Singapore’s ransomware risk in 2025 was not defined by one dramatic outage. It was defined by volume, timing, and repeatable tradecraft. According to reporting on ThreatBook’s 2025 Singapore Threat Intelligence Report, ransomware attacks rose sharply across the year and peaked in July, with technology and finance among the hardest-hit sectors, alongside manufacturing and government.
That July spike matters because it reflects how ransomware groups now operate: opportunistically, at speed, and with clear attention to global vulnerability cycles. Campaigns are increasingly timed to the disclosure of high-impact software vulnerabilities, when patch gaps are predictable and scanning activity is intense. When defenders think in quarters and attackers think in hours, the advantage is obvious.
ThreatBook’s framing points to a familiar pattern. Attackers watch for moments when exposure expands, such as when widely used products disclose fresh vulnerabilities and organisations scramble to test and deploy patches. This is not just “patch faster” advice. It is a lesson about operational tempo. If a business cannot rapidly identify where a vulnerable product exists, who owns it, and what is internet-facing, then the window of exposure is effectively unmanaged.
The July timing also aligns with how ransomware groups pick targets. Rather than “one sector at a time”, they often prioritise environments where access is likely to be monetised quickly: companies with complex supply chains, always-on services, and time-sensitive operational pressure. Technology and finance are obvious candidates because they combine data density with high expectations for uptime.
ThreatBook highlighted five active ransomware groups in Singapore’s 2025 picture: Qilin, DireWolf, Lynx, DevMan, and Akira. Their branding and sector focus vary, but the core approach increasingly converges into the same business model: steal data, encrypt systems, then threaten public leaks to force payment.
That double extortion model is no longer an “extra”. It is the default. ThreatBook’s summary explicitly notes that these groups encrypt systems whilst also exfiltrating data to dark web leak sites. This changes how organisations should measure impact. Even if systems are restored quickly, the breach dimension can persist for months through legal exposure, customer communications, and reputational fallout.
In the ThreatBook summary, Qilin is described as targeting large enterprises using Office macros and Cobalt Strike, then moving laterally with credential-stealing tools and PowerShell scripts. That combination is telling. The techniques are not exotic, but they are reliable, and they exploit everyday enterprise realities: documents still circulate, admin tooling still exists, and PowerShell is still everywhere.
Independent threat research aligns with Qilin’s positioning as a ransomware-as-a-service operation and highlights its ongoing activity across sectors. The practical takeaway is that defenders cannot rely on “novel malware detection” alone. The more consistent control points are identity hardening, macro policy hygiene, endpoint visibility, and rapid containment when remote tooling or credential theft patterns appear.
ThreatBook’s summary notes Akira’s cross-sector activity and references exploitation of VPN vulnerabilities and phishing, alongside segmented encryption and multi-mode data theft. That focus on remote access is consistent with public advisories. A joint StopRansomware advisory on Akira describes how initial access can involve compromised credentials and VPN access, and provides defensive guidance on hardening remote services and monitoring for suspicious activity.
For Singapore-based organisations, the remote access lesson is not limited to VPN patching. It extends to how remote access is governed in practice: whether multi-factor authentication is enforced everywhere, whether access is conditional on device health, and whether vendor remote access is segmented and time-bound. Ransomware operators thrive on long-lived access pathways that no one owns end-to-end.
One of the most useful details in the ThreatBook summary is also the most operational: lateral movement often relies on legitimate administrative tools, including SMB, PsExec, AnyDesk, and RustDesk. This is a crucial point for leadership teams who expect attacks to look like “malware events”. In many ransomware intrusions, the attacker’s most effective tools are the ones the organisation already trusts.
This is where detection must mature beyond simple signatures. If an organisation cannot reliably differentiate expected remote administration from unusual remote administration, then ransomware operators gain room to manoeuvre. A practical example is AnyDesk usage. It may be normal for IT support, but unusual at 3 am from an endpoint that has never run it before, followed by credential access attempts and rapid file enumeration. Individually, each event can look benign. Together, they describe a breach in progress.
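As an added example (not code from this article, from ThreatBook, or from any vendor named on the page), the following Python sketch implements the correlation the paragraph describes: a remote-admin tool launch that is off-hours or from a host outside a baseline, followed within 30 minutes on the same host by a credential-access indicator and a burst of file enumeration. The event schema, the tool list, the business-hours range, the thresholds, the baseline host names and the sample telemetry are all assumptions constructed for illustration; a real deployment would feed this from EDR or SIEM telemetry and tune each threshold.

```python
"""Correlate individually benign endpoint events into a ransomware-style chain.

Added example, not code from the article. Event schema, thresholds and
sample telemetry below are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote administration tools from the article's lateral-movement list (assumed binary names).
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "rustdesk.exe", "psexec.exe", "psexec64.exe"}
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local is treated as normal support time
CHAIN_WINDOW = timedelta(minutes=30)   # follow-on activity must land within this window
FILE_ENUM_THRESHOLD = 200              # directory listings in the window that count as a burst

# Constructed baseline: hosts where IT support routinely runs remote tools.
KNOWN_REMOTE_ADMIN_HOSTS = {"it-helpdesk-01", "it-helpdesk-02"}


def parse(ts):
    """Timestamps are assumed to be naive ISO 8601 strings in local time."""
    return datetime.fromisoformat(ts)


def remote_tool_is_unusual(event, known_hosts=KNOWN_REMOTE_ADMIN_HOSTS):
    """A remote-tool launch is unusual if it is off-hours or from a host outside the baseline."""
    if event["kind"] != "process_start":
        return False
    if event["detail"].lower() not in REMOTE_ADMIN_TOOLS:
        return False
    off_hours = parse(event["ts"]).hour not in BUSINESS_HOURS
    new_endpoint = event["host"] not in known_hosts
    return off_hours or new_endpoint


def correlate(events, known_hosts=KNOWN_REMOTE_ADMIN_HOSTS):
    """Return one alert per unusual remote-tool launch that is followed, on the same host and
    within CHAIN_WINDOW, by a credential-access event and a file-enumeration burst."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO strings sort chronologically
        by_host[e["host"]].append(e)

    alerts = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not remote_tool_is_unusual(start, known_hosts):
                continue
            t0 = parse(start["ts"])
            cred, enum_count = None, 0
            for later in evs[i + 1:]:
                if parse(later["ts"]) - t0 > CHAIN_WINDOW:
                    break
                if later["kind"] == "credential_access" and cred is None:
                    cred = later
                elif later["kind"] == "file_enum":
                    enum_count += int(later["detail"])   # detail = number of listings in that batch
            if cred is not None and enum_count >= FILE_ENUM_THRESHOLD:
                alerts.append({
                    "host": host,
                    "user": start["user"],
                    "tool": start["detail"],
                    "started": start["ts"],
                    "credential_access": cred["detail"],
                    "files_enumerated": enum_count,
                })
    return alerts


# Constructed sample telemetry:
#  - a benign daytime helpdesk session on a baseline host (no alert),
#  - a daytime RustDesk launch on a new endpoint with no follow-on activity (no alert),
#  - a 03:02 AnyDesk launch on a finance workstation, then LSASS access and an
#    enumeration burst inside 30 minutes (alert).
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T10:15:00", "host": "it-helpdesk-01", "user": "svc_support", "kind": "process_start", "detail": "AnyDesk.exe"},
    {"ts": "2025-07-14T10:20:00", "host": "it-helpdesk-01", "user": "svc_support", "kind": "file_enum", "detail": "40"},
    {"ts": "2025-07-14T14:00:00", "host": "hr-ws-03", "user": "m.lee", "kind": "process_start", "detail": "RustDesk.exe"},
    {"ts": "2025-07-15T03:02:00", "host": "fin-ws-117", "user": "j.tan", "kind": "process_start", "detail": "AnyDesk.exe"},
    {"ts": "2025-07-15T03:06:30", "host": "fin-ws-117", "user": "j.tan", "kind": "credential_access", "detail": "lsass.exe handle opened by rundll32.exe"},
    {"ts": "2025-07-15T03:09:00", "host": "fin-ws-117", "user": "j.tan", "kind": "file_enum", "detail": "180"},
    {"ts": "2025-07-15T03:11:00", "host": "fin-ws-117", "user": "j.tan", "kind": "file_enum", "detail": "350"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The point of the chain condition is that none of the three signals alerts on its own: the RustDesk launch on hr-ws-03 is unusual by the baseline rule but produces nothing because no credential access or enumeration follows it, while the same AnyDesk binary on it-helpdesk-01 is ignored entirely. Only fin-ws-117, where all three land inside the window, yields an alert. In practice the baseline set should be learned from historical telemetry rather than hand-maintained, and the enumeration threshold should be set per host role, since file servers and backup agents legitimately enumerate far more than a finance workstation.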
The operational sequence of modern ransomware is increasingly consistent. Initial access arrives through phishing, malware-laden documents, or exposed remote access services such as RDP or VPN. After that, the attacker focuses on privilege, persistence, and discovery, then moves to data theft, and finally triggers encryption once leverage is secured.
For organisations, that changes incident priorities. The question is not only “How quickly can we restore systems?” It is also “What data may have been accessed or extracted before encryption?” Double extortion turns ransomware into a data breach scenario, not just an availability incident. That means evidence preservation, scoping, communications planning, and regulatory decision-making must be integrated into ransomware playbooks, not treated as a separate track.
The most robust ransomware programmes focus on two timelines at once. The first is prevention and containment, which is largely about reducing the likelihood that a single compromised credential becomes domain-wide control. That includes segmentation, least privilege, strong identity controls, and limiting where remote tools can operate.
The second is recovery credibility. Ransomware groups increasingly delete backups or target recovery pathways. ThreatBook’s summary notes behaviours like offline encryption and backup deletion among active groups. The organisations that recover best are those that regularly test restoration under pressure, validate that backups are immutable or isolated, and rehearse the decision-making process when data theft is suspected.
Ransomware is a cybersecurity problem, but it becomes a governance problem the moment personal data exposure is possible. Privacy Ninja supports organisations by strengthening the coordination layer that often fails during ransomware incidents: clarity on roles, accountability, and consistent actions under pressure.
Our DPO-as-a-Service provides a dedicated point of contact to keep PDPA compliance on track, maintain core data protection policies and practices, and handle data protection queries or requests in a structured way. When an incident arises, the DPO helps coordinate the initial response and communications as the organisation’s key data protection contact, so decisions are recorded and follow-up is disciplined. Where technical assurance is required, Privacy Ninja’s vulnerability assessment and penetration testing services help validate common ransomware entry paths, such as exposed remote access, weak segmentation, and identity misconfigurations.
The July 2025 spike is best understood as a warning about speed and convergence. Ransomware groups no longer rely on one trick. They combine phishing, remote access exposure, credential abuse, legitimate admin tools, and double extortion to apply pressure from multiple angles. Singapore’s experience, as summarised in coverage of ThreatBook’s 2025 reporting, shows that ransomware risk is not confined to one sector, and it often accelerates when global vulnerability disclosures widen the attack surface. The organisations that do best are those that treat ransomware as both an operational resilience challenge and a data breach readiness challenge, with controls and response routines that work when time is short.