
Singapore, 5 June 2025 – The latest Extortion and Ransomware Trends Report from Palo Alto Networks’ Unit 42 reveals a worrying escalation in cybercriminal activity, as ransomware actors adopt increasingly aggressive tactics and form strategic alliances with state-linked groups to maximise their impact.
The January–March 2025 report highlights a growing trend of adversaries moving beyond traditional encryption attacks to more manipulative methods—such as fake extortion claims, insider involvement, and tools designed to neutralise security infrastructure. With ransomware campaigns showing no signs of slowing, organisations are being urged to bolster their cyber posture with layered defences and real-time visibility.
“We’re seeing a clear shift in how ransomware and extortion actors operate globally and across the Asia-Pacific and Japan region. Attackers are shifting from traditional encryption tactics to more aggressive and manipulative methods including false claims, insider access, and tools that disable security controls,” said Philippa Cogswell, Vice President and Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks. “These new and evolving tactics show just how critical it is for organisations to move beyond reactive defences and invest in security strategies that provide full visibility and rapid response across their environments.”
Ransomware Threat Landscape in JAPAC
Across Asia-Pacific and Japan (JAPAC), early detection capabilities are improving, with more organisations intercepting threats before threat actors achieve their objectives. However, this has prompted attackers to pivot toward more coercive methods, amplifying the psychological pressure on victims and increasing payout demands.
In Singapore, the report notes a significant uptick in ransomware activity. Despite modest progress in incident response readiness, gaps remain. Notably:
- Local companies have implemented only 70% of core cybersecurity measures.
- Just one in three organisations fully comply with at least three out of five Cyber Essentials categories, as defined under Singapore’s national cybersecurity framework.
“Ransomware threats in Singapore are evolving rapidly, with attackers now using increasingly aggressive and deceptive tactics to extort victims. Although organisations have improved in early detection and incident response, attackers continue to view Singapore as a viable and attractive target,” said Steven Scheurmann, Regional Vice President for ASEAN at Palo Alto Networks. “To stay ahead of these sophisticated threats, organisations must employ a defense-in-depth strategy and be prepared to encounter additional forms of pressure from these ransomware actors.”
Key Insights from Unit 42’s Q1 2025 Report
- Fake threats and physical intimidation: Threat actors have increasingly resorted to using falsified data in extortion campaigns, with some even delivering ransom notes to executives’ homes to escalate psychological pressure.
- Manufacturing remains the top target, followed by wholesale and retail, and professional and legal services—continuing a multi-year trend.
- Global targeting concentration: The majority of victims during the reporting period were headquartered in the US, Canada, the UK, and Germany.
- Endpoint and cloud systems under siege: Adversaries are deploying “EDR killers” to disable endpoint detection and response sensors while intensifying attacks on cloud platforms.
- AI-driven insider threats: Unit 42 flagged a disturbing rise in North Korean-affiliated operatives using AI-generated identities to pose as remote IT contractors—stealing source code and threatening to release it publicly unless paid.
- RansomHub’s rapid rise: Emerging as the most dominant ransomware variant of Q1 2025, RansomHub has surpassed other strains in volume and severity, marking a sharp increase since mid-2024.
Strategic Response Required
The report underscores the urgency for organisations to adopt proactive, multi-layered defences. A modern ransomware strategy must extend beyond perimeter protection to include:
- Threat intelligence integration
- Endpoint and cloud visibility
- Zero Trust access models
- Employee awareness and insider risk detection
With threat actors continually adapting their techniques and collaborating across borders, business leaders—especially CFOs and CISOs—must align on cyber investment priorities to protect data, assets, and brand reputation.
