April 2025 Deep Web and Dark Web Trends Report

Disclaimer

This trend report on the deep web and dark web of March 2025 is sectioned into Ransomware, Data Breach, DarkWeb, CyberAttack, and Threat Actor. Please note that there are some parts of the content that cannot be verified for ac

Key Issues

1) Ransomware

1. Overview

In April 2025, the ransomware ecosystem saw new groups emerge and existing groups rebrand and change tactics. The rebranding of RALord to NOVA and the emergence of new groups such as Gunra, Silent Team, BERT, Devman, and Crypto24 were particularly noticeable. DragonForce’s reintroduction of the RansomBay RaaS program through the white-label model is also noteworthy. Qilin grew rapidly and carried out precision attacks across industries, launching active attacks against targets such as the operating company of a Malaysian airport, a construction material distribution company in Fiji, and a major corporation in South Korea.

Ransomware groups targeted a variety of industries, including manufacturing, logistics, finance, IT, and public institutions. The infrastructure of global security companies was also targeted. Geographically, the Asia-Pacific region and the Middle East emerged as new focal points of attack. Technically, infiltration techniques continued to evolve: the proliferation of AI-based attack tactics, exploitation of the CrushFTP server vulnerability, use of the Windows CLFS zero-day vulnerability, and distribution of disguised IT tools using the ClickFix method were all observed. New revenue models, such as double extortion strategies and strategies to encourage insider collaboration, are also being adopted.

2. Trends of Major Ransomware Groups

  • Akira

They attacked the server of H*** V***, an IT service provider in the United States, and also targeted T*** N***, a global security communication and printing solutions company based in Singapore, and F*** Hotels and Resorts, a hotel chain also based in Singapore. Although they experienced technical issues with their DLS (dedicated leak site), they have declared that their activities will continue.

  • DragonForce

They are expanding their ransomware cartel under a white-label model and have relaunched the RansomBay RaaS program on the RAMP forum, announcing that they will provide operational support. They attacked the P*** Automotive Group in Grove City, Oklahoma. At the end of April, a major infrastructure failure occurred on their DLS, and they announced that they would move to a new file server, which would lead to a large-scale leak. They also announced that RansomHub would be moved to DragonForce’s dark web infrastructure, showing a high level of connectivity.

  • Interlock

They are carrying out double extortion attacks targeting the medical and educational sectors as well as public institutions. They attacked US kidney dialysis company D*** and indoor entertainment company A*** I*** K*** & G***. They used an advanced attack method that employs the ClickFix technique to distribute disguised IT tools and breach systems.

  • Medusa

This threat actor is reemerging with AI-based attacks: adaptive attacks that use AI technology to automatically generate sophisticated phishing emails and send follow-up emails based on the recipient’s response. They are targeting high-profile organizations, such as N***, a U.S. motorsports governing body, and are demonstrating the ability to bypass defense systems using advanced AI.

  • Qilin

This group, the most active, has been attacking global conglomerates in succession. Companies that have suffered damages include M*** A*** H*** Berhad, the airport operator in Malaysia; R***, a hardware and construction material distribution company in Fiji; C*** LLC, a motor vehicle manufacturer in the U.S.; a Korean conglomerate; B***, a Thailand-based security equipment installation company; H***, a U.S.-based silicon wafer manufacturer; A***, an industrial equipment sales and leasing company in Singapore; and A***, a U.S.-based H*** service provider. The group has rapidly risen to prominence by employing a precision strike strategy that targets a wide range of industries.

  • RALord/NOVA

After RALord rebranded to NOVA, they began operating their partnership program. They attacked the Saudi Arabian water treatment company R*** and its holding company A*** Group. They introduced a new partnership panel called NOVA and enhanced their operating methods, launching a concentrated attack on the Middle East.

  • New Ransomware Groups

New ransomware groups such as Gunra, Silent Team, BERT, Devman, and Crypto24 have emerged. In particular, Crypto24 attacked the Vietnamese ICT company C***, and Devman targeted C***, the Singaporean branch of a Chinese state-owned construction company, and the Spanish fashion e-commerce platform F***. These new groups are rapidly establishing their foundations and targeting various regions and industries.

3. Damages by Industry

  • Manufacturing and Logistics Industries

The Japanese global logistics company K*** suffered server failures and operational disruptions due to a ransomware attack. The American motor vehicle manufacturer C***, the Indian health and personal hygiene product manufacturer M***, and the Malaysian logistics and transportation company M*** were also affected. In particular, global logistics companies were heavily targeted, which can be seen as an effective way of applying pressure through supply chain disruption.