TL;DR

  • Ransomware attacks increased 34% in 2025, with SMBs accounting for 88% of victims
  • Qilin and Akira are the most active groups right now, both targeting manufacturing and professional services
  • Phishing and stolen VPN credentials remain the primary entry points
  • The average ransom payment dropped to $1 million (down 50%), but total recovery costs still average $254,000+

The Current Landscape

Ransomware groups operate like franchises now. The Ransomware-as-a-Service (RaaS) model lets technically unskilled attackers rent malware and infrastructure from professional operators. The result: attacks happen every 19 seconds globally, and 47% of small businesses under $10 million in revenue got hit in the past year.

For Seattle and Tacoma businesses, the math is simple. You're not too small to target. You're exactly the right size because you have fewer defenses and can't afford extended downtime.

Here's who's doing the damage in 2025.


1. Qilin

Activity Level: Most active group in 2025, averaging 75 victims per month in Q3

How They Get In:

  • Compromised VPN credentials purchased from initial access brokers
  • Exploitation of Fortinet/FortiGate vulnerabilities (CVE-2024-55591, CVE-2024-21762)
  • Phishing campaigns using stolen credentials

What Makes Them Dangerous:
Qilin runs like a startup. They offer affiliates up to 85% revenue share, which attracts skilled operators. They've been linked to attacks on healthcare providers and government agencies, including Ukraine's Ministry of Foreign Affairs. Microsoft confirmed North Korean group Moonstone Sleet deployed Qilin ransomware in 2025, marking the first known use of third-party RaaS by a nation-state actor.

Industries Targeted: Healthcare, financial services, government, manufacturing


2. Akira

Activity Level: 348% increase in victims Q2 2025 vs Q2 2024, roughly 130 victims per quarter

How They Get In:

  • Compromised remote access solutions (VPN, RDP)
  • Stolen or brute-forced credentials
  • Exploiting unpatched systems

What Makes Them Dangerous:
Akira targets Windows, Linux, and VMware ESXi systems. In one documented case, they bypassed endpoint detection by pivoting through an unsecured webcam on the network. They've hit over 250 organizations and collected an estimated $42 million in ransom payments since emerging in 2023.

In July 2025, Akira claimed responsibility for breaching a U.S. defense contractor.

Industries Targeted: Manufacturing, business services, construction


3. RansomHub

Activity Level: Rose to prominence in 2024; activity declined in Q2 2025 as affiliates migrated to other groups

How They Get In:

  • Mass exploitation of vulnerabilities
  • Phishing with AI-generated lures
  • Compromise of trusted vendors in supply chain

What Makes Them Dangerous:
RansomHub attracted former LockBit and ALPHV affiliates after those groups faced law enforcement action. Their geographic spread is wide, and they've demonstrated ability to hit organizations across multiple industries simultaneously.

Industries Targeted: Broad targeting, including professional services and retail


4. Cl0p (Clop)

Activity Level: Surges tied to specific vulnerability exploits, most notably MOVEit

How They Get In:

  • Zero-day and N-day exploitation of file transfer software
  • Supply chain compromises
  • Targeting managed service providers to reach their clients

What Makes Them Dangerous:
Cl0p doesn't encrypt files in most attacks. They steal data and threaten to publish it. The 2023 MOVEit exploit affected 2,773 organizations, and stolen data from that campaign was still being published on dark web forums in late 2024. If you used Progress Software's MOVEit Transfer, you may have been affected even if you never received a direct ransom demand.

Industries Targeted: Organizations using specific vulnerable software, especially file transfer tools


5. Play

Activity Level: 369 disclosed victims in 2024, consistent activity into 2025

How They Get In:

  • Exploitation of VPN and RDP vulnerabilities
  • Custom-built tooling
  • Low-profile approach (fewer headlines, steady operations)

What Makes Them Dangerous:
Play focuses on government agencies, police networks, and critical infrastructure, particularly in Latin America and Europe. But they're opportunistic and will hit targets of convenience. Their victim disclosures come in waves designed to pressure specific targets.

Industries Targeted: Government, public sector, critical infrastructure


6. Medusa

Activity Level: Stepped up significantly in late 2024 and into 2025

How They Get In:

  • Phishing campaigns
  • Exploitation of exposed services
  • Credential stuffing attacks

What Makes Them Dangerous:
Medusa both runs a RaaS operation and conducts negotiations directly. They offer deadline extensions for payment, which suggests a sophisticated understanding of victim psychology and cash flow constraints. They've hit high-profile targets and aren't afraid of attention.

Industries Targeted: Financial services, healthcare, education


7. DragonForce

Activity Level: 212.5% surge in attacks in 2025

How They Get In:

  • Advertising on dark web forums for affiliates
  • Reusing LockBit and Conti code
  • Bring-your-own-vulnerable-driver (BYOVD) techniques to bypass security tools

What Makes Them Dangerous:
DragonForce offers affiliates up to 80% of ransom proceeds and provides ransomware builders for Windows, Linux, ESXi, and NAS devices. They blur the line between extortion and analytics by offering "data audit services" that help affiliates identify high-value files. They're scaling like a legitimate tech company.

Industries Targeted: Broad targeting, opportunistic


How They All Get In (And What Actually Stops Them)

Despite the variety of groups, the entry points are consistent:

Entry Method               Percentage           What Stops It
Phishing                   40%+ of incidents    Security awareness training, email filtering, MFA
Stolen/Weak Credentials    30%+ of incidents    MFA everywhere, password policies, credential monitoring
Unpatched Vulnerabilities  30%+ of incidents    Patch management, especially edge devices (VPN, firewall)
Exposed RDP                Significant          VPN or zero-trust access, MFA, network segmentation

The uncomfortable truth: Most ransomware attacks succeed because of basics that weren't in place. MFA alone stops the majority of credential-based attacks. Patching internet-facing systems within 72 hours of critical CVE disclosure stops most vulnerability exploitation. Security awareness training reduces successful phishing by 60-80%.
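Two of the entry methods above (stolen or brute-forced credentials and logins that never had MFA in front of them) leave a visible trace in VPN authentication logs. The script below is an added example, not tooling from this post or from Rain City: it parses a constructed, simplified log format (the "vpn auth ... user= src= mfa=" layout and field names are assumptions, not any vendor's real format), flags a source IP that fails against many distinct accounts in a short window (a password spray, the shape credential stuffing takes), notes whether that source later succeeded, and separately lists any successful login that completed without MFA, which is the policy gap the checklist is about.

```python
"""Spot password-spray activity and MFA gaps in VPN auth logs.

Added example for illustration; not the post's own tooling. The log line
layout and its field names are assumptions chosen for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log: one source fails across five accounts in ten seconds,
# then succeeds as "frank" with no MFA; a normal user mistypes once and recovers.
SAMPLE_LOG = """\
2025-09-10T08:00:01Z vpn auth FAIL user=alice src=203.0.113.7 mfa=no
2025-09-10T08:00:03Z vpn auth FAIL user=bob src=203.0.113.7 mfa=no
2025-09-10T08:00:05Z vpn auth FAIL user=carol src=203.0.113.7 mfa=no
2025-09-10T08:00:07Z vpn auth FAIL user=dave src=203.0.113.7 mfa=no
2025-09-10T08:00:09Z vpn auth FAIL user=erin src=203.0.113.7 mfa=no
2025-09-10T08:00:11Z vpn auth OK user=frank src=203.0.113.7 mfa=no
2025-09-10T08:15:00Z vpn auth OK user=alice src=198.51.100.20 mfa=yes
2025-09-10T08:16:00Z vpn auth FAIL user=alice src=198.51.100.20 mfa=yes
2025-09-10T08:16:30Z vpn auth OK user=alice src=198.51.100.20 mfa=yes
"""

# Assumed line format: "<ISO timestamp> vpn auth <OK|FAIL> user=<u> src=<ip> mfa=<yes|no>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn auth (?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) mfa=(?P<mfa>yes|no)$"
)


def parse(text):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event = m.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def find_credential_attacks(events, window=timedelta(minutes=10), min_users=5):
    """Return findings of two kinds:
    - password_spray: one source IP failed against >= min_users distinct accounts
      inside `window`, with a note of any later successful login from that source
    - login_without_mfa: a successful login that was not protected by MFA
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "FAIL"]
        # Slide a time window across this source's failures, counting distinct accounts.
        for i, first in enumerate(fails):
            users = {first["user"]}
            for later in fails[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                users.add(later["user"])
            if len(users) >= min_users:
                later_ok = [e for e in evs if e["result"] == "OK" and e["ts"] >= first["ts"]]
                findings.append({
                    "type": "password_spray",
                    "src": src,
                    "distinct_users": len(users),
                    "followed_by_success": bool(later_ok),
                    "success_users": sorted({e["user"] for e in later_ok}),
                })
                break  # one finding per source is enough to trigger a response

    # A successful login with mfa=no is a coverage gap whether or not it was an attacker.
    for e in events:
        if e["result"] == "OK" and e["mfa"] == "no":
            findings.append({"type": "login_without_mfa", "src": e["src"], "user": e["user"]})
    return findings


if __name__ == "__main__":
    for f in find_credential_attacks(parse(SAMPLE_LOG)):
        print(f)
```

On the constructed sample this reports one spray from 203.0.113.7 across five accounts that was followed by a successful login as "frank", and one login without MFA (the same "frank" event). In practice the window and the distinct-account threshold are the two knobs to tune against your own VPN's normal failure rate; the MFA check needs no tuning, since any successful login without a second factor on an internet-facing VPN is a finding on its own.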


What Changed in 2025

Three shifts worth noting:

1. Payments are down, attacks are up. Only 23-37% of victims paid ransom in 2025, the lowest rate on record. But attacks increased 34%. Groups are compensating with volume.

2. Data exfiltration is the real threat. 76% of ransomware incidents now include data theft before encryption. Even with perfect backups, attackers can threaten to publish your data. Defense has shifted from "backup and restore" to "detect and prevent exfiltration."

3. AI-generated phishing is harder to spot. Darktrace noted a 135% spike in novel social engineering attacks coinciding with ChatGPT adoption. The classic "bad grammar" tell for phishing is gone.


Action Checklist for Seattle/Tacoma SMBs

  • [ ] Enable MFA on VPN, email, and all admin accounts (stops 80%+ of credential attacks)
  • [ ] Patch edge devices first (firewalls, VPN appliances, remote access tools)
  • [ ] Verify backup recovery works and includes offline/immutable copies
  • [ ] Run phishing simulations quarterly (users are still the primary target)
  • [ ] Segment your network (attackers shouldn't reach everything from one compromised device)
  • [ ] Monitor egress traffic (data theft happens before encryption)
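The last checklist item, monitoring egress traffic, is where the "data theft before encryption" shift in the section above becomes detectable: a host that quietly pushes hundreds of megabytes to an address it has never talked to before stands out against its own history even when nothing has been encrypted yet. The script below is an added example, not tooling from this post or from Rain City. It aggregates constructed flow records (the CSV layout and hostnames are assumptions for the example) into per-host daily outbound totals, builds a baseline from the first few days, and flags any later day whose volume exceeds a multiple of that baseline, listing destinations not seen during the baseline.

```python
"""Flag hosts whose outbound volume spikes far above their own baseline.

Added example for illustration; not the post's own tooling. The flow record
layout (date,src_host,dst_ip,bytes_out) and all hostnames and addresses are
constructed for the example.
"""
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample: a file server that normally sends ~12 MB/day to one
# address suddenly sends 480 MB to a new one; a workstation stays flat.
FLOWS_CSV = """\
date,src_host,dst_ip,bytes_out
2025-09-01,FILESRV01,203.0.113.50,12000000
2025-09-02,FILESRV01,203.0.113.50,11000000
2025-09-03,FILESRV01,203.0.113.50,13000000
2025-09-04,FILESRV01,203.0.113.50,12500000
2025-09-05,FILESRV01,198.51.100.99,480000000
2025-09-01,WS-ACCT-07,203.0.113.50,300000
2025-09-02,WS-ACCT-07,203.0.113.50,320000
2025-09-03,WS-ACCT-07,203.0.113.50,290000
2025-09-04,WS-ACCT-07,203.0.113.50,310000
2025-09-05,WS-ACCT-07,203.0.113.50,305000
"""


def load_daily_egress(text):
    """Aggregate flow rows into {host: [(date, total_bytes_out, {dst_ips}), ...]}
    sorted by date, summing across multiple flows on the same day."""
    agg = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for row in csv.DictReader(io.StringIO(text)):
        day = agg[row["src_host"]][row["date"]]
        day[0] += int(row["bytes_out"])
        day[1].add(row["dst_ip"])
    return {
        host: [(date, total, dsts) for date, (total, dsts) in sorted(days.items())]
        for host, days in agg.items()
    }


def egress_anomalies(per_host, baseline_days=4, ratio=5.0):
    """Compare every day after the baseline period against the host's own mean.

    A day is flagged when its outbound bytes reach `ratio` times the baseline
    mean (or when a host with a zero baseline sends anything at all). Each
    finding lists destinations that never appeared during the baseline, since
    a new external address combined with a volume spike is the pattern worth
    investigating first.
    """
    findings = []
    for host, days in per_host.items():
        if len(days) <= baseline_days:
            continue  # not enough history to judge this host yet
        baseline = days[:baseline_days]
        base_mean = mean(total for _, total, _ in baseline)
        known_dsts = set().union(*(dsts for _, _, dsts in baseline))
        for date, total, dsts in days[baseline_days:]:
            spike = total > 0 if base_mean == 0 else total / base_mean >= ratio
            if not spike:
                continue
            findings.append({
                "host": host,
                "date": date,
                "bytes_out": total,
                "baseline_mean": base_mean,
                "ratio": round(total / base_mean, 1) if base_mean else float("inf"),
                "new_destinations": sorted(dsts - known_dsts),
            })
    return findings


if __name__ == "__main__":
    for f in egress_anomalies(load_daily_egress(FLOWS_CSV)):
        print(f)
```

On the sample data FILESRV01 is flagged on 2025-09-05 at roughly 40 times its baseline with 198.51.100.99 as a never-before-seen destination, while WS-ACCT-07 is silent. A per-host baseline matters more than a fixed byte threshold: a backup server and an accounting workstation have nothing in common, and a single global cutoff either drowns you in alerts from the former or misses the latter entirely.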

How Rain City Can Help

Ransomware Readiness Assessment (Free, 45 minutes)

We'll evaluate your current defenses against the specific tactics these groups use:

  • MFA coverage audit
  • Edge device patch status review
  • Backup and recovery verification
  • Phishing susceptibility baseline
  • Network segmentation analysis

You'll get a prioritized list of gaps ranked by likelihood of exploitation, not theoretical best practices.

Schedule assessment


Sources:

  • ReliaQuest Q2 2025 Ransomware Report
  • Cyfirma Ransomware Tracking March 2025
  • Sophos State of Ransomware 2025
  • Flashpoint RaaS Analysis 2025
  • Check Point Q3 2025 Ransomware Report
  • Verizon 2025 DBIR
  • FBI IC3 2024 Internet Crime Report