
Unit 42 reports that cybercriminals are using more aggressive extortion methods for bigger payouts, urging organisations to stay vigilant, track ransomware developments, and adopt comprehensive, layered cybersecurity strategies to mitigate growing threats
Palo Alto Networks has published its Unit 42 Extortion and Ransomware Trends report for January–March 2025, highlighting a sharp evolution in cybercriminal tactics. The report points to a rise in aggressive extortion methods, increased collaboration among threat actors—including suspected state-backed groups—and the use of sophisticated scams to extract higher ransom payments. With India and the wider Asia-Pacific and Japan (JAPAC) region experiencing a surge in such attacks, the findings emphasize the urgent need for organisations to adopt intelligence-led, proactive cybersecurity strategies.
Encouragingly, many organisations in the JAPAC region are improving their security posture, with a growing number detecting intrusions early in the attack lifecycle—often at the network access stage—before major damage is done. However, ransomware and extortion campaigns continue to prove effective. According to Unit 42’s incident response data, threat actors are responding by intensifying their pressure tactics to secure faster and larger payouts. The report urges organisations to stay informed of emerging ransomware trends and adopt a layered, defence-in-depth approach to cybersecurity.
“We’re seeing a clear shift in how ransomware and extortion actors operate globally and across the Asia-Pacific and Japan region. Attackers are shifting from traditional encryption tactics to more aggressive and manipulative methods including false claims, insider access, and tools that disable security controls,” said Philippa Cogswell, Vice President and Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks. “These new and evolving tactics show just how critical it is for organisations to move beyond reactive defences and invest in security strategies that provide full visibility and rapid response across their environments.”
In India, ransomware and malware remain severe threats, with nearly 1 million ransomware detections reported in the past year alone. The report also highlights there is 1 ransomware incident per 595 detections and one malware incident per more than 40,000 detections, highlighting the scale and frequency of these attacks. The ransomware landscape has undergone a significant transformation over the past two years, with threat actors adopting sophisticated and strategic tactics to target organisations of all sizes, from startups to large-scale enterprises. According to the Ransomware Retrospective 2024, ransomware attacks remain a major concern for the Indian manufacturing sector, which has been a persistent target in recent years.
Huzefa Motiwala, Senior Director, Technical Solutions, India and SAARC, Palo Alto Networks, says, “In a rapidly transforming country like India, organisations are navigating a complex mix of modern and legacy changes. As mentioned above, the manufacturing sector, in particular, has been a persistent target for ransomware attacks over the past couple of years. The rapid adoption of AI has empowered organisations and threat actors alike. This highlights the urgent need for organisations to bolster their cybersecurity framework and incorporate comprehensive security measures to fortify their defences against complex ransomware campaigns.”
Key findings of the report include:
· Attackers are lying to get paid: Unit 42 observed a growing number of cases of extortion scams using fake data and even physical ransom notes sent to executives’ homes.
· Manufacturing remains the top ransomware target, continuing a trend that has persisted for several years. The second most impacted industry is wholesale & retail, followed by professional & legal services.
· Ransomware activity by headquarters location: The most targeted countries are the United States, Canada, the UK and Germany.
· Cloud and endpoint security are under siege: Attackers are increasingly using “EDR killers” to disable endpoint security sensors and targeting cloud systems more aggressively than ever before.
· AI-generated insider threat extortion on the rise: North Korean operatives using AI-generated identities to pose as remote IT workers have extorted companies by stealing proprietary code and threatening public leaks.
· RansomHub emerges as top ransomware variant: RansomHub became the most prolific ransomware observed during the reporting period. This marks a sharp rise from mid-2024, when it was first identified as an emerging threat to watch.