Ransomware Surge: 4 Cyber Threat Groups Wreaking Havoc in February 2025
The cybersecurity landscape continues to face relentless attacks from organized ransomware groups. In February alone, four major threat actors—Cactus, RansomHub, Play, and Medusa—have been particularly active, targeting organizations across various industries.
This data is collected from two of Alvaka’s cybersecurity partners, Cyber Guards USA and Cybolt. These findings match what Alvaka has seen in the past two months in our ransomware recovery practice. Below is a breakdown of the tactics and techniques these groups are employing.
Cactus – Targeting VPN and Firewall Vulnerabilities
- Victims: 14
- Primary Entry Point: Exploiting vulnerabilities in VPNs and firewalls
- Tactics & Techniques:
  - Uses legitimate RMM (Remote Monitoring & Management) software (dwagent, ScreenConnect) to maintain persistence.
  - Conducts network reconnaissance using netscan.
  - Deploys Command & Control (C2) tools, primarily Chisel.
  - Relies on Living Off the Land (LOTL) techniques, including RDP and SSH.
  - Exfiltrates data using WinSCP and rClone.
Geographic Focus:
Cactus has been heavily targeting organizations on the U.S. West Coast and Canada. The attackers have also been observed emailing and calling employees of victim organizations, indicating a social engineering component.
RansomHub – A Ransomware-as-a-Service (RaaS) Operation
- Victims: 37
- Tactics & Techniques:
  - Uses a variety of legitimate RMM software (AnyDesk, Atera, N-Able, ScreenConnect, Splashtop).
  - Leverages Windows LOLBins (BITSadmin, PSExec) to execute malicious payloads.
  - Exfiltrates data through WinSCP, rClone, and PSCP.
- Threat Model: RansomHub is likely operating under a Ransomware-as-a-Service (RaaS) model, meaning multiple affiliates conduct attacks under a shared infrastructure.
- Leak Site Activity: This group has been actively updating their leak site daily, showcasing a consistent stream of new victims.
Play – Defense Evasion and Stealthy Exfiltration
- Victims: 30
- Tactics & Techniques:
  - Uses defense evasion tools such as IOBit to avoid detection.
  - Deploys offensive security tools like WinPEAS and Cobalt Strike to gain deep network access.
  - Relies on LOLBins like PSExec and WinSCP for stealthy data exfiltration.
Play has shown a strong emphasis on remaining undetected for prolonged periods, making it one of the more difficult groups to mitigate.
Medusa – Phishing, Network Reconnaissance, and Destruction
- Victims: 26
- Primary Entry Point: Phishing attacks
- Tactics & Techniques:
  - Uses PowerShell and Command Prompt to execute malicious commands.
  - Conducts network reconnaissance with netscan.
  - Maintains persistence through ScreenConnect.
  - Uses BITSadmin and PSExec for lateral movement.
  - Exfiltrates data over SSH on port 443, making detection more difficult.
- Post-Exfiltration Actions:
  - Removes logs to erase evidence.
  - Destroys backups.
  - Executes final-stage ransomware encryption.
Medusa’s structured attack chain shows a high level of sophistication, especially in covering its tracks before deploying ransomware.
Key Takeaways & Defensive Measures
The patterns emerging from these attacks highlight three major security concerns:
- Exploitation of vulnerabilities in VPNs and firewalls (Cactus).
- Increased abuse of legitimate RMM software for persistence (RansomHub, Play, Medusa).
- Social engineering and phishing as primary attack vectors (Medusa, Cactus).
How to Defend Against These Threats:
- Patch and Update – Ensure VPNs, firewalls, and endpoint security software are regularly updated.
- Monitor RMM Activity – Identify unauthorized use of tools like AnyDesk, ScreenConnect, and Splashtop.
- Implement Multi-Factor Authentication (MFA) – Prevent unauthorized access even if credentials are stolen.
- Conduct Phishing Awareness Training – Educate employees to recognize and report suspicious emails.
- Enable Network Segmentation – Limit the ability of attackers to move laterally within an organization.
- Review Data Exfiltration Tools – Monitor for unauthorized use of WinSCP, rClone, and SSH-based transfers.
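As an added example (not code from the Alvaka post or its partners), the following Python flags the RMM, exfiltration and recon/C2 tools named above when they appear in process-creation records on hosts where they are not sanctioned, and flags SSH banners observed on port 443 (the Medusa exfiltration pattern). The record format, host names, file paths and allowlist are constructed assumptions, not a real EDR or NetFlow schema.

```python
import re

# Tools the report attributes to Cactus, RansomHub, Play and Medusa, by role.
TOOL_CATEGORY = {
    "dwagent": "rmm", "screenconnect": "rmm", "anydesk": "rmm", "atera": "rmm",
    "n-able": "rmm", "splashtop": "rmm",
    "winscp": "exfil", "rclone": "exfil", "pscp": "exfil",
    "netscan": "recon", "chisel": "c2", "bitsadmin": "lolbin", "psexec": "lolbin",
}
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_kv(line):
    """Parse 'key=value key2="quoted value"' records (constructed log format)."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def flag_tools(lines, allowlist):
    """(host, tool, category) per process naming a watched tool, unless allowlisted."""
    findings = []
    for line in lines:
        rec = parse_kv(line)
        host = rec.get("host")
        haystack = (rec.get("image", "") + " " + rec.get("cmd", "")).lower()
        for tool, category in TOOL_CATEGORY.items():
            if tool in haystack and tool not in allowlist.get(host, set()):
                findings.append((host, tool, category))
    return findings

def flag_ssh_on_443(flows):
    """(host, dst) for flows to port 443 whose first bytes are an SSH banner, not TLS."""
    hits = []
    for line in flows:
        rec = parse_kv(line)
        if rec.get("dport") == "443" and rec.get("banner", "").startswith("SSH-"):
            hits.append((rec.get("host"), rec.get("dst")))
    return hits

# Constructed sample telemetry (not real EDR or NetFlow output).
PROCESS_LOG = [
    'host=ws01 image="C:\\Tools\\rclone.exe" cmd="rclone copy D:\\Finance remote:x"',
    'host=srv02 image="C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe" cmd=""',
    'host=ws07 image="C:\\Users\\Public\\ScreenConnect.exe" cmd=""',
    'host=ws07 image="C:\\Windows\\System32\\bitsadmin.exe" cmd="bitsadmin /transfer job"',
]
FLOW_LOG = [
    'host=ws01 dst=203.0.113.10 dport=443 banner="SSH-2.0-OpenSSH_9.6"',
    'host=ws01 dst=198.51.100.5 dport=443 banner="\\x16\\x03\\x01"',
]
ALLOWLIST = {"srv02": {"screenconnect"}}  # the help desk's sanctioned RMM server
```

Run `flag_tools(PROCESS_LOG, ALLOWLIST)` and `flag_ssh_on_443(FLOW_LOG)` to see the sanctioned ScreenConnect server stay quiet while the user-profile copy, rclone, bitsadmin and the SSH-on-443 flow are reported.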
These four ransomware groups are refining their techniques and expanding their operations. As cybercriminals become more advanced, organizations must take a proactive approach to security by implementing strong defense mechanisms, monitoring network activity, and educating employees about emerging threats.
Need Immediate Assistance?
If your organization is experiencing a ransomware incident or needs cybersecurity support, Alvaka’s ransomware recovery team is available to help.