Cybercriminals are intensifying their methods, departing from conventional data encryption tactics to adopt a more aggressive form of extortion known as quadruple extortion. This concerning development is detailed in the latest Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape, published today by Akamai, a prominent player in cybersecurity and cloud computing.
The report highlights that while double extortion—where attackers encrypt data and threaten to leak it if a ransom is not paid—remains prevalent, the rise of quadruple extortion incorporates additional pressures. This includes employing Distributed Denial-of-Service (DDoS) attacks to disrupt a victim’s operations, as well as targeting third parties such as customers and media, thereby amplifying the pressure on the victim for payment.
“Ransomware threats are no longer solely about data encryption,” stated Steve Winterfeld, Advisory CISO at Akamai. He underscored that attackers are now exploiting “stolen data, public exposure, and service outages to heighten the pressure on victims,” transforming cyberattacks into significant business crises.
The Akamai report further examines notable trends in cybercrime. The emergence of generative AI and large language models (LLMs) enables individuals with limited technical skills to create malicious code and refine their social engineering tactics. Groups like Black Basta and FunkSec, along with various Ransomware-as-a-Service (RaaS) platforms, are quickly integrating AI into their extortion strategies.
Additionally, hybrid groups that merge hacktivist motives with ransomware operations are increasingly leveraging RaaS platforms. These platforms permit individuals or groups to rent ransomware tools and infrastructure, enhancing their effectiveness for various political, ideological, and financial motivations. A notable example is Dragon RaaS, which surfaced in 2024 from the Stormous group and now targets smaller, less secure organizations.
The research indicates that particular sectors are disproportionately affected by cyber threats. Nearly half of cryptomining attacks, which involve unauthorized use of a victim’s computer resources for cryptocurrency mining, have targeted non-profit and educational institutions. This vulnerability can largely be attributed to such organizations typically having fewer resources allocated for cybersecurity measures.
TrickBot: The Malware Behind Hundreds of Millions in Crypto Extortion
For years, TrickBot malware has been notorious for hijacking cryptocurrency transactions, with the financial ramifications of these activities becoming increasingly evident. This malware family, widely utilized by ransomware groups, has been responsible for extorting over $724 million in cryptocurrency from victims since its inception in 2016.
Although TrickBot’s infrastructure was dismantled in 2020, Akamai’s Guardicore Hunt Team recently observed suspicious activity associated with it on several client systems, signaling its enduring impact.
How Does TrickBot Infect a Device?
TrickBot predominantly spreads through phishing emails designed to appear as legitimate correspondence from banks, delivery services, or government entities. These emails often include malicious attachments, such as Word or Excel files, or links to compromised websites. Upon opening these attachments, users may be prompted to enable macros, which, if activated, execute harmful scripts that silently install TrickBot on the system.
Beyond phishing, TrickBot can capitalize on unpatched software vulnerabilities. If a system is not updated with the latest security fixes, the malware can exploit these weaknesses to gain access or spread within a network. Often, TrickBot is also delivered alongside other malware, especially Emotet or QakBot, which serve as loaders to set the stage for TrickBot’s subsequent infection.
Once TrickBot infiltrates a system, it collects login credentials, maps connected systems, and infects additional machines. This chain of infection enables it to gather more data and occasionally deploy ransomware, exacerbating the impact on the victim.
James A. Casey, Akamai’s Vice President and Chief Privacy Officer, emphasized the necessity of robust cybersecurity protocols, incident reporting, and effective risk management strategies, such as Zero Trust and micro-segmentation, to defend against these evolving threats. He urged organizations to remain vigilant and adapt their defenses to counter the changing tactics employed by cyber extortionists.