do more damage than ever. Meanwhile, ransomware gangs are outpacing traditional security solutions, leaving defenders stuck playing a constant game of catch-up.

To help security teams stay insulated against a booming ransomware economy, we’ll explore five key trends shaping today’s threat landscape and unpack what they tell us about next-gen ransomware protection.

1. Active Ransomware Groups Are Multiplying 

In the first quarter of 2025 alone, ransomware groups targeted 2,028 known victims – a 100%+ increase over the same period in 2024. The rise isn’t driven by a single gang but by dozens of competing crews. There are currently 65 active ransomware groups operating, up from 47 a year ago (a 38% increase).  

How Do Ransomware Gangs Operate?  

Ransomware gangs typically operate through a division-of-labor model. Their campaigns may begin with purchased access via compromised credentials from initial access brokers, or by exploiting vulnerabilities in exposed systems. Once inside the network, attackers move laterally, escalate privileges, and map high-value targets. 

Ransomware groups operate under a hierarchical structure with roles like developers, operators, affiliates, and negotiators. This operational structure allows gangs to launch widespread, coordinated attacks that are stealthy, persistent, and ruthlessly effective across unsegmented and flat networks.  

Top Ransomware Gangs 

Today’s most active ransomware gangs are Cl0p, Akira, and RansomHub, which collectively claimed 770 victims in the first three months of this year alone.  

  • Cl0p: Best known for exploiting the MOVEit Transfer vulnerability, Cl0p focuses on large-scale data theft and extortion. Their tactics are precise: exploit, exfiltrate, then publicly shame. 
  • Akira: This gang favors stealth. Often using valid credentials and remote tools to bypass defenses, Akira typically moves laterally undetected in enterprise networks before deploying ransomware. 
  • RansomHub: A relative newcomer, RansomHub has claimed hundreds of victims since early 2024; this gang is particularly notable for its aggressive use of leak sites to pressure non-paying targets. 

What to Do About It 

While cyber adversaries are multiplying, security teams are stretched thin. To stay secure against the current onslaught of ransomware gangs, you’ll need:  

2. Ransomware Attackers Outsmarting Endpoint Defenses 

Sophisticated attackers have an easy time blinding – or even disabling – traditional defenses like EDR. Supply chain attacks are one clear case of this: using this tactic, cybercriminals can easily spread ransomware since most security tools won’t detect the threat lurking within the legitimate software.  

The recently trojanized RVTools software which distributed Bumblebee malware is just one example of a supply chain attack skirting defenses, but it’s far from an isolated incident – these threats have surged by more than 400% since 2021.  

Ransomware attackers are also increasingly leveraging tools known as “EDR killers” to sidestep defenses. While not always effective, these tools are just one more way attackers can evade traditional security solutions; even when endpoint defenses aren’t blinded or disabled, they can still be circumvented.  

For example, insecure remote OT/IoT assets leave openings for ransomware gangs to exploit, even when EDR effectively secures other parts of the network.  

Real-World Example: Akira Ransomware Attack  

In this recent ransomware attack example from one of today’s most active ransomware gangs, we see how easily attackers bypass solutions like EDR.   

The Akira ransomware gang initially exploited exposed remote access solutions to gain network access. Although the defenders’ EDR solution blocked the attack at first, Akira then pivoted, identifying an unsecured webcam as an opportunity to bypass EDR systems.

What to Do About It  

In an era where ransomware gangs have learned to evade EDR tools, it’s time to shift away from reactive defenses and embrace a proactive security posture, achieved through:  

  • Least privilege access rules implemented across the network to ensure traffic is limited to what’s operationally necessary by default.  
  • Microsegmentation to securely and proactively isolate every asset before cyber adversaries gain initial network access.  
  • Just-in-time MFA applied to every privileged port and protocol, making it far more difficult for attackers to gain access in the first place – and far harder to escalate privileges if they do.  

3. Faster, Stealthier Ransomware Attacks: from Compromise to Data Exfiltration in Hours  

The mean time to identify a ransomware attack is 211 days – from there, it takes another 73 days to contain, on average. In nearly 50% of ransomware attacks, the adversaries themselves alert organizations to their intrusion rather than waiting to be discovered. Meanwhile, one in five ransomware attacks now achieves data exfiltration within the first hour of compromise.  

In other words, defenders don’t have months to detect and respond to ransomware attacks – they don’t even have days. Worse still, attackers aren’t just executing ransomware attacks faster than ever before, they’re also blending in with network traffic more effectively. 

Utilities, Remote Access, and Admin Tools Create Vulnerabilities  

Lateral movement is key to any successful ransomware attack; one of attackers’ favorite tactics for moving East-West while avoiding detection is living-off-the-land.  

Utilities, tunnelers, and remote control and administration tools are observed in 57% of ransomware attacks. That means legitimate, everyday tools like PsExec, SSH, RDP, and WinRM are shielding attackers from view.  
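Because the tools in this list are legitimate, blocking them outright is rarely an option; what defenders can do is watch for the traces they leave. The following added example (not code from the original post or from any vendor) runs a few such checks over a constructed set of Windows event records: a PsExec service install (System event 7045, service name PSEXESVC), a remote shell spawned under the WinRM host process wsmprovhost.exe (Sysmon event 1), an RDP logon (Security 4624, logon type 10) from a host that is not a sanctioned jump host, and one account fanning out over network logons (4624, logon type 3) to several hosts in a short window. The event schema, the host names, the IP addresses and the jump-host allowlist are all assumptions made for the example.

```python
"""Flag living-off-the-land lateral movement (PsExec, WinRM, RDP) in Windows event samples.

Added example; the events below are constructed, not real telemetry. Field names
(host, channel, id, logon_type, ...) mirror common Windows Security/System/Sysmon
fields but form an assumed, simplified schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one service account fanning out over SMB/PsExec, a WinRM shell,
# then an RDP hop from the same source, plus one benign admin RDP from a jump host.
SAMPLE_EVENTS = [
    {"ts": "2025-06-01T02:10:05", "host": "FS01", "channel": "Security", "id": 4624,
     "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-06-01T02:10:09", "host": "FS01", "channel": "System", "id": 7045,
     "service": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2025-06-01T02:11:40", "host": "DB02", "channel": "Security", "id": 4624,
     "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-06-01T02:12:02", "host": "APP03", "channel": "Security", "id": 4624,
     "account": "CORP\\svc-backup", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2025-06-01T02:12:30", "host": "APP03", "channel": "Sysmon", "id": 1,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wsmprovhost.exe",
     "command_line": "cmd.exe /c whoami"},
    {"ts": "2025-06-01T02:13:15", "host": "HR05", "channel": "Security", "id": 4624,
     "account": "CORP\\svc-backup", "logon_type": 10, "src_ip": "10.0.5.23"},
    {"ts": "2025-06-01T09:00:00", "host": "FS01", "channel": "Security", "id": 4624,
     "account": "CORP\\jdoe", "logon_type": 10, "src_ip": "10.0.9.10"},
]

# Constructed allowlist: the only hosts that should ever originate RDP sessions.
JUMP_HOSTS = {"10.0.9.10"}

# Executable names of remote admin tools that should only run from sanctioned hosts.
REMOTE_ADMIN_IMAGES = {"psexec.exe", "psexec64.exe", "paexec.exe", "winrs.exe"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def detect_tool_artifacts(events):
    """PsExec leaves a PSEXESVC service install (System 7045); WinRM remote shells are
    children of wsmprovhost.exe (Sysmon 1). Both are loud if anyone looks."""
    findings = []
    for e in events:
        if e["channel"] == "System" and e["id"] == 7045 and \
                e.get("service", "").upper().startswith("PSEXESVC"):
            findings.append(("psexec_service_install", e["host"], e["image_path"]))
        elif e["channel"] == "Sysmon" and e["id"] == 1:
            image = e["image"].rsplit("\\", 1)[-1].lower()
            parent = e.get("parent_image", "").rsplit("\\", 1)[-1].lower()
            if parent == "wsmprovhost.exe":
                findings.append(("winrm_remote_shell", e["host"], e["command_line"]))
            elif image in REMOTE_ADMIN_IMAGES:
                findings.append(("remote_admin_tool_exec", e["host"], e["image"]))
    return findings


def detect_rdp_from_unexpected_source(events, jump_hosts=JUMP_HOSTS):
    """Logon type 10 (RemoteInteractive, i.e. RDP) from anything but a jump host."""
    return [("rdp_from_non_jump_host", e["host"], f'{e["account"]} from {e["src_ip"]}')
            for e in events
            if e["channel"] == "Security" and e["id"] == 4624
            and e["logon_type"] == 10 and e["src_ip"] not in jump_hosts]


def detect_logon_fanout(events, window=timedelta(minutes=10), threshold=3):
    """One account from one source reaching `threshold` distinct hosts over network
    logons (type 3: SMB/PsExec/WinRM style) inside `window`."""
    by_actor = defaultdict(list)
    for e in events:
        if e["channel"] == "Security" and e["id"] == 4624 and e["logon_type"] == 3:
            by_actor[(e["account"], e["src_ip"])].append((_ts(e), e["host"]))
    findings = []
    for (account, src_ip), logons in by_actor.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= threshold:
                findings.append(("network_logon_fanout", src_ip,
                                 f"{account} -> {sorted(hosts)} within {window}"))
                break  # one finding per actor is enough
    return findings


def run_detections(events=SAMPLE_EVENTS):
    """All rules over one event set; returns (rule, where, detail) tuples."""
    return (detect_tool_artifacts(events)
            + detect_rdp_from_unexpected_source(events)
            + detect_logon_fanout(events))


if __name__ == "__main__":
    for rule, where, detail in run_detections():
        print(f"[{rule}] {where}: {detail}")
```

On the constructed sample the four rules produce four findings, all pointing at the same source address and service account; the benign RDP session from the jump host is left alone. The fan-out rule is the one worth tuning: backup and monitoring accounts legitimately touch many hosts, so in practice the allowlist and threshold are set per account rather than globally.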

What to Do About It 

Don’t wait for disaster to strike by over-relying on detection – avert it entirely and ensure hackers have nowhere to hide. Block ransomware attacks instantly and make living-off-the-land a thing of the past by:  

  • Closing all privileged ports by default and ensuring they only open dynamically and temporarily for verified users by applying network-layer MFA.  
  • Enforcing just-in-time MFA for any remote connection to eliminate VPN vulnerabilities and ensure consistent policy enforcement across environments.  
  • Implementing identity-aware microsegmentation to cut off attackers’ hidden pathways. 
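The three bullets above, like the least-privilege, microsegmentation and just-in-time MFA recommendations in the previous section, describe one policy model: every flow is denied unless an explicit least-privilege rule allows it, and privileged ports stay closed until an identity passes MFA, after which they open only for that identity, only to that asset, and only for a bounded time. The following added example (a small in-memory policy engine written for this article, not Zero Networks' product or any real firewall API) makes that model concrete. The asset names, identities, ports, baseline rules and TTL are all constructed.

```python
"""Model of default-deny microsegmentation with just-in-time, MFA-gated privileged ports.

Added example: an in-memory policy engine, not Zero Networks' product or any real
firewall API. Asset names, identities and the baseline rules are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Ports treated as privileged: closed by default, opened only per identity, per
# destination, for a bounded time, and only after MFA succeeds.
PRIVILEGED_PORTS = {22: "SSH", 445: "SMB", 3389: "RDP", 5985: "WinRM", 5986: "WinRM/TLS"}


@dataclass(frozen=True)
class Grant:
    identity: str
    dst: str
    port: int
    expires_at: datetime


@dataclass
class SegmentationPolicy:
    # Least-privilege baseline: explicit (src, dst, port) flows that are operationally
    # necessary. Anything not listed is dropped, even between hosts in one subnet.
    baseline: set = field(default_factory=set)
    grants: list = field(default_factory=list)

    def request_privileged_access(self, identity, dst, port, mfa_passed, now,
                                  ttl=timedelta(minutes=30)):
        """Open a privileged port for one identity to one asset, only after MFA."""
        if port not in PRIVILEGED_PORTS:
            raise ValueError(f"port {port} is not managed as privileged")
        if not mfa_passed:
            return None  # a valid password alone (e.g. a stolen credential) opens nothing
        grant = Grant(identity, dst, port, now + ttl)
        self.grants.append(grant)
        return grant

    def _prune(self, now):
        """Expired grants close the port again without anyone having to act."""
        self.grants = [g for g in self.grants if g.expires_at > now]

    def evaluate(self, src, identity, dst, port, now):
        """Return (allowed, reason) for a single connection attempt."""
        self._prune(now)
        if port in PRIVILEGED_PORTS:
            for g in self.grants:
                if (g.identity, g.dst, g.port) == (identity, dst, port):
                    return True, f"JIT grant for {identity} until {g.expires_at.isoformat()}"
            return False, f"{PRIVILEGED_PORTS[port]} closed by default; no active grant"
        if (src, dst, port) in self.baseline:
            return True, "baseline least-privilege rule"
        return False, "no rule: microsegmentation default-deny"


def build_demo_policy():
    """Constructed three-tier app: web talks to app on 8443, app talks to db on 5432."""
    return SegmentationPolicy(baseline={
        ("web01", "app01", 8443),
        ("app01", "db01", 5432),
    })


def simulate_spread(policy, compromised_src, assets, now):
    """What an SMB-based spread from one compromised host would get: a map of
    asset -> allowed, which should be all False under default-deny."""
    return {a: policy.evaluate(compromised_src, "CORP\\svc-web", a, 445, now)[0]
            for a in assets if a != compromised_src}


def run_demo():
    """Walk through the containment story; returns the decisions for inspection."""
    t0 = datetime(2025, 6, 1, 3, 0, 0)
    p = build_demo_policy()
    assets = ["web01", "app01", "db01", "hr01"]
    out = {}
    out["baseline_web_to_app"] = p.evaluate("web01", "CORP\\svc-web", "app01", 8443, t0)[0]
    out["web_to_db_direct"] = p.evaluate("web01", "CORP\\svc-web", "db01", 5432, t0)[0]
    out["smb_spread"] = simulate_spread(p, "web01", assets, t0)
    out["no_mfa_grant"] = p.request_privileged_access("CORP\\admin", "db01", 3389, False, t0)
    p.request_privileged_access("CORP\\admin", "db01", 3389, True, t0)
    later, expired = t0 + timedelta(minutes=5), t0 + timedelta(minutes=31)
    out["rdp_after_mfa"] = p.evaluate("jump01", "CORP\\admin", "db01", 3389, later)[0]
    out["rdp_other_host"] = p.evaluate("jump01", "CORP\\admin", "hr01", 3389, later)[0]
    out["rdp_after_ttl"] = p.evaluate("jump01", "CORP\\admin", "db01", 3389, expired)[0]
    return out


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name}: {decision}")
```

Two decisions carry the argument: the simulated SMB spread from the compromised web host is denied to every other asset because no baseline rule covers it, and the administrator's grant after MFA is scoped to one destination and lapses on its own, so the same credential gets nothing on the HR host and nothing on the database once the TTL passes. A real deployment pushes these decisions into host firewalls or network enforcement points; the evaluation logic is the same.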

4. The Ransomware-as-a-Service (RaaS) Business Is Booming  

In a malicious twist on startup culture, RaaS operators maintain ransomware code, infrastructure, and leak portals, then let affiliates do the dirty work. In return, the RaaS developer collects a portion of the profits while the affiliate keeps the lion’s share. This division of labor significantly lowers the barrier to entry.   

As automation and AI help cyber adversaries execute faster ransomware attacks, RaaS is just one more way ransomware gangs are streamlining operations.   

Real-World Example: Medusa Ransomware Gang Phishing Campaign

The RaaS Medusa variant has been operating since 2021, claiming over 300 victims across critical infrastructure sectors; last year, CISA, the FBI, and MS-ISAC released a joint advisory highlighting the ongoing, widespread phishing campaign. As a textbook RaaS operation, this campaign is notable for both its scope and its structure.  

The campaign has targeted a broad range of organizations, with affiliates customizing their techniques based on sector-specific weaknesses. This campaign showcases how RaaS lowers the barrier for threat actors while increasing operational scale, allowing Medusa to run a decentralized but tightly controlled extortion enterprise.  

What to Do About It  

Protecting your organization against RaaS is much like protecting it against any other ransomware attack – you should embrace ransomware prevention best practices like:  

  • Network segmentation to cut off the access attackers need to propagate.  
  • MFA to minimize the impact of stolen or misused credentials – closing privileged ports and protecting every asset on the network.  
  • Zero Trust to prevent unauthorized access and proactively cut down on ransomware risks.

5. Ransomware Whale Hunting: Fortune 500 Companies Under Attack  

Fortune 500 companies have become primary targets for ransomware gangs, not only because of their deep pockets, but also because their networks are often sprawling, complex, and riddled with technical debt. Decades of shadow IT, hybrid infrastructures, and thousands of third-party connections create a vast and often opaque attack surface. 

This, plus the fact that large enterprises have greater resources to tap for ransom, is likely why ransomware gangs are targeting Fortune 500 organizations more heavily. The collective financial profile of the 10 biggest ransomware targets so far in 2025 is 61% higher than the previous year.  

Importantly, ransomware attacks on global enterprises can mean cross-industry supply chain disruptions. What’s more, ransomware gangs’ ability to successfully target the largest and most well-resourced organizations in the world sends a clear message: the traditional strategies for blocking ransomware aren’t working.  

Real-World Example: DaVita Dialysis Ransomware Attack 

In one real-world example of a ransomware attack on a Fortune 500 company, DaVita Dialysis was targeted by the ransomware group Interlock in April 2025. The attack encrypted parts of DaVita’s network and disrupted internal operations; system outages forced the organization to rely on manual processes while restoring critical services. 

After ransom negotiations failed, Interlock leaked a portion of the sensitive data it exfiltrated, leading to multiple class-action lawsuits. The incident reflects how even high-profile organizations are vulnerable to sophisticated attacks. 

What to Do About It  

Threat containment should be built in at the architectural level to automatically stop ransomware from spreading if attackers breach the network. Here’s what you need to do:  

  • Isolate every asset in its own secure zone with microsegmentation to prevent lateral movement by default – and by design.  
  • Create, enforce, and adapt access policies based on identity and behavior with robust, deterministic automation that keeps you a step ahead of attackers.  
  • Build a network underpinned by least privilege principles, ensuring every asset, identity, and connection has only the necessary permissions.   

Block Ransomware in Real Time with Zero Networks  

As ransomware gangs proliferate and their tactics grow speedier, stealthier, and more sophisticated, it’s time for security teams to embrace a containment-first ransomware prevention strategy – one that blocks ransomware by default, isolates hackers to individual assets, and neutralizes ransomware attacks without any manual effort.  

Zero Networks’ identity-aware microsegmentation automatically secures every asset in a click – no agents, no manual configuration, and no years-long implementation. Our solution:  

  • Orchestrates host-OS firewalls to achieve granular segmentation without disrupting operations. 
  • Creates precise network rules and policies with a deterministic automation engine that speeds implementation and streamlines ongoing management. 
  • Combines identity segmentation with network-layer MFA to make privilege escalation and identity-based attacks nearly impossible.  

With Zero, it’s easy to build a network architecture that blocks ransomware by design – take a self-guided product tour to see for yourself.