CyberheistNews Vol 15 #30 | July 29th, 2025
[Heads Up] Ransomware is Back—and Smarter Than Ever in 2025: Trends
By Roger Grimes
I’ve been following ransomware since the first one, the AIDS Trojan (also known as PC Cyborg), was released in December 1989. It locked up victim computers and demanded $189 (or $378 for a “lifetime” license) be mailed to a P.O. Box in Panama. A lot has changed since then.
The invention of cryptocurrencies, particularly Bitcoin in January 2009, was largely responsible for the explosion of ransomware by September 2013. This was when CryptoLocker ransomware was released to the world. Ransomware gangs have been making many billions of dollars per year ever since.
The “double extortion” phase of ransomware, where gangs exfiltrate data (and often logon credentials) before encrypting and then threaten to leak it, started in November 2019. Now, well over 90% of ransomware exfiltrates data. Forty percent (40%) of ransomware gangs only do data exfiltration (without the encryption threat) to get paid.
There was a slight “down year” in ransomware payments in 2022, and everyone wondered whether the world had finally started to get ransomware under control. But it was a one-year anomaly and ransomware payments were higher than ever in 2023. But then they fell again, significantly, in 2024 according to Chainalysis.
Are we starting to make a dent in ransomware? Possibly. There have been dozens of major successful law enforcement actions and sanctions against ransomware gangs and members. Collectively, this has broken up many ransomware groups and caused infighting and dissolution within many of those that remain. Will this result in fewer attacks and lower ransom payments in 2025?
We will see.
While we wait, here are some notable ransomware trends in 2025:
- Ransomware gangs have been exploiting more software and firmware vulnerabilities over the last few years. Social engineering is still the number one initial access method by far, but its share has dropped a few percentage points
- Use CISA’s Known Exploited Vulnerability Catalog (https://www.cisa.gov/known-exploited-vulnerabilities-catalog) to make sure you are patched.
- Average ransom paid (if paid) was just over $500K. Median payment was under $250K
- Fewer victims are paying the ransom than ever before. Payment rates that used to be near 70% of all ransomware victims are now down to 25%, and that is part of a long downward trend
- Ransomware gangs are morphing into data breach gangs, concentrating on compromising large amounts of data for ransom or resale
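A practical way to act on the KEV advice above is to cross-reference the catalog feed against your own asset inventory and sort the gaps by what matters most: entries CISA flags as used in ransomware campaigns, then how far past the due date they are. The following is an added example written for this newsletter, not code from CISA or KnowBe4. The field names (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse) are those of the live JSON feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalog rows, CVE identifiers, products and inventory below are constructed placeholders so the script runs offline.

```python
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed. The CVE IDs, vendors and
# products are placeholders for illustration, not real catalog rows.
KEV_FEED = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-1001", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
   "dateAdded": "2025-07-01", "dueDate": "2025-07-22", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1002", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
   "dateAdded": "2025-07-20", "dueDate": "2025-08-10", "knownRansomwareCampaignUse": "Unknown"},
  {"cveID": "CVE-0000-1003", "vendorProject": "OtherVendor", "product": "FileShare",
   "dateAdded": "2025-06-15", "dueDate": "2025-07-06", "knownRansomwareCampaignUse": "Known"},
  {"cveID": "CVE-0000-1004", "vendorProject": "Unrelated", "product": "Widget",
   "dateAdded": "2025-07-10", "dueDate": "2025-07-31", "knownRansomwareCampaignUse": "Unknown"}
]}
""")

# Constructed asset inventory: what is deployed, and which KEV CVEs the
# vulnerability scanner already reports as remediated on that asset.
INVENTORY = [
    {"asset": "vpn-01", "vendorProject": "ExampleCorp", "product": "EdgeGateway",
     "remediated": {"CVE-0000-1001"}},
    {"asset": "nas-02", "vendorProject": "OtherVendor", "product": "FileShare",
     "remediated": set()},
]


def kev_gaps(feed, inventory, today_iso):
    """Return unremediated KEV entries per asset.

    Sorted so ransomware-linked entries come first, then by days past due date
    (negative days_overdue means the due date has not arrived yet).
    """
    today = date.fromisoformat(today_iso)
    by_product = {}
    for v in feed["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        by_product.setdefault(key, []).append(v)

    gaps = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for v in by_product.get(key, []):
            if v["cveID"] in asset["remediated"]:
                continue
            due = date.fromisoformat(v["dueDate"])
            gaps.append({
                "asset": asset["asset"],
                "cve": v["cveID"],
                "ransomware": v.get("knownRansomwareCampaignUse") == "Known",
                "days_overdue": (today - due).days,
            })
    gaps.sort(key=lambda g: (not g["ransomware"], -g["days_overdue"]))
    return gaps


if __name__ == "__main__":
    for gap in kev_gaps(KEV_FEED, INVENTORY, "2025-07-29"):
        print(gap)
```

Two caveats when you run this against the real feed: the due dates are the deadlines CISA sets for U.S. federal agencies under BOD 22-01, so treat them as a sensible default rather than an obligation, and vendor/product strings in the catalog are not always spelled the way your CMDB spells them, so expect to maintain a small alias table for the products you care about.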
[CONTINUED] Blog post with links:
https://blog.knowbe4.com/ransomware-trends-in-2025
[Live Demo] Ridiculously Easy AI-Powered Security Awareness Training and Phishing
Phishing and social engineering remain the #1 cyber threat to your organization, with 68% of data breaches caused by human error. Your security team needs an easy way to deliver personalized training—this is precisely what our AI Defense Agents provide.
Join us for a demo showcasing KnowBe4’s leading-edge approach to human risk management with agentic AI that delivers personalized, relevant and adaptive security awareness training with minimal admin effort.
See how easy it is to train and phish your users with KnowBe4’s HRM+ platform:
- SmartRisk Agent™ – Generate actionable data and metrics to help you lower your organization’s human risk score
- Template Generator Agent – Create convincing phishing simulations, including Callback Phishing, that mimic real threats. The Recommended Landing Pages Agent then suggests appropriate landing pages based on AI-generated templates
- Automated Training Agent – Automatically identify high-risk users and assign personalized training
- Knowledge Refresher Agent and Policy Quizzes Agent – Reinforce your security program and organizational policies
- Enhanced Executive Reports – Track user activities, visualize trends, download widgets and improve searching/sorting to provide deeper insights and streamline collaboration
See how these powerful AI-driven features work together to dramatically reduce your organization’s risk while saving your team valuable time.
Date/Time: Wednesday, August 6 @ 2:00 PM (ET)
Save My Spot:
https://info.knowbe4.com/kmsat-demo-2?partnerref=CHN
Thousands of Spoofed News Sites Are Pushing Investment Fraud Scams
Scammers are using over 17,000 phony news sites to push investment fraud, according to a new report from CTM360.
These websites, which the researchers call “Baiting News Sites (BNS),” spread via legitimate ad platforms such as Google or Meta. The sites impersonate well-known news providers, including CNN, the BBC, CNBC, News24 and ABC News. If a user clicks on one of these ads, they’ll be shown a fake news article about a well-known figure promoting a phony investment opportunity.
“Clicking the ad redirects to a fake news article designed to resemble CNN, Bloomberg, or local media outlets,” the researchers explain.
“These articles impersonate high-profile individuals and financial institutions, including central banks, and publish fabricated stories and quotes that suggest these entities endorse a platform called ‘Eclipse Earn,’ a supposed automated crypto investment system.”
Notably, the websites are tailored to target specific regions around the world. The phishing sites reference politicians, celebrities, and banks that are relevant to the users who see the ads. The attacks target users in more than fifty countries across the Americas, Europe, the Middle East, Africa, the Asia-Pacific and Oceania.
The sites are designed to trick users into sending money and handing over sensitive information that can be used in future attacks.
“Victims are lured into making an initial deposit of around $240 to ‘activate’ their trading accounts on fraudulent platforms such as Solara or Vynex,” the researchers write. “After payment, the platform simulates access to live trading dashboards, showing fake profit growth to reinforce legitimacy and encourage continued engagement.”
After making an initial payment, the phishing site displays phony excuses such as “system errors, pending verification, or processing limits” to trick victims into continuing to send money while being unable to withdraw their supposed profits.
KnowBe4 empowers your workforce to make smarter security decisions every day. Over 70,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Blog post with links:
https://blog.knowbe4.com/thousands-of-spoofed-news-sites-push-investment-scams
Boost Your Browsing Security: Integrate SecurityCoach with Microsoft Edge for Business
Managing the security gap between your technical defenses and user behavior just got easier!
Introducing KnowBe4 SecurityCoach for Microsoft Edge for Business integration. As one of the only human risk management platforms with a native reporting connector in Microsoft Edge for Business, SecurityCoach now transforms your browser into a real-time coaching platform.
It delivers immediate guidance when users engage in risky browser behavior, such as visiting suspicious websites, reusing passwords or attempting to bypass security warnings.
Why Risky Browser Activity is a Threat to Organizational Security
- Gartner predicts that by 2030, enterprise browsers will be the core platform for delivering workforce productivity and security software on managed and unmanaged devices for a seamless hybrid work experience.
- Attackers have evolved from conventional malware to more sophisticated techniques, such as malware that dynamically reassembles itself within browsers. This allows attackers to bypass traditional security measures while exploiting the fact that most organizations incorrectly treat browsers as trusted applications.
- Risky browser behaviors, including storing sensitive information, using weak passwords, installing untrusted extensions, falling victim to phishing attacks, using unsecured networks, and failing to clear cache and cookies, significantly increase security risks
Learn More
https://blog.knowbe4.com/boost-your-browsing-security-integrate-securitycoach-with-microsoft-edge-for-business
Phishing Trends: Spotify Returns to the Top Ten Most Impersonated Brands
Check Point has published a report on phishing trends in the second quarter of 2025, finding that Microsoft, Google and Apple were the top three most commonly impersonated brands last quarter. Interestingly, Spotify rose to claim a spot as the fourth most spoofed brand.
“In one of the quarter’s most notable campaigns, cyber criminals impersonated Spotify to lure users into a credential-harvesting trap,” Check Point says. “The phishing site was hosted at: premiumspotify, which redirects users to a malicious URL.
The malicious page replicated the official Spotify login experience, complete with authentic branding and design. Victims were asked to enter their usernames and passwords, which were then funneled to a fake payment page that attempted to steal credit card details as well.
This campaign marks Spotify’s first reappearance in phishing top charts since Q4 2019—and underscores how entertainment services are now being exploited just as aggressively as tech platforms.”
The technology industry is still the most popular target for phishing attacks, followed by social networks and retail. “The technology sector remains the top target for phishing campaigns,” Check Point says. “With platforms like Microsoft 365, Gmail, and iCloud central to users’ digital lives, attackers see these brands as gateways to everything from business credentials to personal data.
“Social networks (LinkedIn, WhatsApp, Facebook) and retail/travel platforms (Amazon, Booking.com) are also regularly spoofed, especially when attackers aim to exploit users’ trust in day-to-day services.”
The report warns of a surge in phishing attacks impersonating Booking.com to trick users with phony confirmation pages. “Another trend that stood out in Q2 was the sophisticated impersonation of Booking.com,” the researchers write.
“Check Point researchers detected over 700 newly registered domains using the format confirmation-id****[.]com — a number 100 times higher than in previous quarters.
“What made these scams particularly dangerous was the inclusion of personalized details (name, email, phone number) to make the booking confirmation pages appear authentic and urgent. All sites were short-lived and have since been taken down.”
Check Point has the story:
https://blog.checkpoint.com/research/phishing-trends-q2-2025-microsoft-maintains-top-spot-spotify-reenters-as-a-prime-target/
Check Out KnowBe4 at Black Hat 2025!
KnowBe4 is thrilled to be returning to Black Hat in a few short weeks, and this year we’re going BIG! Our brand-new booth #1661 is packed with incredible experiences, exclusive networking opportunities and unforgettable moments you won’t want to miss.
The highlight of the week? KnowBe4’s 15th Birthday Celebration. I plan to be there too!
Join us Wednesday, August 6th from 3-4pm at booth #1661 as we celebrate this major milestone with style. We’re talking drinks, cupcakes, a photo booth, amazing prizes and more!
But the excitement doesn’t stop there:
- Book a 1:1 product demo and enter to win exclusive AirTags
- Create a monogrammed luggage tag to keep your suitcase as safe as your data
- Enjoy exclusive after-party invitations and extended networking events
- Connect with industry leaders and cybersecurity innovators
Mark your calendar, bring your colleagues and help us make this 15th birthday one for the books.
Discover More!
https://info.knowbe4.com/blackhat-us
Let’s stay safe out there.
Warm regards,
Stu Sjouwerman, SACP
Founder and Exec Chair
KnowBe4, Inc.
PS: [BUDGET AMMO] The Rise Of Adaptive Security Training: Personalized Risk Management:
https://www.forbes.com/councils/forbestechcouncil/2025/07/23/the-rise-of-adaptive-security-training-personalized-risk-management/
PPS: The New APIsec University Training Modules Are Now Available in KnowBe4’s Diamond Library:
https://blog.knowbe4.com/new-apisec-university-training-modules-now-available-in-knowbe4s-diamond-library
Quotes of the Week
“Companies that win are the ones where the CEO uses ChatGPT every day.”
– Dan Shipper (founder of AI-native company Every)
“You’re on your own. And you know what you know. And you are the one who’ll decide where to go.”
– Dr. Seuss – Writer (1904 – 1991)
You can read CyberheistNews online at our Blog
https://blog.knowbe4.com/cyberheistnews-vol-15-30-heads-up-ransomware-is-back-and-smarter-than-ever-in-2025-trends
Security News
Report: Attackers Are Using AI to Hide Phishing Sites
Threat actors are using AI-powered cloaking services to hide their phishing sites from security tools, according to a new report from SlashNext.
Commodity cloaking-as-a-service (CaaS) tools use fingerprinting and filtering techniques to show benign webpages to security scanners, while directing humans to malicious sites. These techniques aren’t new, but AI tools have made them much more effective.
“This dual-personality delivery is extremely effective at deceiving security tools,” SlashNext explains. “URL scanning bots and ad network crawlers report back that the website looks clean because they only saw the white page.
“Meanwhile, actual victims get the scam content and potentially fall prey. It’s essentially selective camouflage, and AI-based cloaking services have elevated it to a science. By using JavaScript fingerprinting to profile devices (screen resolution, browser plugins, timezone, touch capabilities, and more) and continual machine learning analysis of what constitutes a normal vs suspicious visitor, cloakers can filter traffic with incredible granularity.”
Two of the most popular cloaking tools, Hoax Tech and JS Click Cloaker, are ostensibly meant to help online marketers, but cybercriminals are making extensive use of them. Hoax Tech uses a custom AI engine called Matchex to analyze patterns common to advanced bots, learning over time as the bots improve.
JS Click Cloaker uses machine learning to analyze website visitors against a massive database in order to detect bots. “Cybercriminals are effectively treating their web infrastructure with the same sophistication as their malware or phishing emails, investing in AI-driven traffic filtering to protect their scams,” SlashNext says.
“It’s an arms race where cloaking services help attackers control who sees what online, masking malicious activity and tailoring content per visitor in real time. This increases the effectiveness of phishing sites, fraudulent downloads, affiliate fraud schemes, and spam campaigns, which can stay live longer and snare more victims before being detected.”
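To make the “dual-personality delivery” concrete, here is the cloaker’s decision reduced to a runnable sketch, followed by the defender-side check it implies. This is an added example written for this newsletter, not SlashNext’s code or that of any cloaking vendor; the fingerprint signals are the ones the quote lists (screen, plugins, timezone, touch) plus common headless-browser tells, and the weights, threshold and both visitor profiles are constructed assumptions.

```python
# Visitor profiles as a cloaker assembles them from JavaScript fingerprinting
# plus request metadata. Both profiles are constructed for this example.
SCANNER_PROFILE = {
    "user_agent": "Mozilla/5.0 (X11; Linux x86_64) HeadlessChrome/126.0 Safari/537.36",
    "webdriver": True, "plugins": 0, "screen": (800, 600),
    "timezone": None, "touch_points": 0, "languages": [], "ip_type": "datacenter",
}
REALISTIC_PROFILE = {
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/126.0 Safari/537.36",
    "webdriver": False, "plugins": 3, "screen": (1920, 1080),
    "timezone": "America/New_York", "touch_points": 0, "languages": ["en-US"],
    "ip_type": "residential",
}


def bot_score(p):
    """Illustrative scoring: each signal nudges the visitor toward 'bot'."""
    score = 0
    ua = p.get("user_agent", "").lower()
    if p.get("webdriver"):                                            # navigator.webdriver
        score += 5
    if any(tag in ua for tag in ("headless", "bot", "curl", "python")):
        score += 5
    if p.get("plugins", 0) == 0:                                      # no browser plugins
        score += 2
    if p.get("screen") in (None, (0, 0), (800, 600)):                 # default headless viewport
        score += 2
    if not p.get("timezone"):
        score += 2
    if not p.get("languages"):
        score += 2
    if p.get("ip_type") == "datacenter":                              # scanner egress, not a home ISP
        score += 3
    return score


def cloaked_page(p, threshold=5):
    """What the cloaker serves: a benign 'white page' to suspected bots, the scam to humans."""
    return "WHITE_PAGE" if bot_score(p) >= threshold else "MONEY_PAGE"


def detect_cloaking(fetch, profiles):
    """Defender side: fetch the same URL under several profiles and diff what comes back."""
    pages = {name: fetch(p) for name, p in profiles.items()}
    return {"cloaked": len(set(pages.values())) > 1, "pages": pages}


PROFILES = {"scanner": SCANNER_PROFILE, "realistic": REALISTIC_PROFILE}

if __name__ == "__main__":
    print(detect_cloaking(cloaked_page, PROFILES))
```

The lesson for anyone operating a URL sandbox or link scanner is in the first profile: a stock headless browser on a datacenter IP trips nearly every check at once, so it will only ever see the white page and will report the link as clean. A scanner that wants a chance at seeing the real content has to present a realistic fingerprint, and the comparison in detect_cloaking only works if at least one of the profiles gets through. In production you would compare a normalized text or DOM hash rather than the whole page, since legitimate sites also vary by locale and device.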
KnowBe4 empowers your workforce to make smarter security decisions every day.
SlashNext has the story:
https://slashnext.com/blog/how-threat-actors-use-ai-to-hide-malicious-sites/
How Hackers Exploit Microsoft Teams in Social Engineering Attacks
Attackers are using Microsoft Teams calls to trick users into installing the Matanbuchus malware loader, which frequently precedes ransomware deployment, according to researchers at Morphisec.
Matanbuchus is a malware-as-a-service offering that allows threat actors to install additional payloads onto infected Windows systems. “Over the past nine months, Matanbuchus has been used in highly targeted campaigns that have potentially led to ransomware compromises,” Morphisec says.
“Recently, Matanbuchus 3.0 was introduced with significant updates to its arsenal. In one of the most recent cases (July 2025), a Morphisec customer was targeted through external Microsoft Teams calls impersonating an IT helpdesk. During this engagement, Quick Assist was activated, and employees were instructed to execute a script that deployed the Matanbuchus Loader.”
The threat actors use social engineering to walk the employee through the download of a malicious file, which results in malware installation.
“Victims are carefully targeted and persuaded to execute a script that triggers the download of an archive,” the researchers write. “This archive contains a renamed Notepad++ updater (GUP), a slightly modified configuration XML file, and a malicious side-loaded DLL representing the Matanbuchus loader.
“In previous campaigns from September 2024, an MSI installer was downloaded, which ultimately led to a similar flow of Notepad++ updater sideloading execution.”
Once the malware is installed, it creates a stealthy foothold to maintain persistence on the infected system. “To continuously dial home, Matanbuchus needs to create persistency; this is achieved by scheduling a task,” Morphisec says. “While it sounds simple, Matanbuchus developers implemented advanced techniques to schedule a task through the usage of COM and injection of shellcode.”
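The chain Morphisec describes (a renamed Notepad++ updater, a DLL side-loaded from the same folder, then a scheduled task for persistence) is detectable from ordinary endpoint telemetry without knowing the loader’s hash. Below is an added detection example written for this newsletter, not Morphisec’s or KnowBe4’s code. It assumes your EDR records the PE version resource’s OriginalFileName on process creation (as Sysmon event 1 does), signature status on image loads, and task registrations attributable to a process; the event records, file names, task name and user path are constructed, and the side-loaded DLL name is a placeholder rather than the one used in the real campaign.

```python
import ntpath

# Constructed, Sysmon-like events. The first three are the malicious chain from a
# script the user was talked into running; the last two are a legitimate
# Notepad++ update, included so the rule is shown not to fire on it.
EVENTS = [
    {"type": "ProcessCreate", "pid": 4120,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Update\svc-update.exe",
     "original_file_name": "gup.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "signed": True},
    {"type": "ImageLoad", "pid": 4120,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\Update\svc-update.exe",
     "loaded": r"C:\Users\jdoe\AppData\Local\Temp\Update\helper.dll",
     "signed": False},
    {"type": "TaskRegistered", "pid": 4120,
     "task": r"\Microsoft\Windows\Maintenance\UpdateCheck",
     "action": r"C:\Users\jdoe\AppData\Local\Temp\Update\svc-update.exe"},
    {"type": "ProcessCreate", "pid": 5210,
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "original_file_name": "gup.exe",
     "parent_image": r"C:\Program Files\Notepad++\notepad++.exe",
     "signed": True},
    {"type": "ImageLoad", "pid": 5210,
     "image": r"C:\Program Files\Notepad++\updater\GUP.exe",
     "loaded": r"C:\Program Files\Notepad++\updater\libcurl.dll",
     "signed": True},
]

# Where the genuine updater lives. Extend this for per-user installs in your estate.
EXPECTED_DIRS = {r"c:\program files\notepad++\updater"}


def suspicious_gup_activity(events):
    """Flag GUP.exe running under another name outside its install directory,
    any unsigned DLL it loads from its own folder, and any task it registers."""
    findings = []
    renamed = {}  # pid -> image path of a GUP instance running where it should not
    for e in events:
        if e["type"] == "ProcessCreate" and e.get("original_file_name", "").lower() == "gup.exe":
            if ntpath.dirname(e["image"]).lower() not in EXPECTED_DIRS:
                renamed[e["pid"]] = e["image"]
                findings.append((e["pid"], "renamed_gup_outside_install_dir"))
        elif e["type"] == "ImageLoad" and e["pid"] in renamed:
            same_dir = ntpath.dirname(e["loaded"]).lower() == ntpath.dirname(e["image"]).lower()
            if same_dir and not e["signed"]:
                findings.append((e["pid"], "unsigned_dll_sideloaded_from_process_dir"))
        elif e["type"] == "TaskRegistered" and e["pid"] in renamed:
            findings.append((e["pid"], "scheduled_task_persistence"))
    return findings


if __name__ == "__main__":
    for finding in suspicious_gup_activity(EVENTS):
        print(finding)
```

The first finding alone is worth an alert: a signed vendor updater whose internal name does not match the file name it runs under, launched from a user-writable temp folder by a PowerShell parent, is exactly what a user following “IT helpdesk” instructions over an external Teams call would produce. The DLL and scheduled-task findings add confidence but arrive after the loader is already running, so the process-creation rule is the one to tune and deploy first.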
Morphisec has the story:
https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up/
[New Whitepaper] Best Security Practices for AI Prompting and Building Agent Systems
Bob Fabien wrote on X: “While some are still paying over a grand for AI courses, the biggest players are giving away high-value resources at no cost. From prompt engineering to agent frameworks, it is all here.”
And here is a little present from me to you. I grabbed the new Agent Mode of OpenAI and told it to create an executive summary of the best practices in all the below guides and documents. Then I ran an edit over it for readability and completeness.
I also included Case Study: Building a Cybersecurity Incident Classifier.
Hoping this saves you a bunch of time. Here it is as a 21-page PDF, great for your next lunch and learn. Enjoy!
Here is the blog post with the link:
https://blog.knowbe4.com/new-whitepaper-best-security-practices-for-ai-prompting-and-building-agent-systems
What KnowBe4 Customers Say
“Hi Nichol, I just wanted to reach out to give feedback on Aariel. She is absolutely awesome. I come from a support background and have a very high standard. She is nothing short of exceptional. I can’t begin to tell you the value add she provides with her continuing assistance of our deployment of KnowBe4. Take care of her!”
– J.C. Associate Director, Head of IT
The 10 Interesting News Items This Week
Cyberheist ‘Fave’ Links