Ransomware Surge: 4 Cyber Threat Groups Wreaking Havoc in February 2025
The cybersecurity landscape continues to face relentless attacks from organized ransomware groups. In February alone, four major threat actors—Cactus, RansomHub, Play, and Medusa—have been particularly active, targeting organizations across various industries.
This data is collected from two of Alvaka’s cybersecurity partners, Cyber Guards USA and Cybolt. These findings match what Alvaka has seen in the past two months in our ransomware recovery practice. Below is a breakdown of the tactics and techniques these groups are employing.
Cactus – Targeting VPN and Firewall Vulnerabilities
- Victims: 14
- Primary Entry Point: Exploiting vulnerabilities in VPNs and firewalls
- Tactics & Techniques:
-
- Uses legitimate RMM (Remote Monitoring & Management) software (dwagent, ScreenConnect) to maintain persistence.
-
- Conducts network reconnaissance using netscan.
-
- Deploys Command & Control (C2) tools, primarily Chisel.
-
- Relies on Living Off the Land (LOTL) techniques, including RDP and SSH.
-
- Exfiltrates data using WinSCP and rClone.
Geographic Focus:
Cactus has been heavily targeting organizations on the U.S. West Coast and Canada. The attackers have also been observed emailing and calling employees of victim organizations, indicating a social engineering component.
RansomHub – A Ransomware-as-a-Service (RaaS) Operation
- Victims: 37
- Tactics & Techniques:
-
- Uses a variety of legitimate RMM software (AnyDesk, Atera, N-Able, ScreenConnect, Splashtop).
-
- Leverages Windows LOLBins (BITSadmin, PSExec) to execute malicious payloads.
-
- Exfiltrates data through WinSCP, rClone, and PSCP.
- Threat Model:
RansomHub is likely operating under a Ransomware-as-a-Service (RaaS) model, meaning multiple affiliates conduct attacks under a shared infrastructure. - Leak Site Activity:
This group has been actively updating their leak site daily, showcasing a consistent stream of new victims.
Play – Defense Evasion and Stealthy Exfiltration
- Victims: 30
- Tactics & Techniques:
-
- Uses defense evasion tools such as IOBit to avoid detection.
-
- Deploys offensive security tools like WinPEAS and Cobalt Strike to gain deep network access.
-
- Relies on LOLBins like PSExec and WinSCP for stealthy data exfiltration.
Play has shown a strong emphasis on remaining undetected for prolonged periods, making it one of the more difficult groups to mitigate.
Medusa – Phishing, Network Reconnaissance, and Destruction
- Victims: 26
- Primary Entry Point: Phishing attacks
- Tactics & Techniques:
-
- Uses PowerShell and Command Prompt to execute malicious commands.
-
- Conducts network reconnaissance with netscan.
-
- Maintains persistence through ScreenConnect.
-
- Uses BITSadmin and PSExec for lateral movement.
-
- Exfiltrates data over SSH on port 443, making detection more difficult.
-
- Post-Exfiltration Actions:
-
-
- Removes logs to erase evidence.
-
-
-
- Destroys backups.
-
-
-
- Executes final-stage ransomware encryption.
-
Medusa’s structured attack chain shows a high level of sophistication, especially in covering its tracks before deploying ransomware.
Key Takeaways & Defensive Measures
The patterns emerging from these attacks highlight three major security concerns:
- Exploitation of vulnerabilities in VPNs and firewalls (Cactus).
- Increased abuse of legitimate RMM software for persistence (RansomHub, Play, Medusa).
- Social engineering and phishing as primary attack vectors (Medusa, Cactus).
How to Defend Against These Threats:
- Patch and Update – Ensure VPNs, firewalls, and endpoint security software are regularly updated.
- Monitor RMM Activity – Identify unauthorized use of tools like AnyDesk, ScreenConnect, and Splashtop.
- Implement Multi-Factor Authentication (MFA) – Prevent unauthorized access even if credentials are stolen.
- Conduct Phishing Awareness Training – Educate employees to recognize and report suspicious emails.
- Enable Network Segmentation – Limit the ability of attackers to move laterally within an organization.
- Review Data Exfiltration Tools – Monitor for unauthorized use of WinSCP, rClone, and SSH-based transfers.
These four ransomware groups are refining their techniques and expanding their operations. As cybercriminals become more advanced, organizations must take a proactive approach to security by implementing strong defense mechanisms, monitoring network activity, and educating employees about emerging threats.
Need Immediate Assistance?
If your organization is experiencing a ransomware incident or needs cybersecurity support, Alvaka’s ransomware recovery team is available to help.
Alvaka is available 24×7 to assist you with any of your cybersecurity needs. Fill out the form on this page or call us at (949)428-5000!
Latest Cybersecurity Related Blogs
Smoke testing is a term used to describe the testing process for servers after patches are applied. 
Estimating an average time for patching servers and PCs can be a bit tricky. It can vary from one month to the next, depending upon the number and complexity of the patches released by your software vendors. You must consider all versions of operating systems and have a complete inventory of all your application software to do this job correctly. Our experience has shown that manual patching of systems takes on average of about 1.5 hours each.
This is a basic cost calculator for you to compute your typical monthly cost for patching your servers, PCs, laptops, tablets and associated application software. It also forms the basis for you to begin calculating your Return on Investment for software patching, or for comparison with alternatives to the manual process of patching operating systems and application software—such as Patch Management as a Service, also known as Vulnerability Management as a Service.