Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

A new report from Sophos found that ransomware attacks accounted for over 90% of incident response cases involving medium-sized businesses in 2024, as well as 70% of cases involving small businesses. “While the overall number of incidents in 2024 was slightly down—in part because of better defenses and the disruption of some major ransomware-as-a-service operators—ransomware-related crime is not fading away,” Sophos says.

Safepay is a newcomer to the ransomware landscape. Since its first published attack in October 2024, the group has attacked over 50 organizations worldwide. SafePay maintains a dark web blog and a presence on the TON network for victim communications. The group employs the increasingly common double extortion model, combining data encryption with the theft of sensitive information to pressure victims into payment.

In 2024, Cyjax observed the emergence of 72 extortion and ransomware group data-leak sites (DLSs). As of mid-April 2025, Cyjax has identified DLSs for 27 new groups this year, as noted in recent blogs on Morpheus, GD LockerSec, Babuk2, Linkc, Anubis, Arkana, Frag, and RALord.

Advanced Persistent Threat (APT) groups are not a new scourge. These sophisticated, state-sponsored cyber adversaries, with deep pockets and highly advanced technical skills, conduct prolonged and targeted attacks to infiltrate networks, exfiltrate sensitive data, and disrupt critical infrastructure.

Malware hasn’t just increased—it’s become harder to detect. Evasive techniques are reshaping the threat landscape and pushing traditional security models to their limits. Today’s advanced malware campaigns are consistently slipping past multiple layers of defense—from email and network to endpoints—challenging even the most robust infrastructures.

Researchers at Foresiet have analyzed a Remote Access Trojan (RAT) known as NetSupport Manager. Originally developed as a legitimate remote access and IT support tool, NetSupport Manager has a history spanning over two decades. It provides features such as file transfer, remote desktop sharing, chat support, screen monitoring, and inventory tracking. However, in recent years, threat actors have increasingly weaponized this tool in malicious campaigns.

Trustwave SpiderLabs continuously tracks a range of malicious activities originating from Proton66 ASN, including vulnerability scanning, exploit attempts, and phishing campaigns leading to malware infections. In this two-part series, SpiderLabs explores the malicious traffic associated with Proton66, revealing the extent and nature of these attacks.