Mapping the Ransomware Landscape: Global Hotspots and Emerging Threats

Spring and summer are the hottest seasons in the Northern Hemisphere, and unfortunately, they were also hot seasons for ransomware developers. Across the globe, we have been receiving news about successfully executed attacks. Some of them reached new heights of creativity, for example, the recently discovered AI-powered ransomware (even though it may still be an early-stage prototype). What does this mean for organizations that want to minimize the risks of being compromised? In this blog, we share what real companies across the world experienced in the past six months in terms of ransomware attacks.

All the data discussed comes from Nozomi Networks’ anonymized telemetry submitted by various sensors monitoring the endpoints as well as wired and wireless communications of our participating customers during the period between March 1 and August 28.

What Telemetry Tells Us

Let’s take a look at which ransomware families were the most prevalent during this period. Before we proceed, it is important to understand that not all alerts represent an ongoing active attack; some may be samples of once active malware that became visible to our sensors due to changes in network configuration which have not yet been cleaned up by the victim organizations. Additionally, attribution to an exact malware family is not always 100% precise as some less precise Indicators of Compromise (IoCs) like IP addresses may be reused by attackers for other types of attacks.

Top Ransomware Families

May was the most active month in terms of ransomware-related alerts raised by our sensors, with the BlackSuit ransomware family leading the chart. According to CISA, BlackSuit is the direct evolution of the Royal ransomware. Combined, the two groups have received more than $370 million in ransom payments. The Royal project itself is believed to be an offshoot of the earlier Conti group, which Nozomi Networks Labs also actively tracked and detected while it was active.

Figure 1. Number of ransomware detections per month in 2025.

The US government performed a takedown operation against the BlackSuit ransomware family in July, which resulted in a decrease in the number of detections of this threat in August.

Figure 2. Number of triggered BlackSuit ransomware detections per month.

It is important to note that some of these detections did not originate from our network traffic monitoring sensors, but from our endpoint sensors deployed on HMI machines. These sensors allow us to monitor potentially malicious activity from a different perspective. This signifies the importance of following a layered approach when we talk about building a robust cybersecurity posture.

The second most active ransomware family over this time period was Cl0p/Clop, operated by the TA505 actor. Despite being about two years old, we still regularly see this malware in corporate networks. It serves as a reminder that once malware is released, it takes a significant amount of time to fully eradicate it. Two years ago, the group compromised multiple organizations by exploiting zero-day vulnerabilities in MOVEit Transfer, Accellion File Transfer Appliance and GoAnywhere solutions, with notable victims including BBC, Boots, and British Airways.

Black Basta ransomware closes our top three. According to CISA, the group had compromised more than 500 organizations by the middle of last year. Its operations were exposed in a massive leak back in February this year. Even though the leak pushed the gang to lay low, already deployed ransomware modules continue to be detected all over the world.

Now, let’s take a look at the most targeted regions.

Top Targeted Countries

The top three most targeted countries, ranked by the number of ransomware-related alerts produced by companies located there over the past six months, were:

  • United States (56.42%)
  • UK (14.53%)
  • Japan (6.7%)

The US leads, with over half of all ransomware actors prioritizing targets located in this country. According to our telemetry, it was also the most targeted country overall in the second half of 2024.

We strongly recommend all the organizations located in these countries to revise their cybersecurity posture to make sure they are prepared to handle ransomware attacks. And of course, those outside of these regions should still review their posture as ransomware knows no borders.

Finally, let’s see which industries were targeted the most by ransomware during this period.

Top Targeted Industries

The top targeted industries were:

  • Manufacturing (83.82%)
  • Transportation (13.87%)
  • Consumer Services (1.16%)

With over 83% of all ransomware detections targeting the Manufacturing sector, this is a wake-up call to organizations that they may be the next target for attackers. It is vital that the cybersecurity posture is clear and robust with comprehensive visibility powering all the strategic decisions.

The Transportation sector, associated with over 13% of detected ransomware incidents, follows Manufacturing. Given how vital transportation systems are to maintain the operations of our daily life, the importance of this fact can’t be overstated. In the latest edition of our semi-annual Security Report, we also saw it as the most targeted industry in the first half of 2025. Finally, Consumer Services organizations close the chart with ~1% of all ransomware-related alerts.

Summary

Despite significant advancements in proactive detections and improved threat intelligence sharing across the community, there are still multiple challenges that need to be overcome. Organizations often still believe that they have a good cybersecurity posture only because they have yet to be successfully compromised. Instead, we recommend investing in robust network and endpoint visibility, implementing layered cybersecurity and following vulnerability management best practices to drastically reduce the chances of a compromise, and enabling efficient response when the worst happens to prevent or minimize associated losses.

Nozomi Networks Labs constantly stays on top of the ever-changing ransomware landscape to ensure our customers are thoroughly protected against both known and future strains of ransomware through our platform with Threat Intelligence and the TI Expansion Pack, Powered by Mandiant Threat Intelligence.

IoC List

  • 105.69.155[.]85
  • 109.196.164[.]79
  • 116.203.186[.]178
  • 122.10.82[.]109
  • 139.60.161[.]161
  • 140.82.48[.]158
  • 147.78.47[.]224
  • 149.28.200[.]140
  • 150.129.218[.]231
  • 152.89.247[.]50
  • 155.138.246[.]122
  • 156.96.62[.]58
  • 162.33.177[.]56
  • 162.55.38[.]44
  • 172.93.184[.]62
  • 174.138.62[.]35
  • 185.141.63[.]120
  • 185.143.223[.]69
  • 185.17.40[.]178
  • 185.174.101[.]69
  • 185.190.24[.]103
  • 185.219.220[.]175
  • 185.220.100[.]240
  • 185.220.101[.]149
  • 185.238.0[.]233
  • 186.86.212[.]138
  • 188.130.137[.]181
  • 190.193.180[.]228
  • 192.42.116[.]191
  • 193.106.31[.]98
  • 193.111.153[.]24
  • 193.162.143[.]218
  • 193.183.98[.]66
  • 193.188.22[.]25
  • 193.201.9[.]224
  • 193.37.69[.]225
  • 194.165.16[.]55
  • 197.204.247[.]7
  • 197.207.181[.]147
  • 197.94.67[.]207
  • 198.144.121[.]93
  • 206.188.196[.]20
  • 206.188.197[.]22
  • 209.141.36[.]116
  • 217.25.93[.]106
  • 23.106.122[.]192
  • 23.106.223[.]97
  • 31.107.255[.]255
  • 37.1.212[.]18
  • 37.120.193[.]123
  • 37.120.238[.]107
  • 38.180.81[.]153
  • 41.109.11[.]80
  • 45.120.53[.]214
  • 45.147.228[.]91
  • 45.182.189[.]229
  • 45.61.136[.]47
  • 45.61.138[.]99
  • 45.66.248[.]150
  • 45.84.0[.]164
  • 45.90.59[.]131
  • 46.8.16[.]77
  • 47.87.229[.]39
  • 5.188.86[.]195
  • 5.252.23[.]116
  • 5.39.222[.]67
  • 5.44.42[.]20
  • 5.45.65[.]52
  • 51.254.25[.]115
  • 61.166.221[.]46
  • 62.112.11[.]57
  • 64.176.219[.]106
  • 77.73.133[.]84
  • 79.132.135[.]149
  • 79.141.160[.]43
  • 80.82.67[.]221
  • 81.184.181[.]215
  • 81.19.135[.]219
  • 83.97.73[.]87
  • 87.243.113[.]104
  • 87.98.175[.]85
  • 88.119.175[.]70
  • 88.214.27[.]100
  • 88.231.221[.]198
  • 88.245.168[.]200
  • 89.108.65[.]136
  • 91.191.209[.]46
  • 91.218.114[.]26
  • 91.218.114[.]77
  • 91.218.114[.]79
  • 92.51.2[.]22
  • 92.51.2[.]27
  • 93.190.139[.]223
  • 94.103.91[.]246
  • 95.181.173[.]227
  • 95.213.145[.]101
  • 95.216.196[.]181
  • hourlyprofitstore[.]com
  • provincial-gaiters-gw.aws-use1.cloud-ara.tyk[.]io
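As an added example (not part of the original Nozomi Networks post), the Python script below refangs a handful of the indicators from the list above, sorts them into IP and domain indicators, and scans a few constructed log lines for them. In line with the caveat stated earlier in the post, that IP-based indicators may be reused by attackers for unrelated activity, an IP hit is labelled "medium" confidence and a domain hit "high". The log lines, the confidence labels and the field layout are assumptions made for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# A subset of the defanged indicators from the blog's IoC list, copied verbatim.
IOC_LIST = """
139.60.161[.]161
185.220.101[.]149
45.61.136[.]47
hourlyprofitstore[.]com
provincial-gaiters-gw.aws-use1.cloud-ara.tyk[.]io
"""


def refang(indicator: str) -> str:
    """Turn a defanged indicator (x[.]y, hxxp://) back into its live form."""
    return indicator.strip().replace("[.]", ".").replace("hxxp", "http")


@dataclass(frozen=True)
class Ioc:
    value: str
    kind: str  # "ip" or "domain"


def parse_ioc_list(text: str) -> list[Ioc]:
    """Parse one defanged indicator per line; bullets and blank lines are tolerated."""
    iocs = []
    for line in text.splitlines():
        line = line.strip().lstrip("•").strip()
        if not line:
            continue
        value = refang(line)
        try:
            ipaddress.ip_address(value)  # raises ValueError if not an IP literal
            iocs.append(Ioc(value, "ip"))
        except ValueError:
            iocs.append(Ioc(value.lower(), "domain"))
    return iocs


# Constructed sample log lines (assumed format, not from the blog): a firewall
# connection log and a DNS query log. Two lines touch an indicator, two do not.
SAMPLE_LOGS = [
    "2025-05-12T09:14:03Z fw01 action=allow src=10.0.12.34 dst=185.220.101.149 dport=443",
    "2025-05-12T09:14:07Z dns01 client=10.0.12.34 query=cdn.hourlyprofitstore.com type=A",
    "2025-05-12T09:15:00Z dns01 client=10.0.12.40 query=updates.example.com type=A",
    "2025-05-12T09:16:21Z fw01 action=allow src=10.0.12.34 dst=203.0.113.10 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def scan_log_line(line: str, iocs: list[Ioc]) -> list[tuple[str, str]]:
    """Return (indicator, confidence) pairs for every IoC seen on one log line.

    IP hits are graded "medium" because the post notes that IP indicators may be
    reused for unrelated activity; domain hits (exact or subdomain) are "high".
    """
    ips = {i.value for i in iocs if i.kind == "ip"}
    domains = [i.value for i in iocs if i.kind == "domain"]
    hits = []
    for tok in IPV4_RE.findall(line):
        if tok in ips:
            hits.append((tok, "medium"))
    for tok in HOST_RE.findall(line):
        host = tok.lower()
        for d in domains:
            if host == d or host.endswith("." + d):
                hits.append((d, "high"))
    return hits


def scan_logs(lines: list[str], iocs: list[Ioc]) -> dict[str, list[tuple[str, str]]]:
    """Map each log line that matched at least one indicator to its hits."""
    report = {}
    for line in lines:
        hits = scan_log_line(line, iocs)
        if hits:
            report[line] = hits
    return report


if __name__ == "__main__":
    indicators = parse_ioc_list(IOC_LIST)
    for line, hits in scan_logs(SAMPLE_LOGS, indicators).items():
        for value, confidence in hits:
            print(f"[{confidence}] {value} <- {line}")
```

Matching against the full list is a matter of pasting the remaining bullets into `IOC_LIST`; the bullet characters are stripped during parsing. Subdomain matching is deliberate, since malware rarely contacts the bare apex of a domain it uses.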