Ransomware groups surge as automation cuts attack time to 18 mins
ReliaQuest has released a detailed report analysing the key factors driving the success of ransomware-as-a-service (RaaS) groups in the current cybercrime landscape.
Automation's growing role
The research points to workflow automation, attack customization, and advanced tooling as the principal components underpinning highly effective ransomware operations. ReliaQuest found that 80% of analysed RaaS groups incorporate automation or artificial intelligence into their attack platforms, resulting in significant increases in attack speed and reduced response windows for defenders.
According to the report, the average breakout time, the window between initial access and lateral movement across a network, has fallen from 48 minutes in 2024 to just 18 minutes between June and August 2025. This accelerated pace leaves security teams with markedly less time to identify, analyse, and contain attacks before ransomware is deployed.
ReliaQuest's customer data shows that the mean time to contain (MTTC) attacks for teams using manual defence strategies remains at eight hours, a figure that greatly increases the risk of data theft and operational downtime.
"Automation, and the speed it offers, ultimately makes attacks more likely to succeed: Attackers can quickly compromise more endpoints, giving defenders less time to alert, analyze, and contain before ransomware deployment. This shrinking window is especially dangerous, given our customer data indicates that the mean time to contain (MTTC) attacks for security teams relying solely on manual strategies is eight hours. This delay could lead to significant data theft and business downtime and highlights the need for defensive automations that keep pace with attackers."
Impact of customisation and advanced tools
Customisation options, such as selectable encryption modes and targeted data prioritisation, are present in 60% of the groups surveyed. These options allow affiliates to tune an attack toward either speed of disruption or completeness of encryption, making incident recovery more challenging for victim organisations.
Advanced tools, including endpoint detection and response (EDR) bypass scripts and automated log and backup deletion, are offered by only half of the monitored groups. These tools enhance the capability of ransomware groups to disable security measures and enforce extortion demands by denying victims the option of system restoration.
ReliaQuest highlights that groups combining all three features (automation, customisation, and advanced tooling) are most successful in attracting skilled affiliates capable of compromising even well-defended enterprises. Fewer than half of RaaS groups deliver the complete range of capabilities observed in market leaders.
Top-tier groups and emerging threats
One example cited is the group Qilin, which leads current victim counts on data-leak sites, attributed to its comprehensive set of features:
"Qilin exemplifies the RaaS recipe for success, rising to become the most dominant ransomware group in the second and third quarters of 2025 (in terms of data-leak site victim count). This success is highly likely driven by its platform offering the market's strongest combination of automation, customization, and advanced features. By providing such a powerful toolkit, Qilin likely attracts a higher number of skilled affiliates, who in turn probably execute more successful attacks against well-defended targets. This cycle of attracting top talent and achieving results has cemented Qilin's position at the top of the ransomware charts, demonstrating how a sophisticated offering creates a more formidable threat that is much harder for businesses to defend against."
The report details specific advanced capabilities advertised by Qilin, including automated Safe Mode execution, selectable encryption modes, and backup and log deletion, all designed to increase attack effectiveness and hinder defensive efforts.
The ransomware group LockBit has recently introduced "LockBit 5.0", reportedly incorporating artificial intelligence for attack randomisation and enhanced targeting options, with a focus on regaining its previous position atop the ransomware ecosystem. Medusa, by contrast, was noted to have fallen behind due in part to lacking widespread automated and customisable features, despite previous activity levels.
ReliaQuest's analysis predicts the rise of new groups through the lens of its three-factor model, specifically naming "The Gentlemen" and "DragonForce" as likely to become major threats due to their adoption of advanced technical capabilities. The Gentlemen, for instance, has listed over 30 victims on its data-leak site within its first month of activity, underpinned by automation, prioritised encryption, and endpoint discovery for rapid lateral movement.
Conversely, groups such as "Chaos" and "Nova" are likely to remain minor players, lacking the integral features associated with higher victim counts and affiliate recruitment. Chaos and Nova average just two and six victims per month, according to public data-leak site listings.
Defensive recommendations
ReliaQuest's report recommends that organisations focus defences not on the names of specific groups, but on common tactics, techniques, and procedures (TTPs) shared across the RaaS ecosystem.
Key recommended measures include the implementation of automated response playbooks to match the speed of automated attack chains, network segmentation to limit the impact of targeted attacks, and layered security strategies to maintain detection and investigation capabilities even if some controls are disabled or bypassed.
"Fight Automation with Automation: RaaS groups now use automation to reduce breakout times to as little as 18 minutes, making manual intervention too slow. Implement automated containment and response plays to keep pace with attackers. These workflows should automatically isolate hosts, block malicious files, and disable compromised accounts quickly after a critical detection, containing the threat before ransomware can be deployed."
The report further advises that network segmentation can help neutralise the impact of custom ransomware deployments by slowing attacker movement and restricting access to critical data, while forwarding logs to secure locations and monitoring for signs of tool or log manipulation can provide early warnings of attack activity.
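The two recommendations above, monitoring for backup and log manipulation and wiring a critical detection into an automated containment play, can be illustrated with a small detector over process-creation telemetry. The following is an added example, not code from ReliaQuest or from the report: the events are constructed (Sysmon Event ID 1 style, with made-up hosts, accounts and timestamps), the command-line patterns are the author's assumptions about how shadow-copy deletion, recovery disabling, Safe Mode boot and event-log clearing typically appear, and the containment plan only names the hosts and accounts an automated play would isolate and disable; it calls no EDR or directory API.

```python
import re
from dataclasses import dataclass

# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# Two of them are benign look-alikes (listing shadows, querying the Security log)
# that a sloppy rule would false-positive on.
SAMPLE_EVENTS = [
    {"ts": "2025-07-14T09:02:11Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmd": "C:\\Windows\\System32\\vssadmin.exe list shadows"},
    {"ts": "2025-07-14T09:05:47Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-07-14T09:06:02Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmd": "bcdedit.exe /set {default} recoveryenabled no"},
    {"ts": "2025-07-14T09:06:30Z", "host": "WS-0412", "user": "CORP\\jdoe",
     "cmd": "bcdedit.exe /set {default} safeboot minimal"},
    {"ts": "2025-07-14T09:07:15Z", "host": "SRV-FS01", "user": "CORP\\svc_backup",
     "cmd": "wevtutil.exe cl Security"},
    {"ts": "2025-07-14T09:10:00Z", "host": "SRV-FS01", "user": "CORP\\admin",
     "cmd": "wevtutil.exe qe Security /c:10 /f:text"},
]

# Each rule maps a command-line pattern to the RaaS tactic it indicates. The patterns
# are assumptions about the usual command-line shape of these tactics, not vendor rules.
# Rules are keyed on the tactic, not on any group, so they apply across the ecosystem.
RULES = [
    ("backup_deletion", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("backup_deletion", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("backup_deletion", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("safe_mode_boot", re.compile(r"\bbcdedit(\.exe)?\b.*\bsafeboot\b", re.I)),
    ("log_clearing", re.compile(r"\bwevtutil(\.exe)?\s+(cl|clear-log)\b", re.I)),
    ("log_clearing", re.compile(r"\bClear-EventLog\b", re.I)),
]


@dataclass
class Alert:
    ts: str
    host: str
    user: str
    tactic: str
    cmd: str


def match_rules(cmd: str) -> list[str]:
    """Return the distinct tactics whose pattern matches one command line, in rule order."""
    hits: list[str] = []
    for tactic, pattern in RULES:
        if pattern.search(cmd) and tactic not in hits:
            hits.append(tactic)
    return hits


def detect(events) -> list[Alert]:
    """Run every rule over every event and emit one Alert per (event, tactic) hit."""
    alerts: list[Alert] = []
    for ev in events:
        for tactic in match_rules(ev["cmd"]):
            alerts.append(Alert(ev["ts"], ev["host"], ev["user"], tactic, ev["cmd"]))
    return alerts


def containment_plan(alerts) -> dict:
    """Hypothetical automated play: each alerting host is isolated and each account
    that ran the command is disabled. Returns the targets; a real play would hand
    these to the EDR and identity provider instead of returning them."""
    return {
        "isolate_hosts": sorted({a.host for a in alerts}),
        "disable_accounts": sorted({a.user for a in alerts}),
    }


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.ts} {a.host} {a.user} {a.tactic}: {a.cmd}")
    print(containment_plan(found))
```

The point of the two benign events is that the rules key on the destructive verb (`delete`, `cl`, `recoveryenabled no`) rather than on the binary name, so routine administration does not trip the play; the point of feeding the alerts straight into `containment_plan` is that nothing in the chain waits for a human, which is what an 18-minute breakout time demands. Forwarding these events to a collector the attacker cannot clear is what makes the `log_clearing` rule useful at all: once `wevtutil cl` has run, the only copy of the evidence is the one that already left the host.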
The analysis suggests that by proactively deploying such defensive measures and focusing on evolving attacker methodologies, organisations can better defend against both established and emerging ransomware threats in today's rapidly shifting cybercrime environment.