Ransomware remains one of the most disruptive cyber threats, with attackers continuously evolving their tactics and expanding their target base. Over the last six months (September 2024 to March 2025), major ransomware incidents have made headlines, affecting critical infrastructure, healthcare, telecommunications, government agencies, and cloud service providers.
These attacks highlight key trends in ransomware operations, including growing ransom demands, increased use of double extortion tactics, and targeted exploitation of supply chain vulnerabilities.
Notable Ransomware Attacks from September 2024 to March 2025
1. Medusa Ransomware Attacks on Critical Infrastructure (March 2025)
The Medusa ransomware group launched widespread attacks on over 300 organizations, including entities in healthcare, education, manufacturing, and insurance. Medusa typically gains access through phishing emails and unpatched software vulnerabilities before encrypting data and demanding a ransom. The group employs double extortion tactics, threatening to leak sensitive information if their demands are not met. Medusa ransomware attacks reinforce the growing trend of ransomware operators targeting essential services, increasing pressure on victims to pay ransoms to minimize disruption and resume operations quickly.
2. Rackspace Alleged Data Breach (March 2025)
In another high-profile incident, the Cl0p ransomware gang claimed to have breached cloud service provider Rackspace, alleging they had exfiltrated sensitive company data and uploaded it to the dark web. Cl0p stated that Rackspace refused to negotiate a ransom, leading to the release of stolen data. However, Rackspace denied the breach, stating that their security investigations found no evidence of compromise. While the full details remain uncertain at this point, the attack highlights the increasing focus on cloud service providers as high-value targets for ransomware groups.
3. DragonForce Ransomware Targets Saudi-based Organizations (February 2025)
DragonForce, a known ransomware-as-a-service (RaaS) organization, targeted real estate and construction firms in Saudi Arabia. The group set the ransom demand for February 27 — one day before the start of Ramadan —hinting at the group’s strategic planning efforts. Once the ransom deadline passed, DragonForce published 6TB of stolen data through a dedicated leak site that was separate from its primary platform.
4. Ascension Health Ransomware Attack (Discovered in Dec 2024)
Ascension, one of the largest healthcare providers in the U.S., was the victim of a ransomware attack attributed to the Black Basta group. The attack compromised the personal and medical records of nearly 5.6 million individuals. Healthcare organizations are particularly vulnerable to ransomware due to the critical nature of patient data and the potential for life-threatening disruptions. The incident underscores the urgent need for stronger cybersecurity defenses in the healthcare sector.
5. Salt Typhoon Cyberattack on U.S. Telecommunications (Late 2024)
Salt Typhoon, a state-sponsored hacking group, successfully infiltrated nine major U.S. telecommunications providers, including Verizon, AT&T, and T-Mobile. The attackers targeted critical infrastructure, including systems used for court-ordered wiretaps, compromising call and text metadata of over a million users, particularly in the Washington D.C. area. Unlike traditional ransomware attacks focused on financial extortion, this incident involved espionage tactics, demonstrating how nation-state actors are adopting ransomware-style operations to achieve strategic objectives.
6. Trinity Ransomware Attack on Spain’s Tax Agency (Dec 2024)
The Trinity ransomware group claimed responsibility for an attack on Spain’s Agencia Tributaria, alleging they had stolen 560GB of sensitive data. They demanded a ransom of $38 million, threatening to release the data if the government refused to pay. However, the Spanish tax agency reported no evidence of a security breach. This case highlights the increasing trend of ransomware groups targeting government institutions, which often hold vast amounts of sensitive citizen data.
Ransomware Attack Commonalities and Key Trends
Analyzing these attacks reveals several commonalities that provide insights into current ransomware trends and attack methods:
1. Targeting critical industries — Ransomware operators are increasingly focusing on industries where disruptions have significant consequences. The healthcare sector (Ascension Health), government institutions (Spain’s tax agency), telecommunications (Salt Typhoon), and cloud providers (Rackspace) were among the hardest hit. These industries store valuable data and provide essential services, making them prime targets for cybercriminals.
2. Double extortion as the new standard — Nearly all major ransomware groups now use double extortion tactics, in which they not only encrypt systems but also exfiltrate sensitive data. If the victim refuses to pay, attackers threaten to release the stolen data publicly, increasing the pressure to comply. Medusa, Black Basta, Cl0p, and Trinity all employed this method in recent attacks.
