The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.
While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.
Video Transcript
Ransomware
Ransomware activity continues to climb in the first quarter of 2025, with 2461 attacks carried out by 74 active groups. This is a 4% increase over last quarter, which was the previous period with the highest volume of attacks on record.
At the forefront of this quarter is Cl0p, which was responsible for 398 attacks, roughly 16% of the total. Cl0p achieved this by chaining two vulnerabilities together in Cleo Harmony and VLTrader for a huge impact. These vulnerabilities are tracked as
- CVE-2024-50623
- CVE-2024-55956
This campaign peaked in February with 331 attacks, the highest monthly total ever recorded by a single group.
Other top actors included RansomHub, Akira, Babuk2, and Qilin. Surprisingly, Lockbit, once a dominant force, dropped to 24th place with only 23 attacks. Exploitation of unpatched systems continues to be a favored technique for initial access among ransomware groups.
Black Basta
In February 2025, a major leak of internal chat logs exposed the inner workings of the Black Basta ransomware group. The leak discusses their target preferences, tactics, and tools.
Target Selection
Black Basta prioritized organizations with low tolerance for downtime, including healthcare, financial services, and critical infrastructure. These sectors were targeted strategically, given the high stakes and pressure to restore operations quickly, factors that increase the chance of ransom payments.
Exploitation Tactics
The group typically exploited known vulnerabilities rather than expensive zero-days. However, they did purchase at least one high-value exploit for use against CVE-2024-26169, used for privilege escalation on Windows systems. Microsoft patched it in March 2024, but evidence suggests Black Basta had access prior to its public disclosure, dating back as early as December 2023.
Tools and Techniques
Two tool variants linked to the group were uncovered by Symantec. One, compiled in December 2023, is publicly available on VirusTotal. The second, from February 2024, appears to have been privately tested. The leak also confirmed extensive credential harvesting operations—key to initial access and lateral movement. A link to the VirusTotal analysis is available in the full report.
Underground Forum
Logs indicate the group actively used platforms like exploit.in to acquire or trade vulnerabilities.
Conclusion
This leak gives us a behind-the-scenes look at a major ransomware group. It highlights the group's clear focus on exploiting vulnerabilities in critical sectors and leveraging credential harvesting to facilitate their attacks. As always, proactive patching, credential protection, and a hardened defense strategy are needed to stay ahead of these tactics, especially for organizations in critical sectors.
Bybit
In February 2025, the Bybit cryptocurrency exchange suffered one of the largest crypto thefts to date—400,000 ETH, worth $1.5 billion. The attack has been attributed to the Lazarus Group, a North Korean state-sponsored threat actor known for targeting digital assets.
Lazarus exploited Safe{Wallet}, a third-party multi-signature wallet platform designed to enhance transaction security. The attackers compromised a developer’s workstation at Safe{Wallet}, injecting malicious JavaScript into its frontend interface.
This clever move allowed them to disguise an unauthorized transfer as a legitimate transaction. Exploiting user behavior—specifically the tendency to rapidly click through approval prompts—they bypassed the multi-signature protection and triggered a massive transfer from Bybit’s cold wallet without raising alarms.
Once the theft was complete, Lazarus laundered the stolen ETH through multiple intermediary wallets, swapping tokens and using cross-network services to obscure the funds’ origins. The stolen assets currently sit dormant across multiple wallets.
The big takeaway here is that even the most secure systems can be undermined by third-party vulnerabilities and user complacency.
Chainalysis
In 2024, ransomware attacks reached record levels, especially in the fourth quarter. But in a surprising twist, ransomware payments actually fell. According to Chainalysis, victims paid $813 million in crypto, down 35% from $1.25 billion in 2023.
This unexpected decline comes as Q4 2024 marked the most active quarter ever for ransomware. The drop in payouts signals a shift in how organizations are responding to these threats.
So, what are the reasons for this decline?
First, companies are improving their cybersecurity, with stronger defenses and better backups, so that many can now recover without paying.
Second, regulatory pressure is rising. Governments are discouraging ransom payments to avoid fueling criminal activity.
And third, there's greater awareness. Organizations now better understand the long-term consequences of paying ransoms, including the fact that paying encourages repeat attacks.
Add to that a global law enforcement crackdown—seizing crypto, arresting operators, and dismantling gangs—and the result is a ransomware ecosystem that's getting harder to profit from. However, with attack counts continuing to climb, this also suggests that while payment volumes have decreased, the overall threat of ransomware continues to grow.
Oracle Health
In early 2025, Oracle Health, formerly known as Cerner, suffered a major data breach affecting multiple U.S. hospitals and healthcare providers. The breach stemmed from unauthorized access to legacy data migration servers using compromised customer credentials, with activity traced back to late January.
Sensitive patient data from electronic health records was exfiltrated, though the full scope remains unclear. Oracle Health discovered the breach in February and began notifying affected clients in March.
Adding to the complexity, an individual calling themselves “Andrew” has attempted to extort healthcare providers, threatening to release the stolen data. “Andrew” isn’t linked to any known ransomware group, suggesting a possible lone actor or emerging threat.
This breach highlights two critical vulnerabilities: outdated legacy systems and inadequate credential protections.
Q1 Conclusion
Security teams must prioritize patch management and ensure that critical vulnerabilities are addressed promptly. Organizations should also emphasize credential protection, implementing multi-factor authentication (MFA) and monitoring for compromised accounts.
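As an added illustration of the "monitoring for compromised accounts" recommendation above (this is example code written for this page, not a CyberMaxx tool or anything from the incidents described), the following Python detector scans a constructed list of authentication events for two patterns typical of compromised-credential use: a password spray from one source IP that ends in a successful login, and a successful login for an account from a source IP outside that account's known baseline. The event field names (`ts`, `user`, `src_ip`, `result`), the baseline table and the thresholds are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs). RFC 5737 documentation ranges are
# used for all IP addresses. Field names are assumed for this example.
SAMPLE_EVENTS = [
    {"ts": "2025-01-22T02:01:00", "user": "alice", "src_ip": "203.0.113.9", "result": "fail"},
    {"ts": "2025-01-22T02:01:30", "user": "bob",   "src_ip": "203.0.113.9", "result": "fail"},
    {"ts": "2025-01-22T02:02:00", "user": "carol", "src_ip": "203.0.113.9", "result": "fail"},
    {"ts": "2025-01-22T02:02:30", "user": "dave",  "src_ip": "203.0.113.9", "result": "fail"},
    {"ts": "2025-01-22T02:03:00", "user": "erin",  "src_ip": "203.0.113.9", "result": "fail"},
    {"ts": "2025-01-22T02:03:30", "user": "frank", "src_ip": "203.0.113.9", "result": "success"},
    {"ts": "2025-01-22T09:00:00", "user": "alice", "src_ip": "198.51.100.10", "result": "success"},
    {"ts": "2025-01-22T09:30:00", "user": "bob",   "src_ip": "192.0.2.77",   "result": "success"},
]

# Constructed per-account baseline of source IPs seen during normal activity.
KNOWN_IPS = {
    "alice": {"198.51.100.10"},
    "bob": {"198.51.100.11"},
    "frank": {"198.51.100.20"},
}


def detect_credential_abuse(events, known_ips, fail_threshold=5, min_accounts=3, window_minutes=10):
    """Return a list of findings for two compromised-credential patterns.

    spray_then_success: a source IP accumulates at least `fail_threshold`
        failures across at least `min_accounts` distinct accounts inside the
        rolling window, and then logs in successfully (as any account).
    login_from_unknown_source: a successful login for an account comes from a
        source IP that is not in that account's known baseline.
    """
    window = timedelta(minutes=window_minutes)
    ordered = sorted(events, key=lambda e: e["ts"])
    fails_by_ip = defaultdict(list)  # src_ip -> [(timestamp, user), ...]
    findings = []

    for e in ordered:
        ts = datetime.fromisoformat(e["ts"])
        ip = e["src_ip"]
        if e["result"] != "success":
            fails_by_ip[ip].append((ts, e["user"]))
            continue

        # Only failures inside the window before this success count toward a spray.
        recent = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window]
        targeted = {u for _, u in recent}
        if len(recent) >= fail_threshold and len(targeted) >= min_accounts:
            findings.append({
                "rule": "spray_then_success",
                "user": e["user"],
                "src_ip": ip,
                "failed_accounts": sorted(targeted),
            })

        if ip not in known_ips.get(e["user"], set()):
            findings.append({
                "rule": "login_from_unknown_source",
                "user": e["user"],
                "src_ip": ip,
            })

    return findings


if __name__ == "__main__":
    for f in detect_credential_abuse(SAMPLE_EVENTS, KNOWN_IPS):
        print(f)
```

Run against the constructed events, the detector flags the 02:03:30 login as both a spray-then-success and a login from an unknown source, and the 09:30 login for bob as a login from an unknown source; alice's 09:00 login from her baseline IP produces no finding. In practice the baseline would be built from a trailing window of successful logins per account, and the thresholds tuned to the environment's normal failure rate.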