
Ransomware threats rise, attackers adopt quadruple extortion
A new cybersecurity report highlights the increasing complexity and destructiveness of ransomware attacks targeting businesses and organisations in 2025, with attackers employing advanced extortion tactics and expanding their methods.
Akamai has released a qualitative research report entitled "Building resilience amid a volatile threat landscape," which provides an analysis of the operations of prolific ransomware groups such as BlackCat/ALPHV, LockBit, Clop, and RansomedVC. The report explores how these groups have adapted their strategies in response to technological advancements and recent regulatory developments in the UK and elsewhere.
Quadruple extortion
The report identifies the emergence of quadruple extortion as a growing trend among cybercriminals. Traditionally, ransomware attacks followed a double extortion model, where attackers encrypted a victim's data and threatened to leak it publicly if a ransom was not paid. The new quadruple extortion tactics combine encryption with distributed denial-of-service (DDoS) attacks, public harassment, and threats of regulatory exposure, increasing the pressure on targeted organisations.
"Ransomware threats today aren't just about encryption anymore. Attackers are using stolen data, public exposure, and service outages to increase the pressure on victims. These methods are turning cyberattacks into full-blown business crises, and are forcing companies to rethink how they prepare and respond," said Steve Winterfeld, Advisory CISO at Akamai.
The sophistication of ransomware groups has been enabled in part by affiliate models, which allow individuals with varying technical abilities to participate in large-scale campaigns. The research found that ideological motivations are also playing a greater role, with some groups driven by political or social causes in addition to financial gain. This complicates the attribution of attacks and presents new challenges for defenders.
GenAI and social engineering
Another major development highlighted by Akamai is the use of generative artificial intelligence (GenAI) and large language models (LLMs) to automate aspects of ransomware campaigns. The report notes that such technologies are making it easier for less technically skilled individuals to write ransomware code and enhance social engineering tactics. This has contributed to an increase in both the frequency and scale of attacks in the past year.
Hacktivist and ransomware hybrid groups have become more prominent, often utilising ransomware-as-a-service (RaaS) platforms to extend their reach. Dragon RaaS, which emerged in 2024 from the Stormous group, is cited as an example of this trend, having shifted its focus from large corporations to smaller organisations perceived as having weaker security defences.
Impact on nonprofits and education
The report also addresses the issue of cryptominers, which, while distinct from ransomware actors, often use similar tactics and target sectors believed to be vulnerable. Akamai researchers found that nearly half of the cryptomining attacks examined targeted nonprofit and educational organisations, likely due to resource limitations in these industries.
In addition, the TrickBot malware family is identified as a major tool for ransomware deployment. Since 2016, TrickBot has been used by ransomware groups globally to extort more than USD $724 million in cryptocurrency from victims. The Akamai Guardicore Hunt Team recently linked this malware to suspicious activity on the systems of several customers.
Regulatory landscape
The report provides an analysis of current legal and regulatory efforts influencing how organisations respond to ransomware incidents. Akamai's Vice President and Chief Privacy Officer, James A. Casey, commented on the need for organisations to adopt comprehensive cybersecurity strategies in light of evolving threats and regulatory requirements.
Casey notes that while existing cybersecurity laws apply to ransomware, specific regulations focus on discouraging ransom payments. He also highlights the importance of robust cybersecurity measures, incident reporting, and risk management, as well as strategies like Zero Trust and microsegmentation, to build resilience against evolving ransomware threats. Casey stresses the necessity for organisations to stay informed and adapt to emerging threats.
The report presents several actionable recommendations for security teams looking to anticipate and counter attacker tactics in 2025. These include staying abreast of the latest threat actor techniques, investing in robust cybersecurity defences such as zero trust and microsegmentation, and ensuring timely incident reporting and risk management strategies are in place.
The detailed findings aim to provide organisations with the information they need to strengthen their resilience against ransomware, as threat actors continue to diversify their motives and approaches in a rapidly changing environment.