Ransomware remains the attack of choice for many threat actors, and all signs point to its continued dominance. The risk-to-reward ratio heavily favors attackers, with the potential for massive payouts—2024 alone saw the largest recorded ransom payment of $75 million from a Fortune 50 company to the Dark Angels group.
The well-established ransomware-as-a-service (RaaS) model has lowered the barrier to entry, providing cybercriminals with easy access to ransomware software, intrusion tools, and even compromised IT environments via initial access brokers (IABs). With access for sale, even low-skilled attackers can deploy ransomware, fueling a crowded cybercrime ecosystem. This month alone, we tracked 238 data-leaking ransomware attacks. Let’s dive into the key incidents that shaped the threat landscape of February 2025.
The ransomware gang INC has added the City of McKinney, Texas, to its data leak site following a cyberattack that began in October 2024. The city issued a data breach notification as a result of the attack but has not revealed details about the intrusion or any ransom demand. INC's listing of the city on its leak site suggests the gang exfiltrated sensitive data before encryption, a tactic used to increase pressure on the victim and boost profits.
The data impacted by the breach is extensive and includes highly sensitive information such as Social Security numbers (SSNs), driver's license numbers, credit card information, financial account information, and medical/health insurance information. This exposure poses a significant risk to the affected individuals, potentially leading to identity theft, financial fraud, and other serious consequences.
This attack on the City of McKinney follows a string of recent ransomware attacks targeting government entities. So far this year, four government entities have confirmed ransomware attacks, including the Qilin attack on West Haven and Akira targeting Laramie County. These incidents underscore the growing threat of ransomware to critical infrastructure and the urgent need for robust cybersecurity defenses across all levels of government.
North Korean state-sponsored actors are increasingly deploying ransomware-as-a-service (RaaS) in their operations. Specifically, a newly identified group, Moonstone Sleet (formerly Storm-1789), has been observed using Qilin ransomware against select organizations since late February 2025.
Moonstone Sleet, tracked by Microsoft, is a sophisticated threat actor that combines familiar North Korean tactics with unique attack methodologies. Their objectives are twofold: financial gain and cyber espionage. To achieve these goals, they employ a variety of techniques, including:
They establish fictitious companies and job postings to engage with potential targets, primarily through platforms like LinkedIn, freelancing networks, Telegram, and email.
They distribute trojanized versions of legitimate tools, such as PuTTY, to compromise systems.
They develop and deploy custom malware loaders to deliver their payloads.
They create and distribute malicious games and npm packages to infect target systems.
They have developed and deployed new, custom ransomware.
The use of ransomware by North Korean state-sponsored actors is not a new phenomenon. Moonstone Sleet follows in the footsteps of other notorious groups:
Lazarus Group (2017): The U.S. and U.K. governments attributed the devastating WannaCry ransomware outbreak, which caused widespread disruption globally, to the Lazarus Group.
North Korean Hackers (2022): Microsoft and the FBI linked North Korean hackers to the Holy Ghost ransomware operation and Maui ransomware attacks, specifically targeting healthcare organizations.
Moonstone Sleet's activities highlight the evolving landscape of cyber warfare, where state-sponsored actors are leveraging ransomware for both financial and strategic objectives. The combination of social engineering, trojanized software, and custom malware demonstrates a high level of sophistication and underscores the need for organizations to remain vigilant against these persistent threats.
A new ransomware strain, dubbed NailaoLocker, has been discovered targeting healthcare organizations across Europe. This malicious payload is being deployed in attacks that exploit CVE-2024-24919 (CVSS: 7.5), a vulnerability in Check Point Security Gateways. The attackers are leveraging this exploit to gain initial access to targeted networks and subsequently deploy two malware families strongly linked to Chinese state-sponsored threat groups: ShadowPad and PlugX.
NailaoLocker: a combination of espionage-focused malware and ransomware
While NailaoLocker itself is considered a relatively basic ransomware variant – lacking features like process termination, advanced anti-debugging, sandbox evasion, and network share scanning – its presence alongside sophisticated malware like ShadowPad and PlugX paints a more complex picture. Researchers have observed NailaoLocker employing obfuscation and anti-debug techniques, as well as establishing communication with a remote server for persistent access. Evidence also suggests attempts at data exfiltration, including accessing the file system and creating ZIP archives.
The contrast in sophistication between NailaoLocker and the accompanying malware is notable. NailaoLocker sometimes even appears to mimic ShadowPad's loading techniques. This suggests a potential division of labor among the threat actors, with some focusing on the more complex intrusion and exfiltration while others deploy the simpler ransomware payload.
Although the exact motives behind this campaign remain unclear, the combination of espionage-focused malware and ransomware suggests a blended approach. While quick financial gain through ransomware payments may be a secondary objective, the primary goal could be long-term access to compromised systems for intelligence gathering or future disruptive operations. The campaign, even if opportunistic in some aspects, allows the threat actors to establish a foothold within targeted healthcare networks, potentially paving the way for further malicious activities.
The targeting of the healthcare sector is particularly concerning, given the sensitive nature of patient data and the critical importance of uninterrupted healthcare services.
Cytex continues to make headlines with key breakthroughs and global recognition. Here’s a look at our latest media highlights.
Cytex Recognized at UAE Ministry of Economy’s Future 100 Forum
As a guest of the UAE Ministry of Economy, Cytex Inc was honored to be a finalist in the Crimson Founders Demo Session at the prestigious Future 100 Forum at Investopia 2025. CEO Andrew Surwilo and CTO Taimur Aslam presented "AI-Driven Cyber Risk, Compliance, and GRC Unified Platform," highlighting how Cytex’s AI-powered resilience platform simplifies security challenges across compliance and governance. The event, held from February 24-28 in Dubai and Abu Dhabi, provided an incredible opportunity to engage with global leaders and innovators shaping the future of technology and security.
We're incredibly grateful to Crimson Founders, MIT Startup Exchange, Ministry Of Economy, UAE, Investopia, Anoosheh Kalantari, Cristina Dolan, and AGCC for a truly engaging event!
Presenting Cytex at Crimson Elevate x DMCC Investor Night
As part of the Crimson Founders 2025 Cohort, Cytex Inc participated in Crimson Elevate x DMCC: AGCC Investors Night, hosted by DMCC AI Centre in Dubai. The evening featured startup presentations, insights from Belal Jassoma, Director of Ecosystems at DMCC, and a founders-investors dinner, fostering valuable discussions on the future of AI and cybersecurity. Cytex is proud to be part of this dynamic ecosystem driving technological advancement.
Cytex Shapes the Future of Smart City Security at MIT
Cytex Inc played a key role at the MIT Smart Cities and Urban Development Forum on February 13, 2025, where CEO Andrew Surwilo presented "Cytex: A Complete Cybersecurity Solution for Smart Cities." The discussion explored how cybersecurity underpins urban mobility, biodiversity, and community well-being. With cities increasingly reliant on digital infrastructure, Cytex’s innovations are shaping a more secure, connected future. Thanks to the Massachusetts Institute of Technology for recognizing Cytex as a leader in cybersecurity for smart cities.
“Cybersecurity is Non-Negotiable” - Andrew Surwilo
Cytex provides AI-powered cybersecurity, risk management, and compliance operations in a unified resilience platform.
Interested? Find out more at → https://cytex.io
Cyber threats are evolving at an alarming rate!
The rise of RaaS and state-sponsored ransomware highlights the urgent need for stronger cybersecurity measures.