Akamai Technologies, the cybersecurity and cloud computing company that powers and protects business online, has found that threat actors are using a new quadruple extortion tactic in ransomware campaigns, while double extortion remains the most common approach.
According to the new Akamai State of the Internet (SOTI) report, Ransomware Report 2025: Building Resilience Amid a Volatile Threat Landscape, the emerging trend of quadruple extortion includes using distributed denial-of-service (DDoS) attacks to disrupt business operations and harassing third parties — like customers, partners, and media — to increase the pressure on the victim. It builds on double extortion ransomware in which attackers simply encrypt a victim’s data and threaten to leak it publicly if the ransom isn’t paid.
Ransomware threats today aren’t just about encryption anymore,” said Steve Winterfeld, Advisory CISO at Akamai. “Attackers are using stolen data, public exposure, and service outages to increase the pressure on victims. These methods are turning cyberattacks into full-blown business crises, and are forcing companies to rethink how they prepare and respond.”
Other key findings from the report include:
GenAI and large language models (LLMs) are helping to increase the frequency and scale of ransomware attacks by making it easier for individuals with less technical expertise to launch sophisticated campaigns. These individuals and groups use LLMs to write ransomware code and improve their social engineering tactics.
Hacktivist/ransomware hybrid groups are increasingly using ransomware as a service (RaaS) platforms to amplify their impact, driven by a mix of political, ideological, and financial motives. These groups have evolved from previous hacktivist organizations; for example, Dragon RaaS emerged in 2024 as an offshoot of Stormous, shifting its focus from targeting major corporations to smaller organizations with weaker security.
Cryptominers pose their own unique danger, but their goals and the strategies they employ are similar to those of ransomware groups. Akamai researchers found that nearly half the cryptomining attacks they analyzed targeted nonprofit and educational organizations, likely because of a lack of resources within these industries.
The TrickBot malware family, used by ransomware groups globally, has extorted more than US$724 million in cryptocurrency from victims since 2016. The Akamai Guardicore Hunt Team recently spotted this malware family linked to four suspicious scheduled tasks on five customers’ systems.
The report also features an analysis of the current state of legal and regulatory efforts that affect how organizations respond to ransomware. Akamai Vice President and Chief Privacy Officer James A. Casey notes that while existing cybersecurity laws apply to ransomware, specific regulations focus on discouraging ransom payments. He also highlights the importance of robust cybersecurity measures, incident reporting, and risk management, as well as strategies like Zero Trust and microsegmentation, to build resilience against evolving ransomware threats. Casey stresses the necessity for organizations to stay informed and adapt to emerging threats.
