{"id":5958,"date":"2025-11-26T07:00:00","date_gmt":"2025-11-26T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5958"},"modified":"2025-11-26T07:00:00","modified_gmt":"2025-11-26T07:00:00","slug":"alliances-between-ransomware-groups-tied-to-recent-surge-in-cybercrime","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5958","title":{"rendered":"Alliances between ransomware groups tied to recent surge in cybercrime"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>A seasonal surge in malicious activity combined with alliances between <a href=\"https:\/\/www.csoonline.com\/article\/3509281\/top-10-ransomware-groups-to-watch.html\">ransomware groups<\/a> led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active <a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">ransomware<\/a> peddler, responsible for 170 of 594 attacks (29%) in October, <a href=\"https:\/\/insights.nccgroup.com\/review-of-october-2025-threat-intelligence-report%20\">NCC Group reports<\/a>.<\/p>\n<p>Sinobi and Akira followed with 15% of ransomware attacks, rounding out the top three most active ransomware groups in October 2025.<\/p>\n<p>The ramp-up in ransomware attacks follows several months of relative stability in the number of attacks from April to August, including a dip between April and June.<\/p>\n<p>Activity began to pick up at the end of the Northern Hemisphere summer, with September recording a 28% month-on-month increase \u2013 momentum that has now accelerated into October\u2019s spike, NCC reports.<\/p>\n<p>The October surge indicates that threat actors are intensifying their operations ahead of what is typically the most active 
period for cyber crime. \u201cThe fourth \u2018golden quarter\u2019 of the year sees peak consumer spending from Black Friday, Cyber Monday, and Christmas, presenting greater opportunity for cyber threat actors,\u201d according to NCC.<\/p>\n<p>NCC Group\u2019s stats are derived from actively monitoring leak sites favoured by each ransomware group. Of the 594 attacks in October, industrials remained the most targeted sector, with 28% (167) of all attacks. Consumer discretionary (which includes automotive manufacturers, retail businesses, and leisure facilities) suffered 124 attacks. Healthcare moved to third place with 64 attacks.<\/p>\n<p>North America was hit hardest by ransomware attacks, suffering over half of these incidents (62%), compared to Europe (17%) and Asia (9%).<\/p>\n<p>An annual <a href=\"https:\/\/www.guidepointsecurity.com\/newsroom\/active-ransomware-groups-reach-an-all-time-high-guidepoint-security-finds\/\">study<\/a> from Guidepoint Security found a 57% year-over-year increase in active ransomware groups. 
At the same time, ransomware victim numbers have stabilized at approximately 1,500-1,600 per quarter since Q4 2024, according to figures from Guidepoint.<\/p>\n<h2 class=\"wp-block-heading\">Ransomware groups\u2019 alliances: axis of evil<\/h2>\n<p>New players and alliances between ransomware groups contributed to the overall increase in ransomware attacks in October.<\/p>\n<p>For example, the <a href=\"https:\/\/flashpoint.io\/blog\/lockbit-5-0-analysis-technical-deep-dive-into-the-raas-giants-latest-upgrade\/\">newly relaunched LockBit 5.0 group<\/a> has <a href=\"https:\/\/www.csoonline.com\/article\/4070290\/lockbit-dragonforce-and-qilin-form-a-cartel-to-dictate-ransomware-market-conditions.html\">aligned itself with other prominent ransomware-as-a-service (RaaS) groups DragonForce and Qilin.<\/a><\/p>\n<p>Alliances between threat groups enable the sharing of tools, infrastructure and tactics to make their attacks more effective.<\/p>\n<p>\u201cThe alliance between LockBit, DragonForce and Qilin combines technical expertise, resources and infrastructure, creating a network capable of sustaining large-scale ransomware operations whilst complicating attribution and response for organisations and law enforcement,\u201d according to NCC.<\/p>\n<p>Although no coordinated attacks have been confirmed yet, these loose alliances could act as a recruiting tool for affiliates.<\/p>\n<p>\u201cThe partnership is also likely aimed at rebuilding LockBit\u2019s reputation within the cybercrime community, reassuring affiliates of its continued relevance and operational capacity following the 2024 law enforcement disruptions,\u201d NCC adds.<\/p>\n<p>Elsewhere, new entrants in the form of <a href=\"https:\/\/www.csoonline.com\/article\/4054790\/ransomware-upstart-the-gentlemen-raises-the-stakes-for-ot%E2%80%91heavy-sectors.html\">The Gentlemen ransomware group<\/a> burst onto the threat landscape with 21 attack claims against healthcare, financial services and IT firms, among 
