Ransomware's New Face: Cybercriminals Adopting Hacktivist Tactics

A new report from cybersecurity and cloud computing company Akamai reveals a troubling evolution in the world of cybercrime: ransomware is no longer just about making money; it's also a weapon for spreading political propaganda.

Akamai's "State of the Internet 2025" report highlights how some ransomware groups are increasingly behaving like hacktivists—hackers who use their skills to advance political or social agendas. These ransomware-as-a-service (RaaS) groups, driven by ideology, are even using their ill-gotten gains to fund campaigns that further their beliefs.

"We are seeing actors like DragonForce and KillSec blend ideology with extortion, turning ransomware into a weapon of disruption rather than just a tool for profit," explains Reuben Koh, Akamai's Director of Security Technology and Strategy for Asia-Pacific & Japan. "This fusion of hacktivism and RaaS blurs attribution and complicates response." These RaaS groups rely on a vast criminal ecosystem, including developers, affiliates, the zero-day market, and initial access brokers, all crucial for orchestrating their attacks.

Key Players in the Hybrid Threat Landscape

Several groups stand out in this emerging landscape:

• DragonForce: This prominent Malaysia-based group specifically targets systems in India and Israel, but has also launched significant ransomware attacks in the UK and the United States.

• Stormous: Known for attacking major companies like Coca-Cola and Mattel, Stormous often leaves ransom notes in Arabic. It focuses on countries perceived as unfriendly to Russia or aligned with Western interests, including France, Spain, the US, and India.

• KillSec: Emerging in October 2023, KillSec supports pro-Russian political ideologies and primarily targets government and healthcare sectors. It has shown a particular interest in Asian countries such like India and Bangladesh, as well as the United States.

• CyberVolk: Originally a political hacktivist group from 2024, CyberVolk now employs ransomware to attack critical systems in NATO-aligned countries. It often targets Spain, using ransomware in retaliation against perceived adversaries of Russia or India.

Ransomware's Growing Impact in Asia

The report also cites data from eCrime Threat and Risk Intelligence Services, indicating that Asia has become a major target for ransomware attacks. In 2024, India experienced 17 attacks on its financial institutions, surpassing the UK's 16 and Canada's 11. While these figures are still lower than the 151 attacks reported in the US last year, Koh warns, "India’s growing geopolitical relevance and digital infrastructure make it a high-value target for hybrid ransomware groups. This highlights the urgent need for resilient, intelligence-led cyber defences across Indian enterprises and critical infrastructure that can adapt to the ever-changing threat landscape and adversaries."

Countering the Threat

Efforts are underway to mitigate the impact of ransomware. Since 2022, FBI decryption keys have helped US victims avoid over $800 million in ransom payments, safeguarding sensitive data. Governments are increasingly banning ransom payments to threat actors, as paying doesn't guarantee data recovery. Additionally, cyber insurance providers are incentivising organisations to bolster their security programs and offering their expertise to negotiate lower ransomware demands.

As ransomware continues to evolve, merging financial gain with ideological warfare, what new strategies will organisations and governments need to adopt to stay ahead of these increasingly sophisticated and motivated adversaries?