June 2025 Threat Trend Report on Ransomware

Severity: Medium
Published: Wed Jul 16 2025 (07/16/2025, 16:10:19 UTC)
Source: AlienVault OTX General

Description

The June 2025 threat analysis reveals an increase in new ransomware samples compared to May. The data is based on detection names from AhnLab and information collected from Dedicated Leak Sites (DLS) of ransomware groups. Statistics cover the past six months, showing the total number of ransomware samples collected. The analysis includes a breakdown of companies affected by ransomware attacks, as posted on DLS. While some data collection may be incomplete or delayed for certain ransomware groups, the report provides insights into the current ransomware landscape. A list of affected companies publicly disclosed by various ransomware groups is also included, along with MD5 hashes of notable samples.

AI-Powered Analysis

Last updated: 07/16/2025, 20:16:55 UTC

Technical Analysis

The June 2025 Threat Trend Report on Ransomware highlights a notable increase in new ransomware samples detected compared to the previous month, May 2025. This analysis is based on detection data from AhnLab and intelligence gathered from Dedicated Leak Sites (DLS) operated by ransomware groups. The report covers a six-month period, providing statistics on the total number of ransomware samples collected and a breakdown of companies affected by ransomware attacks as publicly disclosed on these leak sites. Although some data may be incomplete or delayed due to the nature of data collection from multiple ransomware groups, the report offers valuable insights into the evolving ransomware landscape. The report includes MD5 hashes of notable ransomware samples, which can be used for detection and blocking. The ransomware tactics, techniques, and procedures (TTPs) referenced include MITRE ATT&CK techniques such as T1489 (Service Stop), T1567 (Exfiltration Over Web Service), T1566 (Phishing), T1486 (Data Encrypted for Impact), and T1490 (Inhibit System Recovery), indicating that these ransomware campaigns employ a combination of initial access via phishing, data exfiltration, service disruption, encryption of data, and prevention of recovery mechanisms. The report does not specify particular ransomware families or threat actors but emphasizes the rise in ransomware-as-a-service (RaaS) operations and the use of Dedicated Leak Sites to pressure victims. No known exploits in the wild or CVEs are associated with this report, and no specific affected software versions are identified. The severity is assessed as medium, reflecting the ongoing threat posed by ransomware but without indication of novel or critical vulnerabilities exploited.

Potential Impact

For European organizations, the increase in ransomware samples and attacks poses a significant risk to operational continuity, data confidentiality, and integrity. Ransomware attacks can lead to substantial financial losses due to ransom payments, downtime, regulatory fines (especially under GDPR for data breaches), and reputational damage. The use of Dedicated Leak Sites to publicly disclose victim companies increases pressure on organizations to pay ransoms, potentially exposing sensitive corporate and customer data. The referenced TTPs suggest attackers are not only encrypting data but also exfiltrating it, which raises the risk of data breaches and compliance violations. European entities in critical infrastructure sectors, healthcare, manufacturing, and finance are particularly vulnerable due to their strategic importance and potential impact on public safety and economic stability. The medium severity rating indicates that while the threat is serious, it does not currently involve zero-day exploits or widespread automated exploitation, allowing organizations some time to implement mitigations. However, the trend of increasing ransomware samples and leak site activity signals a persistent and evolving threat landscape that requires proactive defense measures.

Mitigation Recommendations

European organizations should implement a multi-layered defense strategy tailored to the ransomware threat landscape described. Specific recommendations include:

1) Enhance email security to detect and block phishing attempts (T1566), including advanced sandboxing, URL rewriting, and user training focused on spear-phishing awareness.
2) Deploy endpoint detection and response (EDR) solutions capable of identifying ransomware behaviors such as service stoppage (T1489), encryption activities (T1486), and system recovery inhibition (T1490).
3) Implement robust data backup strategies with offline or immutable backups to ensure recovery without paying ransom.
4) Monitor network traffic for signs of data exfiltration over web services (T1567) using network detection tools and anomaly detection.
5) Restrict administrative privileges and segment networks to limit lateral movement and impact scope.
6) Regularly update and patch systems to reduce attack surface, even though no specific CVEs are noted, as ransomware often exploits known vulnerabilities.
7) Establish incident response plans that include ransomware-specific scenarios and coordinate with law enforcement and cybersecurity authorities.
8) Leverage threat intelligence feeds, including MD5 hashes from the report, to update detection signatures and block known ransomware samples.
9) Conduct regular tabletop exercises and penetration testing to assess readiness against ransomware campaigns.

These measures, combined with continuous monitoring and user education, will help mitigate the medium-level ransomware threat effectively.

Technical Details

Author: AlienVault
TLP: white
References: https://asec.ahnlab.com/en/89032
Adversary: null
Pulse ID: 6877ceeb36b9db9367d14e3b
Threat Score: null

Indicators of Compromise

Threat ID: 68780518a83201eaacde16a8

Added to database: 7/16/2025, 8:01:28 PM

Last enriched: 7/16/2025, 8:16:55 PM

Last updated: 7/17/2025, 1:04:10 AM
