
According to experts at Bitdefender Labs, February 2025 was a record-breaking month. Ransomware attacks increased by 126 percent compared to February 2024. Attacks continued to target vulnerabilities with high CVSS risk ratings.
For their analysis as part of the monthly Bitdefender Threat Debrief, Bitdefender experts evaluated publicly available information (OSINT) and the dark web data breach websites – dedicated leak sites (DLS) – operated by over 70 ransomware gangs. Compared to 425 victims in February 2024, the number rose to 962 in February 2025 – an increase of 126 percent. A key reason for this increase is increasingly opportunistic, automated scanning for known vulnerabilities. These scans are then followed by manually executed attacks, often after several weeks of preparation.
USA and Europe in the focus of the attackers
597 of the documented attacks found their victims in the USA. Germany ranks fourth with 27 affected companies – behind number two Canada (58 attacks) and Great Britain (36), and ahead of France with 16 attacks.
The reason for these rising numbers lies in a shift in attacker strategy, which, according to Martin Zugec, Technical Solutions Director at Bitdefender, "still surprises many: Instead of focusing on individual companies or industries, some ransomware groups are becoming increasingly opportunistic, targeting newly discovered software vulnerabilities in edge network devices."
Regardless of whether they are financially motivated or state-supported hacker groups, the actors focus on vulnerabilities:
- that have a high CVSS risk score;
- that allow hackers to gain remote control over a system;
- concerning software accessible via the Internet; and
- for which an exploit developer or other malicious actor has already published a Proof of Concept (PoC).
To gain initial access through a vulnerability, attackers often launch scans within 24 hours, searching for vulnerable systems. The subsequent manual hack, often disguised by the hackers using living-off-the-land techniques, takes longer. Ransomware attacks therefore typically occur with a delay of weeks or months.
Clop (Cl0p) group most active
The Clop (Cl0p) group, which was the most active in February and was responsible for 335 of 962 attacks, demonstrates this pattern. It exploited the vulnerabilities CVE-2024-50623 and CVE-2024-55956 in the file transfer software Cleo, each rated 9.8. The vulnerabilities were disclosed in October and December 2024, respectively. Three months later, the hackers' laborious manual work is bearing delayed fruit.
About Bitdefender
Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de