There has been a wave of new ransomware variants released in recent months, wreaking havoc in critical sectors from healthcare to transportation. The new Akira ransomware, aka Darter or Howling Scorpius, has been a hot topic in cybersecurity recently. It abuses a vulnerability in the Throttlestop driver to carry out its attacks. This strain, which sideloads the Bumblebee loader in its operations, emerged in mid to late 2025. Osiris ransomware hit Panthers Group, the second largest food service franchisee operator in Southeast Asia. In particular, this attack underscores its power in both Windows and Linux environments.
As we have heard from cybersecurity experts, ransomware attacks are more complex and sophisticated than ever before. These attacks are iterating past standard encryption defenses. The advent of new tactics has made it imperative for organizations to bolster their defense mechanisms against this evolving threat landscape.
Akira Ransomware and Its Exploits
The Akira ransomware has made headlines in recent weeks for its unusual method of exploiting vulnerable drivers. Cybersecurity professionals are rightly horrified by a wave of attacks enabled by exploiting the Throttlestop driver. This approach reliably sideloads the Bumblebee loader.
“In recent months, we have observed a notable increase in ransomware attacks that employ innovative techniques,” said a representative from Symantec and Carbon Black. They acknowledged that “attack payloads that use effective encryption” are still the most common attack type, but encryptionless attacks are on the rise. This ongoing evolution poses new challenges to the extortion ecosystem. Ransomware is just one piece of a much bigger picture.
The birth of Akira came as a wake-up call that all companies must be on guard. As attackers get smarter, the risk of costly data breaches and operational disruptions escalates dramatically.
Osiris and Other Ransomware Developments
In late November 2025, Osiris ransomware targeted the regional headquarters of a major food service franchisee operator in Southeast Asia. The strain is made more impressive by the fact that it is written in Rust. This makes it capable of running on many operating systems, including both Windows and Linux. Such versatility makes Osiris one of the most effective opponents in the present-day ransomware environment.
LockBit ransomware further cements its reputation as the go-to ransomware among cybercriminals. Even with extensive law enforcement operations aimed at dismantling LockBit’s infrastructure in early 2024, LockBit has proven itself to be resilient. LockBit 5.0, which was just released in July, represents a cutting-edge two-stage ransomware deployment model. This model separates the loader from the primary payload, increasing its efficacy. This multifaceted strategy makes it effective against a variety of targets.
LockBit at one point was touted for its rapid evolution. Simultaneously, newer threats such as the 01flip ransomware emerged, primarily targeting a specific set of victims based in the Asia-Pacific region. On the other hand, Makop ransomware has branched out to target hospitals in India, as well as companies in Brazil and Germany. It preys on exposed and insecure RDP systems. This enables it to perform a wide range of nefarious tasks, including network scans and credential dumps.
Emerging Threats and Industry Response
Sicarii ransomware has recently appeared on the threat landscape, gaining notoriety for its creepy behavior. Since its debut in late 2025, it has only succeeded in claiming one victim. The main operator’s use of the Telegram account “@Skibcum” for coordinated communication has stood out to analysts.
The second disturbing trend is the increased use of real digital forensics tools by attackers. Storm-2603 also actively employs the Velociraptor DFIR tool during its precursor activities. These behaviors, all of which are relatively easy to engage in, inevitably result in the use of ransomware strains such as Warlock, LockBit and Babuk. This tactic highlights the importance of having your organization uphold a high cybersecurity standard for every tool you use.
Lynx ransomware has shown its capability by being deployed just three days after initial access was gained through compromised RDP credentials. This quick timeline for a credentialed attack underlines the speed with which attackers can maneuver within a network once they get in the door.
“KillAV, which is a tool used to deploy vulnerable drivers for terminating security processes, was also deployed on the target’s network,” – The Symantec and Carbon Black Threat Hunter Team
As organizations continue to wrestle with these growing, still largely novel threats, industry experts say this is the year to take proactive measures. Attackers are now exfiltrating data to Wasabi buckets. The repeated use of the same known malware tools points not only to the same attacker, but possibly to shared connections with other cyberattacks.

