Organisations across the Asia-Pacific and Japan (JAPAC) region are putting their security posture first, and many are now detecting intrusions early in the attack lifecycle, before attackers can execute their objectives. This has led to an increase in incident response cases that are contained at the network access stage. Despite progress, ransomware and extortion campaigns continue to succeed at significant rates. Analysing Palo Alto Networks’ Unit 42 incident response cases, Unit 42 researchers found that in response, threat actors are intensifying their tactics, using more aggressive methods to pressure victims and secure higher, more consistent payouts. Organisations therefore must stay aware of trends in ransomware and employ a defence-in-depth strategy for protection to remain prepared for ransomware attacks.

"We’re seeing a clear shift in how ransomware and extortion actors operate globally and across the Asia-Pacific and Japan region. Attackers are shifting from traditional encryption tactics to more aggressive and manipulative methods including false claims, insider access, and tools that disable security controls,” said Philippa Cogswell, Vice President and Managing Partner, Unit 42, Asia-Pacific & Japan, Palo Alto Networks. “These new and evolving tactics show just how critical it is for organisations to move beyond reactive defences and invest in security strategies that provide full visibility and rapid response across their environments.”

In Australia, ransomware and cyber extortion remain significant threats. The Australian Signals Directorate (ASD) reported that 71% of extortion-related cybersecurity incidents it responded to in the 2023–24 financial year involved ransomware. While organisations have made strides in early detection and incident response, attackers continue to view Australia as a viable and vulnerable target. This reflects the persistent and evolving nature of cyber threats in Australia, highlighting the need for organisations to adopt comprehensive cybersecurity strategies and remain vigilant against such attacks.

Key findings of the report include:

• Attackers are lying to get paid: Unit 42 observed a growing number of cases of extortion scams using fake data and even physical ransom notes sent to executives’ homes.
• Manufacturing remains the top ransomware target, continuing a trend that has persisted for several years. The second most impacted industry is wholesale & retail, followed by professional & legal services.
• Ransomware activity by location headquarters: The most targeted regions for attackers are the United States, Canada, UK, Germany.
• Cloud and endpoint security are under siege: Attackers are increasingly using “EDR killers” to disable endpoint security sensors and targeting cloud systems more aggressively than ever before.
• AI-generated insider threat extortion on the rise: North Korean operatives using AI-generated identities to post as remote IT workers have extorted companies by stealing proprietary code and threatening public leaks.
• RansomHub emerges as top ransomware variant: RansomHub became the most prolific ransomware observed during the reporting period. This marks a sharp rise from mid-2024, when it was first identified as an emerging threat to watch.

To read the full report, please visit: https://unit42.paloaltonetworks.com/2025-ransomware-extortion-trends/

About Palo Alto Networks

As the global cybersecurity leader, Palo Alto Networks (NASDAQ: PANW) is dedicated to protecting our digital way of life via continuous innovation. Trusted by more than 70,000 organizations worldwide, we provide comprehensive AI-powered security solutions across network, cloud, security operations and AI, enhanced by the expertise and threat intelligence of Unit 42. Our focus on platformization allows enterprises to streamline security at scale, ensuring protection fuels innovation. Explore more at www.paloaltonetworks.com.