Executive Summary

A new threat intelligence report from KELA, titled "Escalating Ransomware Threats to National Security," reveals a dramatic escalation in ransomware attacks against critical infrastructure. Between January and September 2025, attacks on these sectors surged by 34% compared to the same period in 2024. Critical industries were the victims in 50% of the 4,701 total ransomware incidents recorded globally. The United States was the most impacted nation, suffering approximately 1,000 attacks. The report underscores a significant trend where a small number of prolific ransomware groups, including Qilin, Clop, Akira, Play, and SafePay, are responsible for a disproportionate share of the attacks, indicating a consolidation of power in the cybercrime ecosystem.

Threat Overview

The report paints a grim picture of the current ransomware landscape. The total number of attacks rose from 3,219 in 2024 to 4,701 in 2025 for the same nine-month period. Of these, 2,332 targeted critical infrastructure sectors. The manufacturing sector was hit hardest, with a 61% increase in attacks, highlighting its vulnerability to operational disruptions. Other heavily targeted sectors include healthcare, energy, transportation, and finance. KELA's analysis suggests these incidents should be treated as threats to national security, not just financial crimes, due to their potential to disrupt essential services and erode public trust. The geographical distribution of attacks shows a clear focus on Western nations, with the U.S. followed by Canada, Germany, the U.K., and Italy as the most targeted countries.

Technical Analysis

While the report focuses on trends rather than specific TTPs, the activities of the top groups provide insight into common attack methods:

• Initial Access: Prolific groups like Clop are known for exploiting zero-day vulnerabilities in widely used software, such as the MOVEit Transfer flaw (T1190 - Exploit Public-Facing Application). Other groups like Akira and Qilin frequently gain access through stolen VPN credentials (T1078 - Valid Accounts) or phishing campaigns.
• Impact: The core of these attacks is T1486 - Data Encrypted for Impact. This is almost always coupled with data theft for double extortion, where attackers threaten to leak stolen data if the ransom is not paid.
• Defense Evasion: Ransomware operators frequently use techniques to disable security software and inhibit system recovery, such as T1562.001 - Disable or Modify Tools and T1490 - Inhibit System Recovery by deleting volume shadow copies.

Impact Assessment

The 34% surge in attacks on critical infrastructure has profound implications for national security and economic stability. A successful ransomware attack on a manufacturing plant can halt production, causing supply chain disruptions. An attack on a hospital can lead to canceled surgeries and risk to patient lives. An attack on an energy provider could cause power outages. The financial costs are immense, including ransom payments, recovery expenses, and regulatory fines. The report's finding that five groups are responsible for 25% of attacks suggests that focused threat intelligence and law enforcement action against these key players could have a significant impact on reducing the overall threat.

Cyber Observables for Detection

General observables for ransomware activity include:

Detection & Response

1. Behavioral Analysis: Deploy EDR solutions that use behavioral analysis to detect ransomware activities. This includes monitoring for rapid file encryption, deletion of shadow copies, and attempts to disable security tools. This is a core function of D3-PA: Process Analysis.
2. Decoy Files: Place decoy files (honeypots) on file shares and endpoints. Use file integrity monitoring to create a high-priority alert if these files are modified or encrypted, as no legitimate process should ever touch them. This is a form of D3-DO: Decoy Object.
3. Network Segmentation: Monitor traffic between network segments. A sudden increase in SMB/RPC traffic from a workstation to multiple servers can be an indicator of a ransomware worm spreading. This falls under D3-NTA: Network Traffic Analysis.

Mitigation

• Data Backup and Recovery: The most critical defense is a robust backup strategy. Maintain offline and immutable backups of critical data so that you can recover without paying a ransom. Regularly test your restoration process. This is the primary goal of D3-FR: File Restoration.
• Patch Management: Proactively patch vulnerabilities, especially on internet-facing systems, to prevent the initial access methods used by groups like Clop (M1051 - Update Software).
• Multi-Factor Authentication (MFA): Enforce MFA on all remote access points, such as VPNs and RDP, to defend against stolen credential attacks (M1032 - Multi-factor Authentication).
• Network Segmentation: Segment networks to contain the spread of ransomware. Prevent workstations from communicating directly with each other and restrict server-to-server communication to only what is necessary (M1030 - Network Segmentation).