Title Business Radar
Owner Business Radar

Few issues keep cybersecurity professionals up at night more than the threat of ransomware. The ubiquity of targets, the relative organization of threat actors, and their multiple paths of entry make combating ransomware particularly formidable.

But there is one more facet to this threat that makes ransomware a vexing problem across all organizations: it’s evolving, constantly.

In a new report released today by Rapid7 Labs, researchers, threat intelligence experts, and detection & response teams have put together the latest state-of-play in the ransomware space. The Ransomware Radar Report offers some startling insights into who ransomware threat actors are and how they’ve been operating in the first half of 2024.

The fact of the matter is, ransomware as a business is booming. Over the first half of 2024, Rapid7 researchers found an increase of 23% in the number of posts ransomware groups were making to their leak sites. This correlates with the number of extortion attempts these groups are making, as they are rarely quiet about who they infiltrate. Surprisingly, one of the newest groups, RansomHub, made the second-highest number of posts among the groups studied, with 181 over that six-month period. But, to put that into perspective, the leader, well-established LockBit, made 474 posts over the same time period.

This leads us to another intriguing finding: the number of new (or revamped) ransomware groups. We found that among a total of 68 unique groups posting extortion attempts, some 21 were either net new or rebranded from previous groups. The rebranded groups may indicate a bit of a silver lining as they are potentially due to the success of some recent law enforcement actions against ransomware threat actors.

However, threat actors are only half of the equation. The report also notes that the ransomware ecosystem may be moving away from the attacks on “big fish” we had seen in the past and toward smaller organizations as juicier targets. For instance, organizations with $5 million in annual revenue were five times more likely to be targeted than their larger counterparts. This could be for a lot of reasons, not the least of which is that these smaller organizations hold much of the same data threat actors are after, but they often have less mature security precautions in place.

Ransomware actors are also getting more sophisticated as businesses. They have their own marketplaces, sell their own products, and in some cases have 24/7 support. They also seem to be creating an ecosystem of collaboration and consolidation in the kinds of ransomware they deploy. Rapid7 researchers looked at different ransomware variants and found three distinct clusters of similarities. Essentially, many of these ransomware strains resemble one another. This could indicate collaboration among groups, reuse of source code, or the use of common builders. Other research avenues indicated that the number of ransomware families is going down — potentially showing that threat actors are focusing their efforts on more effective or specialized approaches.

The takeaways in this blog post are only the tip of the iceberg. The Ransomware Radar Report goes deep into the kinds of encryption algorithms that are trending at the moment and why, details on prevailing coding languages, and the varied tactics threat actors use to infiltrate organizations. To get the latest on ransomware and ensure your organization is well-informed and prepared for the fight against these threat actors, download the report here.

Email Threat Radar – July 2025

During July, Barracuda threat analysts identified several notable email-based threats targeting organizations around the world. Many of them leveraged popular phishing-as-a-service (PhaaS) kits. The threats include:

Phishing attacks abusing Autodesk Construction Cloud

Barracuda’s threat analysts have seen attackers abusing the Autodesk Construction Cloud to deliver sophisticated phishing attacks. The Autodesk Construction Cloud is a set of online collaboration tools for people working on construction projects, from design and build to project management and budgeting.

In the attacks seen by Barracuda, attackers impersonate a trusted executive and send official-looking project notifications through Autodesk. The notifications lead recipients to an Autodesk-hosted page containing a seemingly harmless ZIP file.

Opening the HTML file brings up a fake CAPTCHA verification screen — a common technique in phishing because it lends credibility to the attack and helps it bypass automated security detection. The user is then prompted to enter Microsoft login credentials on a convincingly spoofed page.

This campaign employs the Tycoon 2FA phishing kit, which is designed to mimic Microsoft’s login and can bypass two-factor authentication protections.

