Ransomware groups surge as July attacks hit Singapore
ThreatBook 2025 report shows tech and finance hit hardest in mid-year breach wave.
Singapore faced a sharp rise in ransomware attacks in 2025, according to the 2025 Singapore Threat Intelligence Report by global cybersecurity firm ThreatBook. Attacks peaked in July and affected the technology, finance, manufacturing, and government sectors.
The surge coincided with the release of multiple global software vulnerabilities, which attackers exploited to time their campaigns.
ThreatBook identifies Qilin, DireWolf, Lynx, DevMan, and Akira as the most active ransomware groups.
Qilin targets large enterprises using Office macros and Cobalt Strike to gain access, stealing sensitive data and moving laterally with credential-stealing tools and PowerShell scripts.
DireWolf focuses on manufacturing and industrial systems, combining encryption with public data leaks.
Lynx attacks high-value businesses across multiple sectors, relying on phishing, malware downloads, and social engineering to steal data before encryption.
DevMan targets energy and industrial firms, encrypting files offline and deleting backups.
Akira operates across manufacturing, healthcare, blockchain, and transport, exploiting VPN vulnerabilities and phishing campaigns and using segmented encryption and multi-mode data theft.
All five groups employ double extortion tactics, encrypting systems whilst exfiltrating data to dark web leak sites.
Common entry points include phishing emails, malware-laden documents, and exposed remote access tools such as RDP or VPN.
Lateral movement often relies on legitimate administrative tools like SMB, PsExec, AnyDesk, and RustDesk.
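Because these tools are legitimate, detection depends on where and how they run rather than on the binaries themselves. The following triage sketch is an added example, not taken from the ThreatBook report: it flags the named remote-access tools on hosts missing from an approved inventory, and Office applications launching PowerShell. The record fields, host names, and allowlist are assumptions, and the sample events are constructed.

```python
import ntpath

# Default executable names of the remote-admin tools the report lists.
TOOL_IMAGES = {
    "psexec.exe": "PsExec", "psexec64.exe": "PsExec", "psexesvc.exe": "PsExec",
    "anydesk.exe": "AnyDesk", "rustdesk.exe": "RustDesk",
}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe"}

# Hypothetical inventory of (host, tool) pairs that IT has approved.
APPROVED = {("HELPDESK-01", "AnyDesk")}

# Constructed sample process-creation records; not real telemetry.
SAMPLE_EVENTS = [
    {"host": "HELPDESK-01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"host": "FIN-WS-07", "image": r"C:\Users\Public\rustdesk.exe",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"host": "FILESRV-02", "image": r"C:\Windows\PSEXESVC.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"host": "HR-WS-03",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"host": "HR-WS-03", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe"},
]

def triage(events, approved=APPROVED):
    """Return (host, rule, detail) findings for process-creation records."""
    findings = []
    for ev in events:
        # ntpath parses Windows paths regardless of the analyst's OS.
        image = ntpath.basename(ev["image"]).lower()
        parent = ntpath.basename(ev["parent"]).lower()
        tool = TOOL_IMAGES.get(image)
        # Rule 1: a remote-admin tool on a host where it is not sanctioned.
        if tool and (ev["host"], tool) not in approved:
            findings.append((ev["host"], "unapproved-remote-tool", tool))
        # Rule 2: an Office application launching PowerShell (macro pattern).
        if parent in OFFICE_PARENTS and image in SHELL_CHILDREN:
            findings.append((ev["host"], "office-spawned-powershell", parent))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Matching on file names alone misses renamed binaries, so in practice these rules are paired with signer or hash checks.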