Unit 42, the threat intelligence division of Palo Alto Networks, has published its report on extortion and ransomware trends for the first quarter of 2025. The document offers a detailed view of the global threat landscape, supported by quantitative data and by qualitative analysis of real incidents.
Among the most troubling findings of the study is the detection, for the first time, of direct collaboration between ransomware gangs and a state actor: the North Korean regime. This alliance marks a turning point in the evolution of organized cybercrime. According to Unit 42, the North Korean group reportedly took an active part in extortion campaigns, which suggests a hybrid strategy blending cybercrime and cyberespionage.
“The fact that a government is actively involved in ransomware operations represents an unprecedented threat to the global private sector,” the report warns.
Beyond state involvement, Palo Alto Networks researchers highlight an increase in deception tactics and psychological pressure. In some cases, attackers have mailed physical ransom notes to the homes of senior executives, despite there being no evidence of an actual breach. These simulated extortion campaigns are backed by fabricated data, which shows the growing sophistication of social engineering methods.
Clear targets and more aggressive ransomware techniques
The research also notes that the United States remains the country most affected by this type of threat, followed by Canada, the United Kingdom and Germany. By sector, manufacturing continues to be the primary target of cybercriminals, although significant attacks have also been reported against technology and healthcare companies.
The research reveals unprecedented collaboration between criminal gangs and governments, as well as sophisticated forms of extortion aimed at companies around the world.
Another focus of concern is the growing use of tools known as “EDR killers”, designed to disable security sensors on endpoints. Added to this is a rise in attacks against cloud infrastructure, which calls into question how prepared many organizations are for increasingly distributed and sophisticated threats.
Fake identities and insider threats: the new face of corporate espionage
The report also documents a worrying resurgence in the creation of fictitious identities with the help of artificial intelligence. These are used to impersonate remote workers and gain access to corporate environments in order to steal intellectual property or source code. In several incidents, North Korean operatives reportedly infiltrated international companies by posing as external developers.
“We are seeing how insider threats, driven by fake identities, are becoming a crucial attack vector for the most advanced adversaries,” Unit 42 warns.
Defense recommendations
Faced with this landscape, Palo Alto Networks stresses the importance of adopting a comprehensive cybersecurity approach. Among its proposals is the use of its next-generation firewalls and the Cortex platform for automated incident detection and response. The company also makes its ransomware readiness assessment available to organizations, a tool designed to identify vulnerabilities and strengthen the critical points of their digital infrastructure.
The report concludes with a clear warning: ransomware has ceased to be an isolated cybercriminal business and has become a geopolitical instrument. In this new scenario, collaboration between state and criminal actors demands an equally coordinated response from the public and private sectors.