3. Exploiting unpatched vulnerabilities and phishing — Attackers continue to exploit software vulnerabilities and use phishing campaigns to gain initial access. The Medusa and Black Basta attacks involved unpatched security flaws and phishing emails. Organizations that fail to implement timely security patches or educate employees about phishing risks remain highly vulnerable.
4. Growing ransom demands — Ransom demands continue to rise, with some attackers seeking multi-million-dollar payouts. The Trinity attack on Spain’s tax agency involved a staggering $38 million ransom demand. While the full financial impact of other attacks is not always disclosed, ransomware groups are increasingly targeting large entities capable of paying substantial sums.
5. Increased attacks on cloud and Managed Service Providers (MSPs) — Cloud providers like Rackspace and MSPs are becoming primary targets. By compromising a single cloud or MSP, attackers gain access to multiple downstream clients, amplifying the impact. Organizations relying on these services must ensure they have their own robust security measures in place, including strong access controls and preventative measures.
6. Geographic targeting patterns — Ransomware attacks are primarily concentrated in Western nations, with North America and Europe being the most frequently targeted regions:
- North America industries remain a primary target – The U.S. has seen some of the most high-profile attacks, particularly on healthcare (Ascension Health), telecommunications (Salt Typhoon), and cloud providers (Rackspace). The financial and regulatory landscape makes U.S. businesses lucrative targets.
- European governments and institutions under attack – The Trinity ransomware attack on Spain’s tax agency is part of a broader trend where European government entities are being increasingly targeted, likely due to the vast amounts of citizen data they hold.
- A global spread, but a Western focus – While ransomware is a global issue, Western organizations, particularly in the U.S. and Europe, face most attacks due to their financial resources, regulatory pressures, and valuable data.
Fortifying the Shield with Anti-Ransomware Capabilities
Ransomware attacks are no longer just a possibility—they’re an inevitability for businesses that lack robust, proactive defenses. From crippling critical infrastructure to exfiltrating sensitive customer data, ransomware has evolved into an existential threat that demands a more advanced and holistic approach to cybersecurity.
While many solutions claim to protect against ransomware, most rely on outdated, reactive methods that leave businesses vulnerable to zero-day threats, fileless attacks, and increasingly sophisticated ransomware techniques.
Organizations generally rely on a single solution for protection against malware attacks, including ransomware. With ransomware groups becoming increasingly sophisticated and targeted, a defense in depth approach, complemented by a dedicated anti-ransomware solution, can fortify the security stack.
The Morphisec Anti-Ransomware Assurance Suite takes a comprehensive, multi-phase approach to ransomware protection. By addressing vulnerabilities before an attack, neutralizing threats in real time, and ensuring rapid recovery post-attack, Morphisec provides businesses with unparalleled resilience against modern ransomware.
It’s a prevention-first solution engineered to neutralize ransomware threats before they can execute. Unlike traditional tools, Morphisec’s approach encompasses prevention, real-time neutralization, and post-attack resilience to deliver comprehensive protection across the entire ransomware attack lifecycle. With this multi-phase defense model, Morphisec doesn’t just promise results—it delivers them.
Morphisec backs its solutions with the Ransomware-Free Guarantee, an industry-first commitment that ensures businesses are protected. In the unlikely event of a ransomware breach, Morphisec will:
- Refund 100% of your subscription fees for up to six months.
- Provide expert incident response to contain and recover from the attack.
This level of accountability is unmatched in the cybersecurity industry.
Get Ahead of Ransomware Attacks
The past six months have demonstrated that ransomware remains a serious and evolving threat that requires preemptive defense.
Attacks are increasingly targeting critical infrastructure, using double extortion tactics, and demanding higher ransoms. As attackers and well-funded ransomware gangs refine their methods, organizations must take proactive steps to bolster their security, including strengthening access controls, improving employee awareness, and ensuring robust backup and recovery strategies.
By staying vigilant and implementing preemptive cyber defense, businesses can better defend against ransomware and mitigate its potentially devastating impact.
Download the Comprehensive Checklist for Anti-Ransomware Assurance to test your organization’s ransomware readiness.
Stay up-to-date
Get the latest resources, news, and threat research delivered to your inbox.
