CyberCube Report Finds Ransomware Expanding to New Territories, LockBit Group Remains Highly Active

Executive Summary

A new report from cyber analytics firm CyberCube indicates a significant shift in the global ransomware landscape. The H2 2025 Global Threat Briefing reveals that ransomware attacks are no longer concentrated in a few well-defended markets. Instead, threat groups are actively expanding their operations into new geographic regions and industry verticals, particularly those with less mature security postures. This globalization of the ransomware threat means that organizations can no longer consider themselves at low risk simply based on their location or sector. The LockBit RaaS operation is highlighted as a major force behind this expansion.

Threat Overview

The report's key finding is that ransomware is becoming a more evenly distributed, global problem. Attackers are demonstrating a clear strategy of moving towards softer targets.

• Geographic Expansion: Threat actors are shifting focus away from heavily targeted and well-defended regions like North America and Western Europe, and increasing attacks in areas with developing cyber defenses.
• Industry Expansion: Similarly, industries that were previously considered lower-risk are now seeing an uptick in attacks. The report notes that while some sectors have strong security baselines, others show significant weaknesses, such as exposed remote services and unpatched software. The construction industry was cited as a prime example of a newly targeted sector.
• Key Threat Actor: The LockBit ransomware-as-a-service (RaaS) group continues to be a dominant and highly active player, driving much of the expansion into new territories and targeting a wide range of industries, including the public sector.

Technical Analysis

The trend described in the report is driven by the industrialization of cybercrime, epitomized by the RaaS model. RaaS platforms like LockBit provide affiliates with the tools, infrastructure, and support to launch sophisticated attacks, effectively lowering the barrier to entry.

• RaaS Model: This allows less-skilled actors to lease ransomware and launch attacks, leading to a higher volume and wider distribution of incidents. The core RaaS operators take a cut of the profits, incentivizing them to recruit affiliates in diverse geographic regions.
• Opportunistic Targeting: Many ransomware attacks are opportunistic. Attackers scan the internet for vulnerable systems, such as unpatched VPNs or exposed RDP ports (T1133 - External Remote Services). Organizations in less-targeted regions may have been slower to patch these vulnerabilities, making them easy targets as attackers broaden their scans.
• Varying Security Postures: The report emphasizes that security hygiene can vary dramatically even within the same industry. This means attackers can find vulnerable targets in almost any sector, rendering industry-based risk assessments less reliable.

Impact Assessment

• Increased Risk for All: The primary implication is that a far broader range of organizations must now consider themselves at high risk of a ransomware attack. Complacency based on geography or industry is no longer a viable stance.
• Insurance Market Pressure: This trend will put pressure on the cyber insurance market, as risk models will need to be adjusted to account for the more uniform global threat distribution.
• Need for Universal Baseline Security: The findings underscore the critical importance of implementing fundamental security controls for all organizations, regardless of size, sector, or location. The attackers are actively seeking out those who have failed to do so.

Detection & Response

Given the widespread nature of the threat, detection and response must focus on common ransomware TTPs rather than actor-specific indicators.

• EDR/XDR: Deploy and properly configure an Endpoint/Extended Detection and Response solution to detect common ransomware behaviors like rapid file encryption (T1486 - Data Encrypted for Impact) and deletion of volume shadow copies (T1490 - Inhibit System Recovery).
• Network Monitoring: Monitor for C2 beaconing and lateral movement activity via protocols like RDP and SMB.
• Active Directory Monitoring: Monitor for credential abuse and privilege escalation techniques within Active Directory, as this is a key step in most enterprise-wide ransomware attacks.

Mitigation

The report serves as a call to action for all organizations to strengthen their fundamental security hygiene.

• Patch Management: Aggressively patch internet-facing systems and critical vulnerabilities. This remains the single most effective defense against opportunistic attacks.
• Secure Remote Access: Disable RDP on internet-facing systems. All remote access should be protected by Multi-factor Authentication (MFA).
• Data Backup and Recovery: Maintain immutable, offline backups of critical data. Regularly test your ability to restore from these backups. This is the last line of defense and is crucial for recovery without paying a ransom.
• Network Segmentation: Segment networks to prevent a ransomware infection on a workstation from spreading to critical servers and backup systems.
• User Training: Train users to recognize and report phishing emails, which are a primary initial access vector for ransomware.