others.<\/p>\n<p>\u201cPart of the reason we are seeing more ransomware groups and variants in the landscape is the increasingly lowered technical barrier to entry for cyber crime,\u201d according to NCC. \u201cRansomware builders have been consistently leaked or released, meaning that threat actors with low levels of technical sophistication are still able to conduct effective campaigns.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Ransomware groups change tactics to evade law enforcement<\/h2>\n<p>The latest quarterly <a href=\"https:\/\/www.rapid7.com\/blog\/post\/tr-rapid7-q3-2025-threat-landscape-report\/\">study<\/a> from Rapid7 also found that newly forged alliances are leading to a spike in ransomware activity, adding that tactical innovations, from refined extortion to double extortion and the use of zero-days, are also playing a part in increased malfeasance.<\/p>\n<p>The quarter also saw 88 active ransomware groups, up from 65 in Q2 and 76 in Q1, signalling an increase in activity as well as highlighting the changing shape of a febrile threat environment.<\/p>\n<p>Groups such as <a href=\"https:\/\/www.csoonline.com\/article\/4079316\/cross-platform-ransomware-qilin-weaponizes-linux-binaries-against-windows-hosts.html\">Qilin<\/a>, SafePay, and WorldLeaks led a wave of alliances targeting industries like business services, manufacturing, and healthcare, Rapid7 reports.<\/p>\n<p>These same groups began experimenting with file-less operations, single-extortion data leaks, and affiliate service offerings such as ransom negotiation assistance, where a more senior member of the group partners with a less experienced player to extort the victim.<\/p>\n<p>Cyber extortion incident response firm Coveware reports that remote access compromise, phishing\/social engineering, and software vulnerability exploitation remain at the core of intrusion activity, but the distinctions between them are increasingly blurred.<\/p>\n<p>\u201cAdversaries increasingly obtain access 
not just by logging into a system, but by convincing someone else to provision it for them,\u201d Coveware explains. \u201cCampaigns that blurred these lines, such as those impersonating SaaS support teams or abusing help-desk processes to gain OAuth authorization, demonstrated how human trust can be engineered into a technical foothold.\u201d<\/p>\n<p>Credential-based intrusions through VPNs, cloud gateways, and SaaS integrations continued to serve as the prime vector of ransomware attacks.<\/p>\n<p>Coveware\u2019s Q3 2025 ransomware <a href=\"https:\/\/www.coveware.com\/blog\/2025\/10\/24\/insider-threats-loom-while-ransom-payment-rates-plummet#payments\">study<\/a> identified Akira and Qilin as the two most prominent ransomware variants doing the rounds. Some ransomware groups are rebranding as data-theft-only outfits, ditching file encryption as an extortion tactic, Coveware adds.<\/p>\n<h2 class=\"wp-block-heading\">Review and reinforce cybersecurity measures<\/h2>\n<p>Matt Hull, head of threat intelligence at NCC Group, said more than 200 ransomware variants have been identified so far this year.<\/p>\n<p>\u201cAs ransomware activity accelerates and notable attacks continue to cause widespread economic and operational disruption, vigilance is more critical than ever. Organisations should use this moment to reinforce their security measures and test incident response plans,\u201d Hull said. \u201cProactive monitoring, staff awareness, and secure backups remain key as we move into the year\u2019s peak threat season.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>A seasonal surge in malicious activity combined with alliances between ransomware groups led to a 41% increase in attacks between September and October. Cybercriminal group Qilin continues to be the most active ransomware peddler, responsible for 170 of 594 attacks (29%) in October, NCC Group reports. 
Sinobi and Akira followed with 15% of ransomware attacks [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5952,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5958","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5958"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5958"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5958\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5952"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5958"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5958"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5958"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}