February 2025 Deep Web and Dark Web Trends Report
Note
This trend report on the deep web and dark web for February 2025 is divided into the sections Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. We would like to note beforehand that some of the content has not yet been confirmed to be true.
Main Issues
1) Ransomware
(1) Overview
In February 2025, the ransomware ecosystem saw significant changes. While the established major ransomware groups continued their activities, new groups such as Run Some Wares, Anubis, Kraken Group, and Linkc entered the market. These new groups have been introducing tactics that set them apart from the existing groups, accelerating the diversification of the ransomware ecosystem. Even after the attack in January this year, in which over 500 companies were affected, the threat actors have continued their attack activities. Additionally, while ransomware revenue decreased in 2024, the number of damage cases increased to a record high of 5,263, and total ransomware payments decreased by 35% compared to the previous year, totaling $813 million.[1] This indicates that the improvement of organizations’ threat response capabilities and the pressure from law enforcement agencies are producing visible results.
It is worth noting that internal conflicts among ransomware groups are surfacing. The internal chat leak of Black Basta revealed a division within the group, and a decrease in their activities was observed as a result. Furthermore, the arrest of the Phobos ransomware gang leader through Operation Phobos Aetor and the seizure of the 8Base website had a significant impact on the ransomware ecosystem.
(2) Trends of Major Ransomware Groups
- Anubis
They have emerged as a new ransomware group, claiming to have attacked four companies and operating a multi-tiered profit model. They also threatened an attack on the U.S. casino resort Two Kings Casino. The operators are active on the RAMP forum (‘superSonic’), the XSS forum (‘Anubis__media’), and X (formerly Twitter), and given that all of their posts are in Russian, it is highly likely that the operators are from Russia or a Russian-speaking country.
This group has introduced a new type of affiliate program on RAMP and stated that they operate a multi-tiered profit model that includes not only RaaS but also Data Ransom and Access Monetization. This shows a higher level of sophistication in the business model of ransomware operations.
- Black Basta
On February 11, 2025, a large number of internal Matrix chat logs of the Black Basta ransomware gang were leaked.
The reason for the leak has not been disclosed, but it is highly likely to be related to the attack on Russian banks by Black Basta. The leaked chat records include the internal chat messages of Black Basta from September 18, 2023, to September 28, 2024.
Black Basta is a ransomware-as-a-service (RaaS) group that emerged in April 2022. The group has attacked numerous major companies worldwide and extorted a total of $100 million in ransom. Due to internal conflicts earlier this year, Black Basta largely halted its operations. It has been reported that some operators received ransom payments from victims but did not provide the decryption keys, engaging in fraudulent behavior. This leak shows similarities to the 2022 Conti ransomware group’s case of internal chat and source code leak.
- Cl0p
This group shows the most systematic and sophisticated activities. They regularly update the list of 182 CLEO victim companies and have advanced their attack management. They have been continuously targeting global manufacturers, including Marelli Holdings, a multinational automotive parts manufacturer based in Japan, and are assumed to be pursuing a supply chain disruption strategy.
- Fog
The group’s tactics also evolved: it shifted to leaking source code taken from the affected companies’ GitLab instances and began exposing the IP addresses of the affected companies when releasing data. The attack on VMO Holdings, a Vietnamese IT outsourcing company, shows its intention to target the IT service supply chain in Asia.
- Kraken Group
It appears that the HelloKitty group has rebranded itself as a new ransomware group and is now operating the data leak site (DLS) of the Kraken group. They have posted and leaked the data of three new companies in the United States.
- Lockbit
They maintained a showy and provocative communication strategy, such as posting public messages to FBI Director Kash Patel on DLS. These actions are interpreted as an intention to directly confront law enforcement agencies.
- Medusa
They are showing a pattern of actively attacking the public sector and have targeted the Benton Police Department in Arkansas, USA, and HCRG Care Group, a healthcare company in the UK. This is seen as a strategic approach of prioritizing attacks on social service providers.
- RansomHub
This group has attacked targets across five continents, including Pakistan (Macter), the United Arab Emirates (NAGA Architects), Taiwan (Transcend Information, Inc.), South Africa (SAWS), and Germany (Escada). These attacks demonstrate an opportunistic vulnerability-based pattern without regional focus.
- Run Some Wares
As a new ransomware group, they claimed to have attacked four companies in the U.S. and Thailand (retail, investment advisory, manufacturing, and accounting services).
(3) Damage by Industry
- Manufacturing Industry