February 2025 Threat Trend Report on Ransomware
Purpose and Scope
This report provides statistics on new ransomware samples, targeted systems, and targeted companies collected in February 2025, as well as major Korean and international ransomware issues worth noting. Other major issues and statistics on ransomware that are not mentioned in the report can be found by searching for the following keywords or via the Statistics menu at AhnLab Threat Intelligence Platform (ATIP).
Disclaimer: The number of ransomware samples and damaged systems is based on the detection names assigned by AhnLab, and statistics on targeted companies are based on the information published on the dedicated leak sites (DLS) of the ransomware group, also referred to as ransomware PR sites or PR pages, collected by the ATIP infrastructure over time.
Key Statistics
1. Data Sources and Collection Methods
ATIP uses AhnLab Smart Defense (ASD) to monitor and analyze the following ransomware information.
l List of malicious files and behaviors detected and collected by AhnLab Smart Defense (ASD)
l List of targeted businesses posted on ransomware groups’ DLS
The number of new ransomware samples and statistics on targeted systems were calculated based on the detection names designated by AhnLab. They were also limited to cases where the detected files and behaviors were diagnosed under the category of “Ransomware/” or “Ransom/”.
l Ransomware/Win.Magniber: Example file detection name
l Ransom/MDP.Magniber: Example behavior detection name
The detection names acquired at the time of detection may not allow for the identification of ransomware types (e.g. Generic, Agent, Edit, Decoy, and others), and some cases may be excluded from the ransomware statistics or be counted as a different ransomware type due to changed detection names after detection or a failed detection.
The statistics on targeted businesses are the values that have been organized based on the data accumulated through regular monitoring of ransomware groups’ DLS, where the groups reveal the targeted businesses. If the DLS page was inaccessible or the collection happened late, then the data may have been excluded from the statistics or have been considered to be collected at a time different from the exact date the victim was revealed.
Therefore, this report should be used as a reference to check the general trends of ransomware samples and targeted systems and to see which ransomware groups are actively engaged in attacks through the statistics on targeted businesses to gain a general understanding of trends.
2. Overall Ransomware Statistics
The total number of new ransomware samples collected in the past six months is shown below.
Figure 1. Number of new ransomware samples
The number of new samples collected in February decreased slightly compared to January. The types of malware that made up the number of new samples in February will be examined in “3) New Samples by Ransomware”.
The table below shows the total numbers after removing duplicate data of ransomware files used in targeted systems and infection. (The term “targeted systems” was used for convenience, but it should be understood as systems where ransomware files and behaviors were detected or systems that were exposed to infections.)
Figure 2. Systems and files affected by ransomware
Magniber ransomware infection attempts have consistently maintained relatively high and even levels. In January, the average daily number of systems infected by Magniber was about 30, and in February, it was similar at about 35. Refer to “Figure 6. Daily numbers of targeted systems by ransomware (February 2025)” below for the specific numbers.
The total number of ransomware behavior detection (MDP)-based targeted systems and blocked report cases are as follows. While the number of systems with behavior detections slightly increased compared to the previous month, there were no variants or redistributions of Magniber ransomware files.
Figure 3. Reports and targeted systems with ransomware behavior detections
