Targeted social engineering is en vogue as ransom payment sizes increase
“Don’t say the ‘S…’ word.” But which adjective starting with the letter S are we talking about? Three specifically come to mind in Q2, as these groups were both prolific in the sheer volume of attacks and also used novel iterations of social engineering in their intrusion vectors. Below we dissect each one.
Scattered Spider
Attack Approach: Targeted
Characterized By: Social Engineering; Severe Operational Disruption
Impact: Immediate
After a handful of arrests in Q4 2024 and a period of dormancy, Scattered Spider returned in earnest at the start of Q2 2025. The loosely affiliated cybercrime group set their sights on the retail sector, first in the UK and then in the US, before pivoting to the insurance and aviation sectors. Unlike most traditional financially motivated cybercriminals, who impact enterprises opportunistically, Scattered Spider tends to focus on clusters of companies in a single vertical and attack them in rapid succession. There is no clear pattern in which sectors attract their attention or in what order, but what the impacted entities do have in common is being large, well-known household name brands whose operational disruption can be seen by consumers on the ground floor.
In today’s cyber risk climate, social engineering may be the premier threat from non-Western and domestic threat actors alike, but just a few years ago, Scattered Spider was arguably the only extortion group using it successfully and at scale. Being composed of native English speakers gave them an advantage the Russian-operated ransomware affiliates lacked, and is perhaps one reason why the technique took longer to gain traction in the non-native-English-speaking extortion space.
There is ample literature available on the nuances of the Scattered Spider attack path, so we won’t take up time rehashing those here. What we will examine is the unique flavor of identity attacks they utilize, and how these are distinguishable from identity-based attacks leveraged by other prominent crime groups.
Scattered Spider social engineering efforts are focused on impersonating real employees and convincing help desk technicians to provision them with new credentials to the employee’s accounts (in some cases, provisioning their own devices with corporate VPN, MFA, etc.), which are then used to pivot access into the corporate environment. The callers are patient, amiable, and armed with the right arsenal of information to impersonate their target. Once footholds are established, the bad actors are quick to escalate and maintain such prolific and vicious persistence that the victim’s only option to contain the environment is to proactively shut operations down - this self-inflicted disruption is often necessary, but it does come at a cost and effectively guarantees the attack will be swiftly picked up in the media. Scattered Spider is known for many things, but subtlety is not one of them, which makes the other subjects of this review all the more interesting.
Silent Ransom
Attack Approach: Targeted
Characterized By: Data Theft Only; No Operational Disruption
Impact: Delayed
Silent Ransom (aka “Luna Moth”) has been in the picture since 2022. Aside from Scattered Spider, they are the only other e-crime group that has been exclusively reliant on social engineering for initial access during their tenure. However, their techniques are distinct.
Unlike Scattered Spider, which impersonates an employee to socially engineer the help desk, Silent Ransom takes the reverse approach. The target of the social engineering effort is the employee, and the bad actor poses as a help desk/IT support person who convinces the employee to download remote assistance software. Once Zoho Assist, Quick Assist, or AnyDesk is willingly installed, the threat actor has hands-on-keyboard access to the victim’s workstation to pillage for sensitive data. The sessions often last only minutes, and the victim may not even realize something nefarious has taken place.
One of the most unusual aspects of Silent’s approach is the focus on a single workstation and the absence of lateral movement. Admittedly we saw this slightly evolve in 2025 wherein a few attacks involved the successful targeting of 2-3 workstations (sometimes weeks or months apart), but the framework is still markedly distinct from Scattered Spider in that they do not establish widespread or long-term persistence and their impact does not disrupt company operations. Many victim companies don’t even know a security incident has taken place until Silent announces themselves weeks or months later with an extortion threat.
All that said, a key similarity between these two groups is that their attacks are targeted. Scattered Spider focuses both on specific sectors and specific enterprises within those sectors; Silent Ransom historically focuses on the professional services sector, with a particular emphasis on law firms (large and small). We can’t overstate how antithetical this approach is to the previous decade of financially motivated cybercrime, which has been overwhelmingly and consistently opportunistic and sector-agnostic. The fact that these groups who take a targeted approach are not outliers, but in fact keepers of significant market share in Q2 is a stark indicator of things to come.
Shiny Hunters
Attack Approach: Targeted
Characterized By: Data Theft Only; No Operational Disruption
Impact: Delayed
This brings us to our final S. You may have caught the headlines recently announcing the five prominent arrests in France of alleged administrators of BreachForums, including “ShinyHunters” and “IntelBroker”. Whether this will permanently disrupt the recent rampage of ShinyHunters extortions remains to be seen, but they have certainly been an active participant in data theft extortions in Q2 right in lockstep with Scattered Spider.
ShinyHunters operates in a few different avenues (sometimes direct extortion, sometimes extortion-as-a-service with other actors), but most recently we have observed a trend of attacks that align with the threat cluster identified by Mandiant as UNC6040. These attacks leverage social engineering tactics against the target organization’s Business Process Outsourcing (BPO) personnel with a specific focus on accessing Salesforce environments. Like Silent Ransom, these actors take the approach of posing as IT support, and coerce the employee into completing a set of tasks that enables the threat actor to gain legitimate access to their Salesforce instance.
ShinyHunters attacks are focused on data extortion and lack the on-the-ground operational disruption that is characteristic of Scattered Spider. However, there is striking overlap in the sectors impacted by both groups, and given the collective known as “The Com” that both have been linked to, it’s unlikely this sector overlap is sheer coincidence. One of the most distinguishing features of ShinyHunters attacks (aside from the TTPs) is the months-long delay between attack and actual extortion.
It’s clear that identity-based social engineering attacks are now mainstream, and they are not isolated to just native English speaking e-crime groups.
The continued demise of the RaaS model has had a significant impact on the market share held by traditional opportunistic ransomware groups. A handful still prevail, but it seems every other week we see another group shutter operations or fall victim to another insider leak. While small and middle market businesses have historically suffered a disproportionate volume of attacks when the RaaS model was at its height, we do believe the risk to the large enterprise market will rapidly escalate as groups shift their attack approaches away from convenient, bulk-purchased attack vectors and invest more resources in compromising fewer high-profile entities. Further fueling this shift towards more targeted victimology is the entrance of state-sponsored actors leveraging certain ransomware variants for their own objectives (sometimes financial gain, but also general disruption or cover for potential espionage).
Average and Median Ransom Payment in Q2 2025
Average Ransom Payment: $1,130,070 (+104% from Q1 2025)
Median Ransom Payment: $400,000 (+100% from Q1 2025)
The average ransom payment ($1,130,070, +104% from Q1 2025) and the median ransom payment ($400,000, +100% from Q1 2025) both jumped substantially in Q2 2025 versus the prior quarter. We attribute this increase to an increase in payments by larger organizations impacted by data-exfiltration-only incidents. While the quarterly increase is dramatic, we note that similar quarter-to-quarter jumps have occurred in the past, and we do not yet believe these metrics mark the start of a trend.
Overall, the percentage of organizations that opted to pay a ransom, regardless of impact, remained relatively low at 26%. We are encouraged that the overall rate of payment has not shown regression over the prior quarters. As compared to years past, companies are generally better prepared to defend themselves against extortion attacks, and are getting better at navigating the nuances of cyber incidents through IR preparedness.
The payment rate on data-exfiltration-only matters increased in Q2 and remains in a stubbornly high bracket. Some threat actors are increasingly focusing on data exfiltration only, as they feel the effort-to-payout economics are more favorable than those of encryption attacks. Encryption attacks do still cause the most impact and urgency, though.
Most Common Ransom Variants in Q2 2025
| Rank | Ransomware Type | Market Share % | Change in Ranking from Q1 2025 |
|---|---|---|---|
| 1 | Akira | 19% | - |
| 2 | Qilin | 13% | +1 |
| 3 | Lone Wolf | 9% | -1 |
| 4 | Silent Ransom | 5% | New in Top Variants |
| 4 | Shiny Hunters | 5% | New in Top Variants |
| 5 | DragonForce | 4% | New in Top Variants |
Market Share of Ransomware Attacks
Akira remained the top Ransomware-as-a-Service brand in Q2 2025, with Qilin jumping one spot to second place. Lone wolf attacks remain highly prevalent, though, and we note that most of these attacks are not carried out by lone individuals attacking for the first time. They are seasoned cyber extortionists who are making a conscious decision to carry out a particular attack on a non-attributed basis. This involves the use of generic tactics and unbranded toolkits (i.e., not a branded ransomware variant). It is highly likely that many of these lone wolves carry out other attacks under branded RaaS programs as well.
Most Common Ransomware Initial Attack Vectors in Q2 2025
Initial access trends in Q2 continue to be shaped by the most active threat actors, who drive the evolution of tactics quarter over quarter. Despite fluctuations, the foundational pillars remain consistent: remote access compromise, phishing and social engineering in all their evolving forms, and the exploitation of software vulnerabilities.
Credential-based intrusions dominate, with groups like Akira regularly exploiting exposed VPNs and remote services using stolen or weak credentials, often sourced from infostealers or successful phishing campaigns. Social engineering also continues to mature, with actors leveraging trusted communication channels like Microsoft Teams for vishing, SEO poisoning to deliver malware, and deceptive scripts masked behind fake security prompts or CAPTCHAs. These tactics bypass technical controls by targeting human behavior, a trend exemplified by groups like Scattered Spider, whose tailored impersonation techniques make help desks the front line of compromise.
Software vulnerability exploitation, while slightly down from Q1, remains a critical vector, particularly in targeted intrusions. High-profile vulnerabilities in Ivanti, Fortinet, VMware, and Windows services were actively leveraged, often shortly after public disclosure. Readily available exploit kits and proof-of-concept code have lowered the technical bar, allowing even mid-tier actors to breach enterprise infrastructure. The real risk lies in persistent patch lag, driven by operational complexity, downtime concerns, and under-resourced IT teams. Even well-managed environments remain exposed through third-party systems or vendor-managed appliances that quietly fall behind.
Lastly, insider and third-party access risks, though a smaller slice of overall initial access, showed an uptick in Q2, particularly involving business process outsourcing (BPO) partners, contractors, and IT service providers. These external parties often hold privileged access but operate outside core security oversight, making them a growing vector of exploitation for credential misuse or social engineering.
Most Common Tactics, Techniques and Procedures Threat Actors used in Q2 2025
Exfiltration [TA0010]
Exfiltration topped the charts again in Q2, appearing in 74% of Coveware cases and reinforcing its central role in modern extortion operations. While once considered a precursor to encryption, exfiltration has become the main event in many attacks. Extortion-only and multi-extortion campaigns now often prioritize data theft over encryption, using stolen information as leverage for ransom demands even in cases where encryption never occurs. This trend reflects a continued strategic shift: threat actors are optimizing for pressure, not disruption, and the data itself is often the most valuable hostage.
Lateral Movement [TA0008]
Lateral movement, observed in 60% of cases, remains a tactical staple despite a slight drop from Q1. It continues to underpin most ransomware operations, enabling threat actors to escalate privileges, map environments, and position payloads for maximum impact. Common techniques include the use of native protocols like RDP and SSH, along with tools like PSExec to traverse networks undetected. Because it’s nearly always present, lateral movement offers a consistently valuable detection window, if organizations are watching in the right places.
Impact [TA0040]
Impact returned to the Top 3 in Q2, appearing in 47% of cases, though encryption was confirmed in 90%, highlighting a recurring visibility gap in forensic telemetry. This is especially pronounced in environments like ESXi, where administrators are often locked out post-encryption and critical forensic artifacts are wiped. While file encryption remains the primary impact tactic, actors continue to evolve their methods for operational disruption, especially within backup infrastructure. Threat actors are increasingly targeting backups as part of their playbook, knowing that undermining recovery amplifies extortion pressure. Even in environments with immutable storage, actors are moving upstream and modifying backup policies, tampering with schedules, and deleting or redirecting backup objects to create continuity gaps. These actions are often subtle and blend into routine operations, but their downstream effect is severe: when recovery fails, payment pressure skyrockets. Organizations must treat backup infrastructure not just as a recovery tool, but as a primary target requiring the same vigilance and hardening as production systems.
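The “moving upstream” tampering described above (disabled jobs, shortened retention, redirected targets, deleted jobs) is a configuration change rather than an encryption event, so it is best caught by diffing backup policy against a known-good snapshot. The following is an added example and not code from the Coveware report or from any backup vendor: it assumes a plain dictionary snapshot of job settings (the job names, schedules and repository names are constructed) and reports every change that would open a recovery gap.

```python
"""Added example, not code from the Coveware report: a backup-policy drift
check for the 'moving upstream' tampering described in the Impact section
(disabled jobs, shortened retention, redirected targets, deleted jobs).
It diffs a known-good snapshot of backup job settings against the current
state and reports the changes that open a recovery gap. Job names,
schedules and repository names are constructed, and the snapshot layout is
a plain dict, not any vendor's API.
"""

# Constructed known-good baseline, captured at the last backup review.
BASELINE = {
    "daily-fileserver": {"enabled": True, "schedule": "daily@22:00", "retention_days": 30, "repo": "immutable-s3"},
    "hourly-sql":       {"enabled": True, "schedule": "hourly", "retention_days": 14, "repo": "immutable-s3"},
    "weekly-esxi":      {"enabled": True, "schedule": "weekly@sun02:00", "retention_days": 90, "repo": "immutable-s3"},
    "monthly-archive":  {"enabled": True, "schedule": "monthly@1st", "retention_days": 365, "repo": "immutable-s3"},
}

# Constructed current state containing the kinds of subtle edits the report describes.
CURRENT = {
    "daily-fileserver": {"enabled": False, "schedule": "daily@22:00", "retention_days": 30, "repo": "immutable-s3"},
    "hourly-sql":       {"enabled": True, "schedule": "hourly", "retention_days": 1, "repo": "immutable-s3"},
    "weekly-esxi":      {"enabled": True, "schedule": "weekly@sun02:00", "retention_days": 90, "repo": "scratch-nas"},
    "tmp-export":       {"enabled": True, "schedule": "once", "retention_days": 1, "repo": "scratch-nas"},
}


def backup_drift(baseline, current, trusted_repos=("immutable-s3",)):
    """Return (severity, job, message) tuples for changes that weaken recovery."""
    findings = []
    for job, base in baseline.items():
        cur = current.get(job)
        if cur is None:
            findings.append(("high", job, "job deleted"))
            continue
        if base["enabled"] and not cur["enabled"]:
            findings.append(("high", job, "job disabled"))
        if cur["retention_days"] < base["retention_days"]:
            findings.append(("high", job,
                             f"retention shortened {base['retention_days']}d -> {cur['retention_days']}d"))
        if cur["schedule"] != base["schedule"]:
            findings.append(("medium", job, f"schedule changed {base['schedule']} -> {cur['schedule']}"))
        if cur["repo"] != base["repo"]:
            # Redirecting to a non-immutable target silently defeats the immutable-storage control.
            sev = "high" if cur["repo"] not in trusted_repos else "medium"
            findings.append((sev, job, f"target changed {base['repo']} -> {cur['repo']}"))
    for job in sorted(current.keys() - baseline.keys()):
        # A new job is not a recovery gap by itself, but it was not reviewed and needs a look.
        findings.append(("low", job, "job added outside baseline"))
    return findings


if __name__ == "__main__":
    for sev, job, msg in backup_drift(BASELINE, CURRENT):
        print(f"[{sev:6}] {job:18} {msg}")
```

Run on a schedule from a host the backup administrators do not log into interactively, and store the baseline somewhere the backup platform’s own credentials cannot reach; otherwise an intruder who has reached the backup console can update the baseline along with the policy.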
Defense Evasion [TA0005]
Defense evasion remained a top tactic in Q2, appearing in 47% of cases. Threat actors continue to rely on techniques such as tampering with EDR agents, deleting logs, disabling protections, and using obfuscated or renamed binaries to bypass detection. While overall dwell times are shortening, these tactics still provide enough cover for attackers to reach their objectives quickly and quietly. Their success, however, is often less a reflection of novel tradecraft and more an indictment of security controls that have decayed over time. Without regular maintenance and tuning, endpoint defenses lose their edge. Outdated detection rules, misconfigured policies, and unmonitored alerts all create blind spots. The effectiveness of defense evasion techniques is directly tied to this entropy, making the upkeep of security tooling as critical as the tools themselves.
Discovery [TA0007]
Discovery tactics re-entered the Top 5 in Q2, observed in 42% of cases, a reflection of how methodical and targeted extortion operations have become. Before exfiltrating or encrypting data, attackers invest time in mapping networks, enumerating assets, and identifying the most valuable systems or datasets. This reconnaissance phase often relies on legitimate admin tools or built-in OS commands, making it difficult to detect without contextual analysis. However, it also presents a critical opportunity: discovery activity frequently precedes overt malicious actions, offering defenders a chance to catch the threat early. Organizations that monitor for anomalous enumeration or employ deception technologies, such as decoy credentials, honeyfiles, or fake infrastructure, can turn this phase into an early warning system, transforming reconnaissance into a detection and containment advantage.
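The Lateral Movement, Defense Evasion and Discovery sections above each point at a detection window (PsExec and RDP traversal, log clearing, enumeration bursts, decoy credentials). The following is an added example, not code from the Coveware report: a handful of toy detection rules run over constructed Windows event records. The host names, IP addresses, user names and the decoy account are all made up; the event IDs (7045 service installed, 4624 logon with LogonType 10 for RDP, 4688 process creation, 1102 Security log cleared) are standard Windows event IDs.

```python
"""Added example, not code from the Coveware report: toy detection rules for
the lateral-movement, defense-evasion and discovery behaviours described in
the TTP sections, run over a small set of constructed Windows event records.
Event IDs used: 7045 (service installed), 4624 (logon; LogonType 10 is RDP),
4688 (process creation), 1102 (Security audit log cleared). Host names, IPs,
users and the decoy account name are all made up for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in commands that typically show up in bulk during the discovery phase.
DISCOVERY_CMDS = {"whoami", "net", "nltest", "ipconfig", "nslookup",
                  "systeminfo", "quser", "arp", "netstat"}
# Decoy credential that nothing legitimate should ever log on with (assumption).
HONEY_ACCOUNTS = {"svc_backup_legacy"}

# Constructed telemetry: one workstation enumerating, one source IP fanning out
# over RDP, a PsExec service drop, a decoy-account logon and a cleared log.
SAMPLE_EVENTS = [
    {"ts": "2025-06-03T09:00:00", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\whoami.exe"},
    {"ts": "2025-06-03T09:00:20", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\net.exe"},
    {"ts": "2025-06-03T09:01:05", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\nltest.exe"},
    {"ts": "2025-06-03T09:02:10", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\ipconfig.exe"},
    {"ts": "2025-06-03T09:02:40", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\systeminfo.exe"},
    {"ts": "2025-06-03T09:03:00", "id": 4688, "host": "WS-042", "image": "C:\\Windows\\System32\\notepad.exe"},
    {"ts": "2025-06-03T09:30:00", "id": 4624, "host": "SRV-APP01", "logon_type": 10, "src_ip": "10.0.0.5", "user": "jdoe"},
    {"ts": "2025-06-03T09:31:00", "id": 4624, "host": "SRV-DB01", "logon_type": 10, "src_ip": "10.0.0.5", "user": "jdoe"},
    {"ts": "2025-06-03T09:32:00", "id": 4624, "host": "SRV-FILE01", "logon_type": 10, "src_ip": "10.0.0.5", "user": "jdoe"},
    {"ts": "2025-06-03T09:33:00", "id": 7045, "host": "SRV-FILE01", "service": "PSEXESVC"},
    {"ts": "2025-06-03T09:40:00", "id": 4624, "host": "SRV-DC01", "logon_type": 3, "src_ip": "10.0.0.5", "user": "svc_backup_legacy"},
    {"ts": "2025-06-03T09:45:00", "id": 1102, "host": "SRV-FILE01", "user": "jdoe"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def detect(events, window=timedelta(minutes=10), fanout=3, enum_threshold=5):
    """Return (rule, subject, detail) findings in chronological order."""
    findings = []
    rdp_by_src = defaultdict(set)     # source IP -> distinct hosts reached over RDP
    enum_by_host = defaultdict(list)  # host -> timestamps of recent enumeration commands

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        eid, host = ev["id"], ev["host"]
        if eid == 7045 and "psexesvc" in ev.get("service", "").lower():
            # PsExec installs a service called PSEXESVC on the target host.
            findings.append(("psexec_service", host, ev["service"]))
        elif eid == 1102:
            # Clearing the Security log is a classic defense-evasion step.
            findings.append(("audit_log_cleared", host, ev.get("user", "?")))
        elif eid == 4624:
            if ev.get("user", "").lower() in HONEY_ACCOUNTS:
                findings.append(("honey_credential_use", host, ev["user"]))
            if ev.get("logon_type") == 10:
                reached = rdp_by_src[ev["src_ip"]]
                reached.add(host)
                # Fire once, when one source has RDP'd into `fanout` distinct hosts.
                if len(reached) == fanout:
                    findings.append(("rdp_fanout", ev["src_ip"], sorted(reached)))
        elif eid == 4688:
            image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
            if image.endswith(".exe"):
                image = image[:-4]
            if image in DISCOVERY_CMDS:
                ts = parse_ts(ev["ts"])
                recent = [t for t in enum_by_host[host] if ts - t <= window] + [ts]
                enum_by_host[host] = recent
                # Fire once, when a host runs `enum_threshold` enumeration commands inside `window`.
                if len(recent) == enum_threshold:
                    findings.append(("enumeration_burst", host, len(recent)))
    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:22} {subject:12} {detail}")
```

The thresholds are deliberately loose so the constructed sample trips every rule; in production they are tuned per environment (administrators legitimately RDP to many hosts, and some monitoring agents run `systeminfo` on a schedule), and the decoy account should be an object that exists in the directory but is referenced by nothing, so any logon with it is unambiguous.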
Most Common Industries Impacted by Ransomware in Q2 2025
Ransomware attacks disproportionately impact certain industries, with Professional Services facing the highest share at 19.7%. Consumer Services and Healthcare follow closely at 13.7% each, highlighting how data-rich, service-oriented sectors are prime targets due to their reliance on sensitive information and operational continuity. The Public Sector (9.4%) and Financial Services (7.7%) also face significant risk, likely due to their critical infrastructure and data value. We further note that, unlike some RaaS groups who avoid the Public Sector for fear of regulatory retribution in the form of sanctions, Qilin does not seem to share this aversion and consistently impacts this vertical, along with extremely vulnerable entities in the healthcare and emergency services sectors. Given Qilin’s growing market share, we assess these impacts will continue and potentially worsen. In contrast, industries like Real Estate and Utilities see minimal impact (0.9%), possibly due to lower digital exposure or stronger defenses. The data suggests that attackers prioritize sectors where disruption can be quickly monetized, particularly those handling personal, financial, or health-related data.
Size of Organizations Impacted by Ransomware in Q2 2025
Ransomware attacks most commonly affect small to mid-sized organizations, with companies ranging from 11 to 1,000 employees making up a combined 64% of incidents. This suggests that attackers often target firms that are large enough to offer a potential payout but may lack the robust cybersecurity infrastructure of larger enterprises. Mid-sized organizations (1,001 to 10,000 employees) account for 17% of attacks, showing that as companies grow, they remain attractive targets. Interestingly, very large enterprises—with over 25,000 employees—make up just 8% of incidents, indicating that scale may offer better protection through more mature security programs. At the smallest end, companies with fewer than 10 employees represent only 4%, likely due to limited assets or lower visibility. Overall, the data highlights a ransomware "sweet spot" in the small to mid-sized range, where vulnerabilities are more common and defenses often underfunded.