The first quarter of 2025 saw a marked increase in ransomware hacks, cybersecurity consultancy firm NCC Group warned in a new study. Ransomware attacks and leaks were at an all-time high. That was the bad news. The even worse news is that it could get worse, as attackers are employing ever more convincing attacks, tricking users by making it look like emails and texts are coming from HR and IT departments.
According to NCC Group, Q1 2025 saw a 28% increase in cyber attacks over the previous quarter. The cybercriminal group Cl0p, believed to have ties to Russia, was responsible for the most ransomware attacks during the quarter, at 19%. Second was Akira, with a 52% increase in attacks over the previous quarter, and third most active was RansomHub.
This year has seen a marked increase in “malvertising,” which exploits online advertisements to disseminate malware. The number of malvertising attacks heavily increased throughout 2024 and is likely to remain a pervasive threat in 2025.
More Zero Days!
Zero-day attacks also remain a significant threat in the first quarter of this year. NCC Group further cautioned that the vendor most affected by the increase is Microsoft, which has seen 34% of all exploited zero-days so far this year.
“Ransomware attacks hit unprecedented levels over the past months, with the volume of incidents year-on-year increasing 46% in March alone,” explained Matt Hull, head of Threat Intelligence at NCC Group.
“Hack and leak numbers were at an all-time high in Q1 2025,” Hull told ClearanceJobs. “As ever, we are seeing threat actors diversifying and leveraging increasingly complex and sophisticated attack methods to stay ahead—not only to cause mass disruption but to gain attention in the ransomware world. All in all, threat actors remain active, adjusting and adapting their methods to their advantage.”
Hull said it is a unique and challenging time for organizations, which face evolving tactics, including AI-enabled malvertising, and a turbulent geopolitical landscape.
“It’s more important than ever for organizations and individuals alike to remain vigilant and be adaptive to keep pace with these fast-changing threats,” Hull continued.
HR and IT-related Phishing Campaigns on the Rise
Cybersecurity researchers at KnowBe4 also warned in their newly released Q1 2025 Phishing Report that there has been a rise in deceptive email campaigns, with fake HR and IT-related emails accounting for more than 60% of top-clicked phishing emails.
KnowBe4 found that organizations are highly susceptible to branded landing pages from Microsoft, LinkedIn, and Google, which ranked as the top three most effective phishing destinations for harvesting credentials.
The study found that 60.7% of the phishing simulations that were clicked mentioned internal teams, while 49.7% of the simulations clicked mentioned HR specifically.
“People were more likely to click on links related to internal topics or impersonating known brands (61.6%), with 68.6% involving domain spoofing,” KnowBe4 reported. It also found that in the simulation testing, the top three QR codes people scanned were related to a new drug and alcohol policy from HR (14.7%), a DocuSign for review and signing (13.7%), and a Workday happy birthday message (12.7%).
“It’s not surprising to see HR-related phishing attacks in the reported phishes and repeatedly in the top ten subject lines. This has always been a very useful type of email to use against employees, as HR encounters can be considered a bit scary and drive people to make quick responses while in a state of fear,” explained Erich Kron, security awareness advocate at KnowBe4.
Kron told ClearanceJobs that the use of branded landing pages can be “a great help” to cybercriminals.
“Major brands have spent a lot of money on advertising, so the name is already something we’re familiar with and likely have some level of trust built with,” Kron added. “Well-known brands also mean that the likelihood of a victim using the product is greatly increased, and the familiarity of things like branded pages designed to steal login information uses the familiarity to further lower the guard of potential victims. Odds are the employee has seen a login page from the well-known company being copied already, and therefore it seems normal to be asked to enter credentials.”
Some of the HR tactics seem almost too far-fetched to believe, but they’re still tricking people.
“It is interesting to see a topic of dress code changes so high in the subject lines, especially given the popularity of work-from-home jobs,” said Kron. “People are more likely to expect dress code enforcement within the office environment as opposed to in their own homes, but bad actors are still using this tactic. The fact is, if it were ineffective, it would not be used so often.”
The warning, as always, is to think before you click.