Annual report: Nastiest Malware 2025

From ransomware that grinds operations to a halt to stealthy attacks that drain resources and erode trust, today’s malware is built to cause maximum damage. This Nastiest Malware 2025 report exposes the top offenders you need to watch out for so you can outsmart attackers before they strike.

Qilin

 

• Persona: Digital dragon chimera, coiled around servers and computers, glowing with sinister energy.
• Alias: "Qilin"
• Type: Ransomware (volume leader)
• Why scary: Most active ransomware group of 2025 (over 200 attacks in Q2), alarmingly aggressive toward healthcare, public sector, and large enterprise. Specializes in exploiting recent vulnerabilities and extorts massive sums.
• Notable fact: Overtook all competitors after law enforcement takedowns; possible ties to state-affiliated hackers.
• Key tactics: Advanced exploitation, double-extortion, rapid development of new encryptors.
  
  

Akira

 

• Persona: Shadowy ninja/samurai figure with code “blades” and enterprise firewall shields.
• Alias: "Akira"
• Type: Ransomware (persistent operator)
• Why scary: Holds 14–19% of ransomware market, perfectly balanced between stealth and impact—targets global manufacturers, retailers, and constructors with surgical extortion.
• Notable fact: Keeps out of the headlines by rarely targeting hospitals—prefers high-value business targets.
• Key tactics: Reliable infrastructure, disciplined affiliate model, avoids attracting law enforcement.
  
  

Scattered Spider

 

• Persona: Gigantic, glowing-eyed spider, spinning webs of code, baiting human victims.
• Alias: "Scattered Spider" (UNC3944)
• Type: Social engineering syndicate
• Why scary: Masters of vishing, SIM-swapping, and social engineering—able to bring entire companies to a halt in days.
• Notable fact: High-profile attacks involve collaboration with other elite cybercrime groups (including ShinyHunters).
• Key tactics: Credential theft, targeted vishing, impersonation, exploiting VPNs and remote access.
  
  

Play Ransomware

 

• Persona: Eerie jester/harlequin pulling marionette strings on locked computers, glowing stage.
• Alias: "Play"
• Type: Ransomware (steady consistency)
• Why scary: Third most active ransomware threat this year, excels at exploiting vulnerable servers and moving laterally for maximum IT/OT disruption.
• Notable fact: Keen focus on supply chain and IT providers makes them a force multiplier for other attacks.
• Key tactics: Intermittent encryption, ESXi targeting, quiet consistency.
  
  

ShinyHunters

 

• Persona: Hooded treasure hunter with spectral hands holding stolen data and digital keys.
• Alias: "ShinyHunters"
• Type: Data extortion group
• Why scary: The face of cloud/SaaS data extortion—leads exfiltration-driven ransoms (Salesforce, Google, etc.), often partners with other social engineering groups.
• Notable fact: Their breaches hit major enterprises, exposing millions of business and consumer records.
• Key tactics: Exfiltration, public shaming, delayed extortion, cross-group collaboration.
  
  

Lumma Stealer

 

• Persona: Ghostly wraith emerging from a compromised laptop, swirling credentials into a digital void.
• Alias: "Lumma Stealer" (plus new variants like Rhadamanthys)
• Type: Infostealer-as-a-Service
• Why scary: Even after law enforcement shutdowns, quickly returns with smarter delivery, fueling access for countless ransomware attacks.
• Notable fact: Over 394,000 infections in two months pre-takedown; core supplier to extortion and ransomware groups.
• Key tactics: Credential theft, stealer delivery innovation, rapid variant evolution.
  
  

Ghastly goings-on: 2025’s most sinister cyber trends

• Targeted social engineering: Widespread use of vishing, deepfakes, and personalized attack lures.
• Infostealer supply chains: Credential theft as the “front door” for ransomware—access sold or reused.
• Enterprise and infrastructure attacks: Manufacturing, energy, and cloud services hit hardest.
• Fast-changing tactics: Groups mutate their malware rapidly, recycling brands, attack routines, and infrastructure.
• State actor involvement: Evidence that North Korean and Russian groups increasingly leverage ransomware for revenue.

Survival tips: How to stay out of the crosshairs

• Lock down remote desktop protocol (RDP): Disable if not needed; use strong controls and monitoring.
• Patch or die: Update operating systems, network devices, SaaS apps, and endpoints without delay.
• Multi-factor authentication (MFA) everywhere: Especially for SaaS, VPN, and privileged accounts.
• Employee training: Run frequent, realistic phishing and social engineering tests.
• Back up smart: Follow the 3-2-1 rule—three copies, two different media, one offsite and immutable.
• Incident response plan: Develop and regularly test a playbook tailored to ransomware and cloud breach scenarios.
• Password managers and hygiene: Enforce long, unique passwords for everyone.
• Secure IoT and smart devices: Change defaults, update firmware.
• Limit social sharing: Prevent oversharing of business and personal info online.

Want to stay ahead of 2025’s nastiest malware by attending our webinar?