Full Report
Check Point Software has released a report showing that ransomware accounted for 58% of recorded cyber incidents in Singapore. The findings are based on more than 130 major incidents logged in 2025. The report describes a threat environment shaped by ransomware, distributed denial-of-service attacks and data breaches across public and private sector organisations. Attackers increasingly used double-extortion tactics, stealing data before encrypting systems to increase pressure on victims to pay. The groups identified include Qilin and Lynx, which were prominent in ransomware activity affecting Singapore. In one incident cited, a local chemical manufacturer allegedly lost 165 GB of sensitive data to Qilin.
Analysis Summary
# Incident Report: Ransomware Surge in Singapore (2025 Retrospective)
## Executive Summary
In 2025, ransomware accounted for 58% of the more than 130 major cyber incidents Check Point recorded in Singapore. The activity was dominated by double-extortion tactics, with data stolen before systems were encrypted to increase pressure to pay, and the groups named as most prominent were Qilin and Lynx, affecting both public and private sector organisations. The most concrete example cited is the alleged theft of 165 GB of sensitive data from a local chemical manufacturer by Qilin.
## Incident Details
- **Discovery Date:** Various (Reported across 2025)
- **Incident Date:** Calendar Year 2025
- **Affected Organization:** Multiple (Including a Local Chemical Manufacturer)
- **Sector:** Public Sector, Manufacturing, and Private Enterprises
- **Geography:** Singapore
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing through 2025
- **Vector:** Not detailed in the report; no specific phishing campaign, credential theft or exploited vulnerability is attributed to the Singapore incidents.
- **Details:** The report counts more than 130 major incidents across public and private sector organisations; it does not equate incidents with distinct victims.
### Lateral Movement
- Not specified in the report.
### Data Exfiltration/Impact
- **Chemical Manufacturer Incident:** Qilin allegedly extracted 165 GB of sensitive data; the report does not characterise the data further.
- **Broad Impact:** Encryption of systems coupled with the threat of leaking stolen data (Double Extortion).
### Detection & Response
- **How it was discovered:** Compiled by Check Point from incidents logged during 2025; the report does not say how individual incidents were detected.
- **Response actions taken:** Not described in the report.
## Attack Methodology
- **Initial Access and Persistence:** Not detailed in the report; no exploited vulnerability, credential-theft campaign or remote-access tooling is attributed to the Singapore incidents.
- **Exfiltration:** Data stolen before encryption; in the chemical manufacturer case, allegedly 165 GB taken by Qilin.
- **Impact:** System encryption combined with the threat to leak the stolen data (double extortion). DDoS attacks appear in the report as a separate incident category alongside ransomware and data breaches, not as a documented follow-on extortion step.
## Impact Assessment
- **Financial:** Not quantified in the report; exposure includes ransom demands and recovery costs.
- **Data Breach:** Loss of sensitive data, characterised no further by the report (165 GB in the chemical manufacturer case).
- **Operational:** Not quantified; encryption of systems disrupts operations at affected public and private sector organisations.
- **Reputational:** Public disclosure of incidents; the report counts more than 130 major incidents, not 130 named organisations.
## Indicators of Compromise
- **Network indicators:** None are published in the report summary; no Qilin or Lynx infrastructure is listed, so current indicators must come from threat intelligence feeds rather than this page.
- **Behavioral indicators:** Bulk outbound transfers to external storage in the hours before encryption; hosts whose log forwarding stops while they remain active on the network.
## Response Actions
- **Containment:** Isolate affected segments from the internet and from the rest of the network (standard practice; the report does not describe per-incident actions).
- **Eradication:** Rebuild compromised servers from known-good images and rotate credentials, including privileged and service accounts.
- **Recovery:** Restore services from backups that are offline or immutable and verified to be unencrypted before use.
## Lessons Learned
- **Double Extortion is the Standard:** Backups restore availability but do nothing for confidentiality; once data has been stolen before encryption, the leak threat survives a clean recovery.
- **Regional Targeting:** Qilin and Lynx were the groups most prominent in ransomware activity affecting Singapore in 2025.
- **Sector Vulnerability:** Industrial and manufacturing sectors require enhanced monitoring for large-scale data exfiltration.
## Recommendations
- **Implement Egress Filtering:** Allowlist approved external destinations at the perimeter, alert on large outbound transfers to anything else, and block non-allowlisted destinations for hosts with no business need for them.
- **Adopt Zero Trust Architecture:** Minimize lateral movement by strictly controlling access between network segments.
- **DDoS Protection:** DDoS attacks are a distinct incident category in the report; keep scrubbing or upstream mitigation in place for internet-facing services.
- **Employee Training:** Continuous simulation of phishing and social engineering attacks to harden the human perimeter.
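As an added example that is not part of the Check Point report or this page, the following Python script implements the two behavioural indicators listed under Indicators of Compromise (bulk outbound transfers to non-allowlisted external destinations, and hosts whose logging stops) together with the egress monitoring recommended above, and correlates the two so that a host doing both is raised first. The flow records, log heartbeats, host names, domains, allowlist, 50 GiB threshold and 30-minute silence window are all constructed assumptions for illustration.

```python
"""Egress-volume and log-silence detection over constructed telemetry.

Added example: the record formats, hosts, domains, allowlist and thresholds
below are assumptions for illustration, not data from the Check Point report.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, source host, dest IP, dest domain or None, bytes out).
# Destination IPs use documentation ranges (TEST-NET) to stand in for real external addresses.
FLOWS = [
    ("2025-06-01T01:00:00", "plc-hist-01", "203.0.113.10", "backup.example-corp.sg", 400_000_000),
    ("2025-06-01T01:10:00", "eng-ws-07", "198.51.100.25", "files.megastorage.example", 60_000_000_000),
    ("2025-06-01T01:15:00", "eng-ws-07", "198.51.100.25", "files.megastorage.example", 45_000_000_000),
    ("2025-06-01T01:20:00", "eng-ws-07", "198.51.100.25", "files.megastorage.example", 60_000_000_000),
    ("2025-06-01T02:00:00", "fileserver-02", "10.20.0.5", None, 300_000_000_000),
    ("2025-06-01T02:05:00", "eng-ws-12", "192.0.2.77", "updates.vendor.example", 2_000_000_000),
]

# Constructed log heartbeats: (timestamp, host) for each event received from a host's log forwarder.
LOG_HEARTBEATS = [
    ("2025-06-01T01:05:00", "eng-ws-07"),
    ("2025-06-01T01:18:00", "eng-ws-07"),
    ("2025-06-01T02:55:00", "eng-ws-12"),
    ("2025-06-01T02:58:00", "fileserver-02"),
    ("2025-06-01T02:59:00", "plc-hist-01"),
]
NOW = "2025-06-01T03:00:00"

# RFC 1918 ranges are listed explicitly rather than via ip_address().is_private, because
# is_private also treats the TEST-NET documentation ranges used above as non-global.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOWLIST = {"backup.example-corp.sg", "updates.vendor.example"}  # assumed approved destinations
EGRESS_THRESHOLD_BYTES = 50 * 1024**3   # assumed policy: 50 GiB per host per destination per window
MAX_LOG_SILENCE = timedelta(minutes=30)  # assumed: hosts normally log at least every 30 minutes


def is_external(ip: str) -> bool:
    """True when the address is outside the RFC 1918 internal ranges."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def egress_alerts(flows, allowlist=EGRESS_ALLOWLIST, threshold=EGRESS_THRESHOLD_BYTES):
    """Sum outbound bytes per (host, external destination) and return the pairs above
    threshold whose destination is not on the allowlist, sorted for stable output."""
    totals = defaultdict(int)
    for _ts, host, dst_ip, dst_domain, nbytes in flows:
        if not is_external(dst_ip):
            continue  # internal-to-internal copies are a lateral-movement question, not egress
        dest = dst_domain or dst_ip
        if dest in allowlist:
            continue
        totals[(host, dest)] += nbytes
    return sorted((host, dest, total) for (host, dest), total in totals.items() if total >= threshold)


def silent_hosts(heartbeats, now, max_silence=MAX_LOG_SILENCE, expected_hosts=None):
    """Hosts whose most recent log event is older than max_silence. If expected_hosts
    is given, hosts that never sent a heartbeat at all are flagged too."""
    last_seen = {}
    for ts, host in heartbeats:
        t = datetime.fromisoformat(ts)
        if host not in last_seen or t > last_seen[host]:
            last_seen[host] = t
    now_t = datetime.fromisoformat(now)
    quiet = {h for h, t in last_seen.items() if now_t - t > max_silence}
    if expected_hosts is not None:
        quiet |= set(expected_hosts) - set(last_seen)
    return sorted(quiet)


def correlate(flows, heartbeats, now):
    """Hosts that both exceeded the egress threshold and stopped logging: the
    combination is a stronger exfiltration signal than either indicator alone."""
    noisy = {host for host, _dest, _total in egress_alerts(flows)}
    quiet = set(silent_hosts(heartbeats, now, expected_hosts={f[1] for f in flows}))
    return sorted(noisy & quiet)


if __name__ == "__main__":
    for host, dest, total in egress_alerts(FLOWS):
        print(f"EGRESS   {host} -> {dest}: {total / 1024**3:.1f} GiB to a non-allowlisted destination")
    for host in silent_hosts(LOG_HEARTBEATS, NOW, expected_hosts={f[1] for f in FLOWS}):
        print(f"SILENT   {host}: no log events for more than {MAX_LOG_SILENCE}")
    for host in correlate(FLOWS, LOG_HEARTBEATS, NOW):
        print(f"PRIORITY {host}: bulk unauthorised egress while logging has stopped")
```

On the constructed data only `eng-ws-07` is raised: its three transfers to a non-allowlisted storage domain sum to 165 GB, and its log forwarder fell silent shortly after they began. The large internal copy from `fileserver-02` is deliberately ignored here because it is not egress, and the transfer to the allowlisted update server is not alerted on regardless of size. This script is the monitoring half of egress filtering; a strict policy would additionally deny non-allowlisted destinations at the perimeter so the transfer never completes.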