January 2025 Threat Trend Report on Ransomware
Purpose and Scope
This report provides statistics on new ransomware samples, targeted systems, and targeted companies collected in January 2025, as well as major Korean and international ransomware issues worth noting. Other major issues and statistics on ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (ATIP).
Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time.
Key Statistics
1. Data Sources and Collection Methods
ATIP uses AhnLab Smart Defense (ASD) to monitor and analyze the following ransomware information.
l List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
l List of targeted businesses posted on ransomware groups’ DLS
The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”.
l Ransomware/Win.Magniber : Example file detection name
l Ransom/MDP.Magniber : Example behavior detection name
The detection names acquired at the time of detection may not allow for the identification of ransomware types (e.g. Generic, Agent, Edit, Decoy, and others), and some cases may be excluded from the ransomware statistics or be counted as a different ransomware type due to changed detection names after detection or a failed detection.
The statistics on targeted businesses are the values that have been organized based on the data accumulated through regular monitoring of ransomware groups’ DLS, where the groups reveal the targeted businesses. If the DLS page was inaccessible or the collection happened late, then the data may have been excluded from the statistics or have been considered to be collected at a time different from the exact date the victim was revealed.
Therefore, this report should be used as a reference to check the general trends of ransomware samples and targeted systems and to see which ransomware groups are actively engaged in attacks through the statistics on targeted businesses to gain a general understanding of trends
2. Overall Ransomware Statistics
The total number of new ransomware samples collected in the past six months is shown below.
The number of new samples collected in January was similar to, but slightly higher than, the figures in December 2024. The types of malware that made up the number of new samples in January will be examined in “3. New Samples by Ransomware”.
The table below shows the total numbers after removing duplicate data of ransomware files used in targeted systems and infection. (The term “targeted systems” was used for convenience, but it should be understood as systems where ransomware files and behaviors were detected or systems that were exposed to infections.)
Figure 2. Systems and files affected by ransomware
Magniber ransomware infection attempts have consistently maintained relatively high and even levels. In December, the average daily number of systems infected by Magniber was about 35, and in January, it was similar at 30. Refer to “Figure 6. Daily numbers of targeted systems by ransomware (January 2025)” below for the specific numbers.
The total number of ransomware behavior detection (MDP)-based targeted systems and blocked report cases are as follows. While the number of systems with behavior detections slightly increased compared to the previous month, there were no variants or redistributions of Magniber ransomware files.
Figure 3. Reports and targeted systems with ransomware behavior detections
3. New Samples by Ransomware
Below are the statistics showing the 412 new samples that were discovered in January, organized by ransomware. Only 20 ransomware strains with the most samples are shown.
Figure 4. Number of new samples per ransomware (January 2025)
In January, a number of ransomware under the Stop detection name were collected as new samples, but upon verification, they were found to be files that had been distributed 4 to 5 years ago. Overall, the total number of new samples does not show a significant difference in quantity compared to last December. A difference from last month is the collection of new ransomware such as FunkSec, TESLA, and Ramsil.
4. Targeted Systems by Ransomware
The top 20 cases with the highest number of files used in targeted systems and infection are as follows (duplicates have been excluded).
Figure 5. Number of targeted systems and files by ransomware (January 2025)
The number of systems/files affected by Magniber showed a pattern not significantly different from the previous month. The reason Magniber ranks first in the number of affected systems/files is believed to be due to an increase in simple modifications of Magniber files or attempts to distribute files that were not previously collected. The number of systems affected by other ransomware was similar to those in the previous month.
The following statistics show the daily number of affected systems from the top 12 ransomware out of all affected systems. The daily number of systems affected by Magniber consistently remained high. Similar to the previous month, an average of 30 systems were targeted by Magniber daily.
