February sets record for highest number of ransomware attacks ever reported



A new report out today from S.C. Bitdefender SRL has revealed that February 2025 was the worst month on record for ransomware attacks, with an unprecedented 962 claimed victims.

The 962 ransomware victims in February mark a 126% year-over-year increase from February 2024, when 425 attacks were reported. The surge is noted as underscoring a growing ransomware crisis, with cybercriminals shifting tactics to exploit newly discovered software vulnerabilities at an alarming rate.

Through February, the Clop ransomware gang was the most prolific ransomware group, accounting for 335 of the recorded 962 ransomware attacks, a 300% jump from the previous month. The surge in Clop ransomware attacks is linked to the group's exploitation of two high-severity vulnerabilities in the Cleo file transfer software, CVE-2024-50623 and CVE-2024-55956, which were rated 9.8 out of 10 in severity.

The vulnerabilities allowed Clop ransomware actors to execute remote commands on unpatched systems, leading to delayed but devastating attacks in February.

The Bitdefender report also highlights a significant shift in ransomware tactics, with threat actors found to be increasingly targeting edge network devices and software vulnerabilities rather than specific industries or organizations.

Attackers were also found to be targeting high-risk vulnerabilities with high Common Vulnerability Scoring System scores that allow remote code execution, affect internet-facing software and have publicly available proof-of-concept exploits.

In a notable shift, ransomware attackers are now also using a two-stage process that allows them to maximize their impact while evading early detection.

The first stage of the process involves automated scanning and exploitation, where the attackers rapidly scan the internet for exposed systems within 24 hours of a vulnerability being publicly disclosed. The attackers then use automated tools to identify and compromise unpatched devices, gaining initial access before security teams can respond.

Once they manage to get inside a given network, the ransomware attackers then move to the manual intrusion and ransomware deployment phase, which can often take weeks or even months. During this time, the attackers carefully analyze compromised networks, escalate privileges and use living-off-the-land techniques to blend in with normal system activity.

The stealthy approach allows the attackers to remain undetected until they launch a full-scale ransomware attack. The net result is that organizations may already be compromised long before any signs of an attack become visible.

To counter the increasing surge in ransomware, Bitdefender recommends that all organizations take proactive security measures to reduce the risk of exploitation.

The recommendations include prioritizing the patching of actively exploited vulnerabilities, with a focus on those listed in the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog. Organizations should also ensure that security updates are applied as soon as possible to prevent attackers from gaining initial access.
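One way to turn this recommendation into a patch queue, as an added example (not code from Bitdefender or its report): it cross-references scanner findings against a KEV-format catalog and the exploitation profile described earlier (high CVSS score, remote code execution, internet-facing, public proof of concept). The host names, finding fields, 9.0 cut-off, tier scheme and placeholder CVE-0000-* IDs are assumptions, and the embedded catalog is a constructed sample that borrows only the KEV feed's `cveID` and `knownRansomwareCampaignUse` field names.

```python
import json

# Constructed sample shaped like CISA's KEV JSON feed (only two of its fields).
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2024-50623", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-2024-55956", "knownRansomwareCampaignUse": "Known"}
]}
""")

# Constructed scanner findings; field names and hosts are hypothetical.
FINDINGS = [
    {"host": "hr-app-03", "cve": "CVE-0000-0002", "cvss": 9.9,
     "internet_facing": False, "rce": False, "public_poc": False},
    {"host": "wiki-01", "cve": "CVE-0000-0003", "cvss": 6.5,
     "internet_facing": True, "rce": False, "public_poc": False},
    {"host": "vpn-edge-01", "cve": "CVE-0000-0001", "cvss": 9.1,
     "internet_facing": True, "rce": True, "public_poc": True},
    {"host": "mft-int-02", "cve": "CVE-2024-55956", "cvss": 9.8,
     "internet_facing": False, "rce": True, "public_poc": True},
    {"host": "mft-gw-01", "cve": "CVE-2024-50623", "cvss": 9.8,
     "internet_facing": True, "rce": True, "public_poc": True},
]

HIGH_CVSS = 9.0  # assumed cut-off for a "high" score; the article gives none


def tier(finding, kev_ids):
    """Return 0 (patch first) to 3 (normal cycle) for one finding."""
    in_kev = finding["cve"] in kev_ids
    # The four traits the report says attackers select for.
    matches_profile = (finding["cvss"] >= HIGH_CVSS and finding["rce"]
                       and finding["internet_facing"] and finding["public_poc"])
    if in_kev and finding["internet_facing"]:
        return 0  # known exploited and reachable by internet-wide scanning
    if in_kev or matches_profile:
        return 1  # exploited elsewhere, or fits the targeting profile
    if finding["cvss"] >= HIGH_CVSS:
        return 2  # severe on paper, but no exploitation signal
    return 3


def prioritize(findings, catalog):
    """Sort findings by tier, then by descending CVSS, then by host name."""
    kev_ids = {v["cveID"] for v in catalog["vulnerabilities"]}
    ranked = sorted(findings,
                    key=lambda f: (tier(f, kev_ids), -f["cvss"], f["host"]))
    return [(tier(f, kev_ids), f["host"], f["cve"]) for f in ranked]


if __name__ == "__main__":
    for t, host, cve in prioritize(FINDINGS, KEV_SAMPLE):
        print(f"tier {t}  {host:<12} {cve}")
```

In this sample the highest raw CVSS score (9.9 on an internal host with no exploitation signal) lands in tier 2, behind the KEV-listed and profile-matching findings.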

In addition to patching, proactive threat hunting and advanced detection solutions are noted as being essential in identifying hidden threats before they escalate. Bitdefender recommends that organizations deploy endpoint detection and response, extended detection and response solutions with security operations center, or managed detection and response support to help detect lateral movement within networks and stop ransomware attacks before they reach critical systems.
