The fortress is dead. For decades, cybersecurity was defined by perimeters, walls, and the illusion of inside versus outside. But ransomware actors have evolved faster than our defenses, exploiting a fundamental truth: the cloud didn't just move the perimeter—it vaporized it entirely.
Today's ransomware campaigns aren't just attacking endpoints or exploiting CVEs. They're weaponizing the unseen, unchecked, and unprotected communication pathways between cloud workloads—the massive blind spot that traditional security tools can't reach. While we focused on securing the edge, adversaries moved inside, exploiting implicit trust to move laterally, escalate privileges, and encrypt data undetected.
This is the architectural gap that defines the ransomware crisis of 2025.
In this inaugural edition of the Ransomware Roundup, we profile 10 threat groups exploiting cloud-native gaps in visibility, segmentation, and policy enforcement. These actors represent the new breed of cloud-aware adversaries. The profiles are followed by guidance on how Aviatrix's Cloud Native Security Fabric (CNSF) disrupts them, mapped stage by stage to the Unified Kill Chain.
What You'll Learn:
The names, tactics, and activities of major ransomware groups in H1 2025
The victims of each attack and common cloud weaknesses exploited
How Aviatrix's CNSF uses zero trust principles and Paul Pols' Unified Kill Chain framework to protect organizations from these attacks
Most Active Groups in 2025
These groups are driving the most incident volume in H1 2025. Their large affiliate bases and rapid exploitation of exposed services have made them dominant players in breach headlines and SOC escalations.
SafePay
Victims: 198+ (as of May 2025)
Attack Pattern: RDP/VPN brute-force, credential stuffing, double extortion
Business Impact: Causes widespread SaaS disruptions and SLA breaches; common in healthcare and logistics environments
RansomHub
Victims: 534+ confirmed as of late 2024
Notable Attack: Large-scale ransomware event affecting a U.S.-based healthcare and financial transaction platform
Business Impact: Triggered widespread disruption in claims processing, partner settlements, and patient services; underscored the fragility of hybrid infrastructure in regulated industries
Qilin
Victims: 50+ in May 2025 alone
Payload: Rust-based Agenda ransomware
Business Impact: Targets critical infrastructure and manufacturing; downtime leads to lost revenue and supply chain penalties
Cloud Infrastructure Specialists
These groups specialize in exploiting the architecture and trust boundaries of multicloud and hybrid environments. They target ESXi hypervisors, abuse native tools, and move freely through east-west traffic paths that traditional firewalls miss.
Play (PlayCrypt)
Tactics: CVE-2025-29824 (Windows CLFS zero-day); ESXi + IaaS exploitation
Business Impact: Encrypts large volumes of VMs and virtual desktops, paralyzing DevOps, backups, and business continuity plans
BianLian
CISA/FBI Alert: Nov 2024
Tactics: Data extortion using Azure Storage Explorer, no encryption
Business Impact: Silent data theft leads to damaging disclosures and regulatory fines; especially harmful to finance and legal sectors
RaaS and Persistence-Centric Threat Groups
These groups prioritize scale, stealth, and long-term persistence. They operate Ransomware-as-a-Service (RaaS) platforms and use legitimate admin tools to establish deep footholds in hybrid cloud networks.
Medusa
Victims: 300+ (as of Dec 2024, per CISA)
Tactics: RaaS model, AnyDesk + PDQ Deploy for lateral movement, double extortion
Business Impact: Frequent attacks on education, healthcare, and state/local agencies; compromises backups and encrypted data to stall recovery
Akira
Victims: 250+
Ransom Collected: $42M (since March 2023)
Business Impact: Targets cloud providers and IT services; customer impact leads to SLA penalties, breach-of-contract claims, and churn
Hunters International
Victims: 200+ globally
Tactics: Kickidler and similar admin tools; lateral movement to ESXi, stealthy backup compromise
Business Impact: Long dwell time makes remediation difficult; re-infection common even after cleanups, eroding internal trust in recovery plans
LockBit 3.0
Victims: Thousands globally
Notable 2024 Attacks: Boeing, ICBC
Business Impact: High-profile leaks drive media coverage and customer distrust; aggressive affiliate model leads to unpredictable targeting
Rhysida
Notable Attack: British Library (Oct 2023)
Tactics: Public leak sites, double extortion
Business Impact: Especially damaging to public institutions, where transparency obligations intensify reputational and donor fallout
The Unseen Attack Surface: Why Cloud Ransomware Succeeds
These ransomware groups consistently exploit what we call the architectural gap—the unmonitored, implicitly trusted communication pathways between cloud workloads that traditional security tools cannot reach:
Lack of east-west segmentation between VPCs, clouds, and accounts
Unrestricted egress enabling C2 channels and data exfiltration
Over-permissioned services like IAM roles, shared storage, and backups
Blind spots in cloud-native routing and telemetry
Ephemeral workload communications that bypass traditional network controls
This isn't just a configuration issue—it's a fundamental architectural problem. The cloud atomized the attack surface into hundreds of thousands of micro-perimeters, but security remained focused on the old fortress model.
Breaking the Chain: Aviatrix + The Unified Kill Chain
The Unified Kill Chain (UKC), developed by Paul Pols, is a modern attacker lifecycle model that captures how ransomware campaigns persist, move laterally, and create long-term impact within cloud infrastructure. Unlike endpoint-focused models, UKC maps perfectly to the distributed, workload-centric nature of cloud environments.
Why Traditional Security Fails Against Cloud Ransomware
Ransomware isn't a malware file—it's a kill chain involving multiple stages:
Reconnaissance - Scanning cloud resources and mapping trust relationships
Payload delivery - Exploiting cloud services and API endpoints
Privilege escalation - Abusing cloud IAM and service permissions
Lateral movement - Moving between workloads, VPCs, and cloud accounts
Data exfiltration - Accessing cloud storage and databases
Encryption - Targeting cloud workloads and backup systems
Persistence and reinfection - Maintaining access across cloud environments
Each stage exploits the unseen, unchecked, unprotected communication pathways between cloud workloads—gaps that traditional perimeter security cannot address.
How Aviatrix CNSF Enforces Zero Trust at Every Stage
Aviatrix doesn't just detect threats—we disrupt the kill chain by embedding enforcement directly into the cloud runtime fabric:
Reconnaissance → ThreatIQ + ThreatGuard detect scan patterns, block malicious IPs, and alert on suspicious DNS queries across all cloud workloads
Delivery/Exploitation → In-line traffic steering to NGFWs enables DPI and policy enforcement at cloud ingress points, while distributed gateways inspect east-west traffic
Lateral Movement → Cloud-native micro-segmentation blocks unauthorized east-west traffic across clouds, accounts, and workloads in real-time
Command & Control → Dynamic egress policies + DNS filtering prevent C2 beaconing, reverse shells, and tunneling across all cloud environments
Exfiltration/Impact → High-Performance Encryption (HPE) secures data in motion while enriched flow logs detect mass exfiltration patterns across workload communications
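The gaps listed under "The Unseen Attack Surface" (missing east-west segmentation, unrestricted egress, blind spots in telemetry) and the detections named in the kill-chain mapping above (scan patterns, unauthorized east-west traffic, mass exfiltration) can all be checked against one data source: flow logs for the workload-to-workload traffic the perimeter never sees. The following is an added example, not Aviatrix code or any part of CNSF. It triages a handful of constructed records in the AWS VPC Flow Logs version-2 default field order; the VPC-to-segment mapping, the allowed segment pairs, the thresholds and the external address are all assumptions chosen for illustration.

```python
"""Flow-log triage for east-west and egress blind spots (added example).

Input lines are constructed in the AWS VPC Flow Logs v2 default order:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status.
Segment map, allow-list, thresholds and addresses are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed mapping of private prefixes to logical segments (VPCs/accounts).
SEGMENTS = {
    ipaddress.ip_network("10.10.0.0/16"): "vpc-web",
    ipaddress.ip_network("10.20.0.0/16"): "vpc-db",
    ipaddress.ip_network("10.30.0.0/16"): "vpc-backup",
}
# Constructed allow-list of east-west pairs; any other cross-segment flow is a violation.
ALLOWED_PAIRS = {("vpc-web", "vpc-db")}

SCAN_MIN_TARGETS = 5           # distinct (dst, port) rejected for one source
EXFIL_MIN_BYTES = 50_000_000   # bytes from one workload to one external address

# Constructed sample records: one allowed web->db flow, one web->backup flow that
# breaks segmentation, a burst of rejected probes from the web host, a large
# transfer from the backup host to an external address, and a NODATA record.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.8 44321 5432 6 120 98000 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.30.1.9 44322 22 6 40 5200 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.8 44323 22 6 1 60 1717000000 1717000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.8 44324 3389 6 1 60 1717000000 1717000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.9 44325 22 6 1 60 1717000000 1717000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.10 44326 22 6 1 60 1717000000 1717000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.10.1.5 10.20.1.11 44327 445 6 1 60 1717000000 1717000060 REJECT OK
2 123456789012 eni-0a1b2c3d 10.30.1.9 203.0.113.10 51000 443 6 60000 70000000 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.30.1.9 203.0.113.10 51001 443 6 1000 1000000 1717000060 1717000120 ACCEPT OK
2 123456789012 eni-0a1b2c3d 10.20.1.8 203.0.113.20 51002 443 6 10 4000 1717000000 1717000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d - - - - - - - 1717000000 1717000060 - NODATA
"""


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    nbytes: int
    action: str


def parse_flow_log(text: str) -> list[Flow]:
    """Parse v2 records; skip malformed lines and NODATA/SKIPDATA (no traffic)."""
    flows: list[Flow] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue
        flows.append(Flow(rec["srcaddr"], rec["dstaddr"], int(rec["dstport"]),
                          int(rec["bytes"]), rec["action"]))
    return flows


def segment_of(ip: str) -> str | None:
    """Return the segment name for an address, or None if it is outside all segments."""
    addr = ipaddress.ip_address(ip)
    for net, name in SEGMENTS.items():
        if addr in net:
            return name
    return None


def find_segmentation_violations(flows: list[Flow]) -> list[tuple[str, str, str, str]]:
    """Accepted east-west flows between segments that are not on the allow-list."""
    hits = set()
    for f in flows:
        s, d = segment_of(f.src), segment_of(f.dst)
        if s and d and s != d and f.action == "ACCEPT" and (s, d) not in ALLOWED_PAIRS:
            hits.add((s, d, f.src, f.dst))
    return sorted(hits)


def find_scanners(flows: list[Flow]) -> list[str]:
    """Sources whose rejected connection attempts fan out to many (dst, port) targets."""
    rejected: dict[str, set[tuple[str, int]]] = defaultdict(set)
    for f in flows:
        if f.action == "REJECT":
            rejected[f.src].add((f.dst, f.dport))
    return sorted(src for src, targets in rejected.items() if len(targets) >= SCAN_MIN_TARGETS)


def find_mass_egress(flows: list[Flow]) -> list[tuple[tuple[str, str], int]]:
    """Workload-to-external byte totals above the exfiltration threshold."""
    totals: dict[tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.action == "ACCEPT" and segment_of(f.src) and segment_of(f.dst) is None:
            totals[(f.src, f.dst)] += f.nbytes
    return sorted((pair, n) for pair, n in totals.items() if n >= EXFIL_MIN_BYTES)


def triage(text: str) -> dict[str, list]:
    """Run all three checks over one log and return the findings per category."""
    flows = parse_flow_log(text)
    return {
        "segmentation_violations": find_segmentation_violations(flows),
        "scanners": find_scanners(flows),
        "mass_egress": find_mass_egress(flows),
    }


if __name__ == "__main__":
    for category, findings in triage(SAMPLE_LOG).items():
        print(f"{category}: {findings}")
```

The three checks correspond to the three failure modes the article describes: a flow between two segments that no policy authorises is a segmentation gap, a source accumulating rejected attempts against many host/port pairs is reconnaissance, and a workload pushing tens of megabytes to a single external address is the egress pattern that an allow-listed egress policy would have blocked before the bytes left. The thresholds are deliberately small so the constructed sample trips them; in production they would be tuned per segment, and external-address classification would come from the organisation's own prefix inventory rather than a fixed map.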
The CNSF Advantage: In the Data Path, By Design
Unlike security tools that operate around the edge or as afterthoughts, Aviatrix operates in-line—directly within the cloud runtime. This enables:
Real-time, agentless policy enforcement across multi-cloud and hybrid environments
Unified visibility into the previously unseen communication pathways between workloads
Dynamic segmentation that automatically adapts to ephemeral cloud workloads
Policy-driven Zero Trust enforcement that turns strategy into executable reality
We don't rely on agents, proxies, or hoping attackers hit our detection signatures. We control the pathways where ransomware moves.
From Fortress to Fabric: The New Security Architecture
The cloud native security crisis requires a cloud native security solution. Aviatrix CNSF represents a fundamental architectural shift, from protecting perimeters to securing the fabric of cloud workload communications.
Key Differentiators:
Cloud Consistent, Not Cloud Specific: Uniform policy enforcement across AWS, Azure, GCP, and OCI
Developer-Ready & IaC-Native: Deep integration with Terraform and cloud-native constructs
Ecosystem Integration: We activate your existing security investments by extending them into the cloud runtime
Aviatrix doesn't replace your security stack; we activate it by providing the missing enforcement layer where traditional tools cannot reach.
Final Word: The Architectural Imperative
Stopping modern ransomware means accepting a fundamental truth: the fortress is dead, and the fabric is the future. These threat groups succeed because they exploit the architectural gap between traditional security models and cloud reality. Aviatrix CNSF enables your team to:
See everything moving inside and between cloud environments
Enforce policy before malware spreads across workload communications
Maintain performance while applying Zero Trust principles at cloud scale
Turn zero trust from aspiration into enforcement across the entire cloud runtime
The next breach won't stem from a missed CVE. It will exploit the unseen, unchecked, unprotected pathways between your cloud workloads. The question isn't whether you need cloud workload security—the breaches prove you do. The question is whether you'll build it proactively or reactively.
Secure your cloud now with zero trust—before ransomware makes you the next headline.
Want to learn more ways to defeat ransomware and defend your network?
Take a free security assessment to learn how you can strengthen your cloud network security.