March 2025 Deep Web and Dark Web Trends Report
Note
This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that there are some parts of the content that cannot be verified for accuracy.
Key Issues
1) Ransomware
1. Overview
In March 2025, the ransomware ecosystem saw the emergence of new threat groups and the active operations of existing groups. In particular, the ransomware threat landscape saw rapid changes with the emergence of numerous new groups such as Chaos, RALord, Arkana Security, SecP0, 0X Thief, Frag, Crazy Hunter Team, Weyhro, VanHelsing, and Nightspire.
One notable trend is the increasing attacks against government agencies and critical infrastructures across a wide range of industries. Major government organizations such as the Baltimore City State’s Attorney’s Office in the US, the Ministry of Foreign Affairs in Ukraine, and a state-owned defense company in Argentina have fallen victim to ransomware attacks.
On the technical side, threat actors have been advancing their endpoint detection and response (EDR) evasion techniques. For instance, the Akira ransomware is employing a new technique that uses the webcam to bypass EDR solutions, and the Hellcat ransomware is making attempts to hide its encrypted communications. Additionally, the PE32 ransomware is utilizing advanced encryption techniques that combine AES-256 CTR, ML-KEM, Kyber1024, and RSA-4096. This shows that encryption technologies are also evolving.
2. Trends of Major Ransomware Groups
- Chaos
This group recently emerged as a new ransomware group and claims to have attacked four U.S.-based companies. Its attack methods and target selection show a systematic approach, with multiple companies attacked in a short period of time.
- Hellcat
Cases of distributing new samples through Pastebin and FileHosting services and attempts to delete logs to conceal encrypted communications have been observed. The group has attacked *** LLC, a vehicle management solution company in the U.S., and *** Holdings, a mobile device manufacturer in China. They are also carrying out a global hacking campaign targeting Jira servers. There are also concerns about the possibility of breaches involving zero-day vulnerabilities.
- RansomHub
A ransomware attack that uses the multifunctional backdoor Betruger has been identified. Some of the major affected companies include an automotive door moving system manufacturer in Korea, an industrial automation equipment manufacturer in Japan, a diesel engine and turbocharger manufacturer in Germany, a surfing and lifestyle brand in the U.S., a distributor of building and consumer goods in Indonesia, and a casino and hotel complex in the U.S. The threat actor is suspected of using advanced attack techniques, as evidenced by its additional use of EDRKillShifter.
- KillSecurity
They attacked the European branch of ***era, a Japanese document management solution provider, and *** Limited, a pharmaceutical company in India. They also target financial institutions, claiming to have attacked *** National Bank, a financial services company in the Cayman Islands.
- Qilin
One of the most active groups this month, they attacked Japan’s Utsunomiya Central Clinic, a specialist cancer treatment clinic; Spain’s Los Madroños Hospital; the court in Cleveland, Ohio, USA; *** Corporation, an automation device company in Japan; a US-based communication solution provider ***; Ukraine’s Ministry of Foreign Affairs; *** Auto Group, a US-based car sales group; and Gaines County, a local government in Texas. The group’s FTP server, previously located in Russia, has been moved to Hong Kong, indicating that the group is in the process of changing its operational infrastructure.
- Medusa
This group, first identified in 2021, has attacked over 300 key infrastructure organizations in the U.S. They recently targeted the city of Aurora, showing a particular focus on the public sector and core infrastructure.
- CL0P
They attacked the U.S. multi-cloud solution provider *** Technology, a Japanese automotive parts manufacturer *** Holdings, and the Mexican branch of the U.S. home improvement retail company The Home ***. The threat actor is maintaining their strategy of continuously targeting global corporations.
- Anubis
They are actively recruiting partners with access to corporate networks to expand their operations. There are also detected activities related to the BlackPanther and Louis ransomware families.
- Babuk v2
The threat actor claimed to have attacked the Vietnamese Ministry of National Defense, the South Korean Ministry of National Defense, and China’s largest online shopping platform, Taobao. However, since cases of reusing leaked data have been identified, the actual breach status needs to be verified. They also claimed to have attacked the Indian Ministry of Defense, but the possibility of this being a false claim has been raised.
3. Damages by Industry
- Manufacturing
The manufacturing sector suffered the most damage this month as well, accounting for about 35% of all attacks. Various manufacturing fields were targeted, including automotive part manufacturers (P**, *** Holdings, *** Auto Products), industrial automation equipment manufacturers (*** Ltd., *** Corporation), and electronics component manufacturers (***sumi, *** Thailand). Asian manufacturing companies suffered particularly great damage, which is attributed to the threat actors’ strategic attack pattern of disrupting global supply chains.
※ For more information, please refer to the attachment.