Palo Alto Networks, a global leader in AI-driven cybersecurity, has released the latest Unit 42 Ransomware Report. The “Extortion and Ransomware Trends January-March 2025” report reveals a significant evolution in threat actor tactics. Specifically, attackers are now collaborating with state-backed groups and using aggressive extortion scams to extract payments from organizations worldwide.
While organizations across the Asia-Pacific and Japan (APJ) region are improving their security posture, the threat landscape continues to shift. Many companies now detect intrusions early in the attack lifecycle, often before attackers can execute their main objectives. Consequently, more incident response cases are successfully contained at the network access stage. Despite this progress, ransomware and extortion campaigns continue to succeed at alarming rates.
In response, threat actors are intensifying their methods. The latest Unit 42 Ransomware Report found that attackers are using more aggressive tactics to pressure victims, which helps them secure higher and more consistent payouts. Organizations must therefore stay aware of these trends and employ a defense-in-depth strategy to remain prepared for sophisticated ransomware attacks.
Expert Insight on the Shifting Threat Landscape
“We’re seeing a clear shift in how ransomware and extortion actors operate globally and across the Asia-Pacific and Japan region,” stated Philippa Cogswell, Vice President and Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks. “Attackers are shifting from traditional encryption tactics to more aggressive and manipulative methods. These include false claims, leveraging insider access, and using tools that disable security controls. Ultimately, these new and evolving tactics show just how critical it is for organisations to move beyond reactive defences. Instead, they must invest in security strategies that provide full visibility and rapid response across their environments.”
The Ransomware Threat in the Philippines
In the Philippines, ransomware continues to pose a serious threat to both public and private organizations. These attacks have caused major disruptions to online services. They have also encrypted sensitive data across critical systems, often halting operations until ransoms are paid or systems are restored.
With millions of cyber threats detected daily in the country, the risk of ransomware demands urgent and coordinated action. In fact, the Philippines’ National Cybersecurity Plan 2023–2028 prioritizes the protection of critical information infrastructures. The plan specifically adopts a proactive defense posture. This includes ransomware readiness and incident response capabilities. However, to stay ahead of these attacks, organizations must also invest in proactive threat detection, adopt AI-powered security tools, and strengthen collaboration across sectors.
Key Trends from the Unit 42 Ransomware Report
The latest report identifies several critical trends that businesses and security professionals need to be aware of.
Attackers Are Lying to Get Paid
Unit 42 observed a growing number of extortion scams. In these cases, threat actors use fake data to pressure victims. They have even sent physical ransom notes to executives’ homes, escalating the psychological pressure.
Manufacturing Remains the Top Target
Continuing a multi-year trend, the manufacturing sector remains the industry most frequently targeted by ransomware attacks. The second most impacted industry is wholesale & retail, followed by professional & legal services.
Cloud and Endpoint Security Are Under Siege
Attackers are increasingly using sophisticated tools known as “EDR killers.” These tools are specifically designed to disable endpoint security sensors. Furthermore, attackers are targeting cloud systems more aggressively than ever before.
AI-Generated Insider Threats Are on the Rise
The report highlights a disturbing new trend. Specifically, North Korean state-backed operatives are using AI-generated identities. They pose as remote IT workers to gain insider access. Once inside, they have extorted companies by stealing proprietary code and threatening public leaks.
RansomHub Emerges as Top Threat
The Unit 42 Ransomware Report identifies RansomHub as the most prolific ransomware variant observed during the reporting period. This marks a sharp rise for the group, which was first identified as an emerging threat in mid-2024. News outlets like BleepingComputer have also been tracking its rapid escalation.
For all the details and data, read the full “2025 Extortion and Ransomware Trends” report: https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/