Attackers target U.S. road users with new toll scam

A new phishing scam is targeting U.S.-based drivers with fake notices about unpaid tolls. Victims receive urgent messages via text, email or phone calls, often appearing to come from legitimate toll agencies. These messages claim the recipient owes a fee and threaten account suspension or legal action if payment is not made immediately.

Tactics that include urgency and official branding pressure recipients to act without verifying the legitimacy of the message, making this scam highly effective.

Phishing campaign impersonating the Zix Secure Message Center

This campaign mimics the Zix Secure Message Center, an encrypted email service that is popular with organizations in healthcare, finance, legal and government sectors.

Victims receive an email about a supposed secure message, with a link to click to view it. The link takes users to a fake Zix page where they are asked to enter their email. They are then redirected to a fraudulent Microsoft login page designed to steal credentials.

EvilProxy fake voicemail attack spoofing RingCentral

Barracuda’s threat analysts have seen a sophisticated phishing attack using fake voicemail alerts to trick victims into entering their credentials on malicious sites.

Posing as RingCentral, a popular cloud-based business communications and collaboration platform, attackers send convincing emails about a ‘new voicemail,’ complete with personalized details. Clicking the play button initiates a series of redirections — starting with a trusted newsletter platform (Beehiiv), followed by legitimate cloud hosting (Linode), and finally a verification step on glitch.me.

These steps help the attack evade detection and add credibility. The destination is a phishing page using the EvilProxy PhaaS kit, designed to harvest Microsoft credentials, even bypassing common security checks. This multilayered approach makes the attack difficult to spot and highly effective.

Gabagool is a sophisticated PhaaS kit known for its stealth and effectiveness and for targeting corporate and government employees with advanced credential-stealing tactics. Barracuda’s threat analysts have spotted attackers using Gabagool and the file-sharing functionality of the Notion.com business productivity tool to distribute malicious PDF files containing phishing links. The PDFs lead to phishing pages designed to steal user credentials. By leveraging a trusted platform and seemingly innocuous PDFs, attackers increase the chances of bypassing standard security controls.

Bundling Copilot and SharePoint brands for phishing

Cybercriminals are combining Microsoft SharePoint and Copilot branding in phishing schemes, crafting emails that look like genuine ‘Document shared’ alerts from internal or vendor accounts. These messages encourage recipients to click links leading to expertly spoofed Microsoft login pages. The campaign targets organizations that rely on Microsoft tools, aiming to harvest login credentials from unsuspecting employees.

LogoKit supports credential theft using Roundcube webmail service

This phishing campaign targets users of the Roundcube free open-source webmail client with fake password expiration alerts, warning that their passwords will expire in 48 hours unless action is taken. The message includes a link, supposedly to retain the current password, but it leads to a phishing site built using the LogoKit toolkit. Here, users are prompted to enter their credentials, which are then harvested by attackers.

Tycoon PhaaS link distributed as project document download

This phishing campaign circulates emails disguised as legitimate business documents, such as ‘Project Overview.pdf.’ Victims are enticed to click on download links, which redirect through several intermediate pages to mask the malicious intent, eventually landing on a Tycoon PhaaS-hosted phishing site. This modular and evasive strategy helps criminals bypass detection and increases the longevity of malicious URLs. The campaign targets business users accustomed to exchanging documents, making them more likely to trust and interact with the phishing links, resulting in stolen credentials and potential business compromise.

How Barracuda Email Protection can help your organization

Barracuda Email Protection offers a comprehensive suite of features designed to defend against advanced email threats.

It includes capabilities such as Email Gateway Defense, which protects against phishing and malware, and Impersonation Protection, which safeguards against social engineering attacks.

Additionally, it provides Incident Response and Domain Fraud Protection to mitigate risks associated with compromised accounts and fraudulent domains. The service also includes Cloud-to-Cloud Backup and Security Awareness Training to enhance overall email security posture.

Barracuda combines artificial intelligence and deep integration with Microsoft 365 to provide a comprehensive cloud-based solution that guards against potentially devastating, hyper-targeted phishing and impersonation attacks.

Further information is available here.
