Full Report
The number of extortion-related cyberattacks increased by roughly 63% in 2025 to 6,800, according to Intel 471’s report, which is based on data from the company’s analysis of dark-web forums. The previous year saw the “rapid ascension” of the Qilin ransomware gang, Intel 471 said, although the Sp1d3r Hunters alliance (composed of Scattered Spider, LAPSUS$ and ShinyHunters…
Analysis Summary
# Industry News: Extortion Attacks Surge 63% as Threat Actors Pivot to Supply Chain Vulnerabilities
## Summary
A new report from Intel 471 reveals a dramatic 63% increase in extortion-related cyberattacks during 2025, reaching a total of 6,800 documented cases. The surge is characterized by a strategic shift toward supply-chain exploitation, where hackers target managed service providers (MSPs) and software vendors to gain downstream access to lucrative corporate targets.
## Key Details
- **Date:** February 12, 2026 (Report covering 2025 data)
- **Companies Involved:** Intel 471 (Analyst firm); Qilin, Cl0p, and Sp1d3r Hunters (Threat groups); Cleo and Salesloft (Affected vendors)
- **Category:** Market Analysis | Threat Intelligence
## The Story
The cybersecurity landscape in 2025 was defined by the "rapid ascension" of the Qilin ransomware group and the continued dominance of established entities like Cl0p and the "Sp1d3r Hunters" alliance—a formidable coalition consisting of Scattered Spider, LAPSUS$, and ShinyHunters.
According to Intel 471’s analysis of dark-web forums, the industry is witnessing a pivot in attacker methodology. Rather than attacking well-defended perimeters directly, threat actors are increasingly prioritizing "trust-based" attacks. By infiltrating a single contractor or IT service provider, attackers can bypass the robust defenses of hundreds of downstream clients simultaneously. High-profile examples from the past year include a Qilin campaign that compromised 20 South Korean companies via a single IT provider, and major breaches at vendors Cleo and Salesloft that facilitated significant secondary intrusions.
## Business Impact
### For the Companies Involved
- **Intel 471:** Solidifies its position as a primary source for dark-web telemetry and trend forecasting.
- **Affected Vendors (Cleo/Salesloft):** Face significant reputational damage, potential churn, and long-term legal/remediation costs following downstream customer compromises.
### For Competitors
- **In the Security Sector:** Managed Detection and Response (MDR) and Supply Chain Risk Management (SCRM) providers will likely see increased demand as businesses scramble to audit their third-party risks.
- **In the Software Industry:** Small-to-midsize SaaS providers must now treat security as a primary competitive differentiator or risk being "blacklisted" by risk-averse enterprise procurement teams.
### For Customers
- **End Users:** Face increased risk of data exposure through secondary breaches where they have no direct control over the security posture of the compromised vendor.
- **Procurement Teams:** Will likely face more rigorous (and expensive) vendor due diligence requirements and an increase in cybersecurity insurance premiums.
### For the Market
- **Market Dynamics:** The 63% growth in extortion indicates that the "ransomware-as-a-service" business model is highly resilient and expanding despite international law enforcement efforts.
- **Supply Chain Fragility:** The "concentration of risk" in a few major software vendors/MSPs is now a systemic economic concern.
## Technical Implications
The report highlights the shift from "brute force" to "identity and trust" exploitation. Attackers are leveraging vulnerabilities in contractor products to "live off the land," using legitimate administrative tools and established access pathways to move laterally without triggering traditional perimeter alerts.
## Strategic Analysis
- **Market Positioning:** Threat actors are positioning themselves as "aggregator" attackers, seeking high-leverage points in the global supply chain to maximize ROI.
- **Competitive Advantage:** For businesses, a transparent and "audit-ready" security posture is becoming a critical strategic advantage in B2B sales.
- **Challenges:** The primary obstacle is the "transparency gap"—most companies have limited visibility into the security practices of their fourth-party and nth-party partners.
## Industry Reactions
- **Analyst Opinions:** Security analysts emphasize that "trust is the new attack surface," suggesting that traditional castle-and-moat defense strategies are officially obsolete.
- **Market Response:** There is an expected uptick in investment for "Zero Trust" architectures and automated third-party risk assessment tools.
## Future Outlook
- **Predictions:** Expect the "Sp1d3r Hunters" alliance model (multi-group collaboration) to become the standard for high-complexity attacks.
- **What to watch for:** Increased regulatory pressure on software vendors to maintain "Software Bills of Materials" (SBOMs) and to be held liable for downstream security failures.
## For Security Professionals
Practitioners should shift focus from internal perimeter defense to **Third-Party Risk Management (TPRM)** and **Incident Response (IR)** for supply chain scenarios. Hardening the identity layer (MFA, privileged access management) is critical, as attackers are increasingly using legitimate vendor credentials to gain entry. Compliance teams should prepare for more intensive audits regarding how they vet and monitor their service providers' access to their internal environments.