Last month we reported some good news: aggregate ransomware payments are falling. Ransomware nonetheless remains a significant challenge for critical infrastructure organizations, and this month's news highlights the ways adversaries exploit vulnerabilities to maximize disruption and extortion.
From the 87% increase in ransomware attacks on industrial organizations documented in the latest Dragos OT Cybersecurity Report to the joint CISA/FBI advisory on Medusa RaaS and its triple extortion tactics, attackers are constantly refining their methods. Qilin ransomware-as-a-service also continues to make headlines for its role in high-profile breaches.
Meanwhile, researchers have identified a new ransomware operator, SuperBlack, actively exploiting Fortinet firewall vulnerabilities, with thousands of exposed devices still at risk. These threats underscore the need for robust controls: Zero Trust access, mitigation of unpatchable vulnerabilities, and stronger network segmentation to minimize risk and keep essential services running.
Every edition of the Cyber Risk Roundup, we break down the top stories of the month. Here’s what you need to know for March 2025.
Ransomware in Industrial Sectors Continues to Rise, According to Dragos OT Cybersecurity Report
The Dragos OT Cybersecurity Report, now in its eighth annual edition, documents an 87% increase in ransomware attacks targeting industrial organizations in 2024. Manufacturing bore the brunt of these attacks, as adversaries focus on businesses with little tolerance for downtime. No ransomware strain was purpose-built for industrial control systems (ICS), yet attackers still disrupted operations effectively: encrypting IT systems that production depends on is enough.
Every ransomware incident Dragos analyzed had operational impact: 25% caused a full shutdown and 75% a partial disruption. Even brief downtime carries substantial financial and logistical consequences for industrial organizations, which is exactly the leverage these groups rely on.
One of the primary attack vectors was remote access exploitation, which accounted for 20% of incidents. Many breaches stemmed from insecure remote access: default credentials, unpatched VPN appliances, and RDP exposed to the internet. Third-party access paths and the absence of Zero Trust access policies also played a major role in enabling these attacks.
Given the alarming rise in ransomware threats, industrial organizations must prioritize stronger access controls, implementation of Zero Trust security frameworks, and mitigating risks due to unpatchable vulnerabilities to protect critical infrastructure from operational disruptions.
Medusa RaaS Advisory Issued Following Critical Infrastructure Attacks
The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory on the Medusa ransomware-as-a-service (RaaS), which has impacted over 300 critical infrastructure organizations. Medusa uses "double extortion," combining data exfiltration with encryption to pressure victims into paying. The advisory also warns of an emerging "triple extortion" scheme: victims who have already paid are contacted again, this time by a second actor affiliated with Medusa who falsely claims the original ransom was stolen by the negotiator and demands an additional payment for the decryption key.
Organizations are urged to remain vigilant and to implement robust cybersecurity measures to prevent such attacks. The core guidance is unchanged: do not pay the ransom, and make sure preventative controls are in place. In practice, the triple extortion pattern means any post-payment demand should be treated as a new extortion attempt rather than a negotiation error. Zero Trust access policies, network segmentation, and proactive threat monitoring shrink the attack surface and reduce the leverage malicious actors can exert.
Qilin Ransomware Steps Forward as Responsible for Lee Enterprises Attack
Qilin ransomware has been linked to several high-profile cyberattacks, including a February 2025 incident at Lee Enterprises, a major American media company. The group claims to have stolen 350 GB of data from Lee Enterprises, including sensitive information such as investor records and financial arrangements. Beyond media organizations, Qilin has also attacked cultural institutions such as the Houston Symphony and the health ministry of Palau, underlining the group's broad targeting across sectors.
Qilin ransomware was also deployed by an emerging North Korean threat actor known as "Moonstone Sleet," according to Microsoft.
Switzerland becomes latest country to mandate reporting of attacks on critical infrastructure
Switzerland has enacted a new mandate requiring operators of critical infrastructure to report cyber-attacks to national authorities; it takes effect on April 1, 2025. Switzerland thereby joins Australia, the EU, Japan, Singapore, South Korea, the UK, and the US, all of which already impose similar reporting obligations on critical infrastructure operators.
Under this mandate, entities such as energy and drinking water suppliers, transport companies, and cantonal and communal administrations must notify the National Cyber Security Centre (NCSC) within 24 hours of discovering a cyber-attack. The reporting obligation applies if the attack threatens the functionality of critical infrastructure, results in data manipulation or leakage, or involves extortion attempts.
New Ransomware Operator Exploits Fortinet Firewall Vulnerabilities
A newly identified ransomware operator, dubbed "SuperBlack," is actively exploiting two Fortinet vulnerabilities (CVE-2024-55591 and CVE-2025-24472), Forescout has warned. Both are authentication bypasses in FortiOS and FortiProxy that let a remote attacker obtain super-admin privileges on an affected device, putting organizations at serious risk.
Researchers report that nearly 8,000 FortiGate firewalls remain exposed in the United States alone. Patches are available (FortiOS 7.0.17 and later) and should be applied immediately. Until a device is patched, Fortinet's advised workaround is to disable HTTP/HTTPS administrative access on internet-facing interfaces or restrict it to trusted addresses with local-in policies. Organizations should also review FortiOS event logs for the indicators Fortinet published, notably successful admin logins via jsconsole from unexpected source addresses and newly created administrator accounts, and treat a vulnerable device that shows them as already compromised rather than merely unpatched.
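The two checks a defender runs first for this story, as an added example (not code from the roundup, Forescout or Fortinet): a version test against the vulnerable ranges in Fortinet PSIRT advisory FG-IR-24-535, and a scan of FortiOS event-log lines for the indicators Fortinet described (a successful admin login with ui="jsconsole" from a source address that is not the device itself, and admin accounts added through jsconsole). The log lines are constructed for the example using documentation IP ranges and an invented account name; the allowlist of trusted management addresses is an assumption you fill in for your own network.

```python
"""Triage helpers for CVE-2024-55591 / CVE-2025-24472 (FortiOS & FortiProxy auth bypass).

Added example, not Forescout's or Fortinet's code.  Version ranges follow Fortinet
PSIRT advisory FG-IR-24-535; the log indicators follow the same advisory.  Sample
log lines below are constructed (documentation IP ranges, invented account name).
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable

# Vulnerable version ranges (inclusive) per FG-IR-24-535.  Other FortiOS trains
# (7.2, 7.4, 7.6) are not affected by these two CVEs.
AFFECTED = {
    "FortiOS":    [((7, 0, 0), (7, 0, 16))],                           # fixed in 7.0.17
    "FortiProxy": [((7, 0, 0), (7, 0, 19)), ((7, 2, 0), (7, 2, 12))],  # fixed in 7.0.20 / 7.2.13
}

_VERSION = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")    # accepts "v7.0.15,build0632" from `get system status`
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')     # FortiOS log format: key="quoted" or key=bare


def parse_version(version: str) -> tuple[int, int, int]:
    """Turn '7.0.15' or 'v7.0.15,build0632' into (7, 0, 15); build numbers are ignored."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def is_affected(product: str, version: str) -> bool:
    """True if product/version lies inside a vulnerable range for these CVEs."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED[product])


def parse_fortios_log(line: str) -> dict[str, str]:
    """Parse one FortiOS key=value log line into a dict (quoted and bare values)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def _is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:          # missing or malformed srcip: treat as untrusted
        return False


@dataclass
class Finding:
    reason: str
    user: str
    srcip: str
    line: str


def scan_fortios_logs(lines: Iterable[str], trusted_sources: frozenset[str] = frozenset()) -> list[Finding]:
    """Return suspicious admin events.  trusted_sources is the (assumed) set of
    management addresses from which admins legitimately open the GUI CLI console."""
    findings: list[Finding] = []
    for line in lines:
        rec = parse_fortios_log(line)
        if rec.get("type") != "event" or rec.get("subtype") != "system":
            continue
        ui, src = rec.get("ui", ""), rec.get("srcip", "")
        # Exploit-driven logins are logged with ui="jsconsole" and attacker-chosen srcip/dstip.
        if (rec.get("logdesc") == "Admin login successful" and rec.get("status") == "success"
                and ui.startswith("jsconsole") and not _is_loopback(src) and src not in trusted_sources):
            findings.append(Finding("jsconsole admin login from untrusted source", rec.get("user", ""), src, line))
        # Post-exploitation: a new system.admin object added through jsconsole.
        if (rec.get("logdesc") == "Object attribute configured" and rec.get("cfgpath") == "system.admin"
                and rec.get("action") == "Add" and ui.startswith("jsconsole")):
            findings.append(Finding("admin account added via jsconsole", rec.get("cfgobj", ""), src, line))
    return findings


# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = [
    # legitimate: admin opened the GUI CLI console from the management LAN
    'date=2025-03-10 time=09:12:01 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # suspicious: jsconsole login carrying arbitrary public srcip/dstip
    'date=2025-03-10 time=09:13:44 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="jsconsole" method="jsconsole" srcip=203.0.113.7 dstip=198.51.100.9 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from jsconsole"',
    # suspicious: new super_admin account created from jsconsole (account name invented)
    'date=2025-03-10 time=09:14:02 type="event" subtype="system" level="information" vd="root" logdesc="Object attribute configured" user="admin" ui="jsconsole(127.0.0.1)" action="Add" cfgtid=1411317760 cfgpath="system.admin" cfgobj="svc-backup" cfgattr="password[*]accprofile[super_admin]vdom[root]" msg="Add system.admin svc-backup"',
    # normal HTTPS GUI login, not jsconsole
    'date=2025-03-10 time=09:20:00 type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" user="admin" ui="https(10.0.0.5)" method="https" srcip=10.0.0.5 dstip=10.0.0.1 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from https(10.0.0.5)"',
]

if __name__ == "__main__":
    print("FortiOS v7.0.15 affected:", is_affected("FortiOS", "v7.0.15,build0632"))
    for f in scan_fortios_logs(SAMPLE_LOGS, trusted_sources=frozenset({"10.0.0.5"})):
        print(f"[{f.reason}] user={f.user} srcip={f.srcip or '-'}")
```

Run it against an export of the device's event log (`execute log filter category 1` then `execute log display`, or the syslog feed) rather than the sample list. A hit on the second rule on a device that was in the vulnerable range should be handled as a compromise: remove the account, rotate admin credentials, and look for the configuration changes that typically follow, not just patch.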