In recent days, the 360 Digital Security Group issued the Ransomware Prevalence Report 2025 (hereinafter referred to as the “report”). The report draws on data from the group's monitoring, analysis and handling of ransomware incidents throughout 2025, integrated with domestic and international security situation data, authoritative studies and information on international hotspot events, and was issued after a comprehensive review. It is based on an in-depth analysis of the characteristics, evolution patterns and trends of ransomware, and systematically deconstructs the evolutionary logic of the ecosystem chain behind it. It is designed to help government and business institutions build a systematic defence capability covering “monitoring and early warning, emergency response, long-term protection”, providing strong practical guidance and strategic support for digital security.
Ransomware spread remains stable
Encryption technology shifts toward performance
The report shows that in 2025 the spread of ransomware in China generally continued the relative calm that had prevailed since 2024. New ransomware families continued to emerge and traditional groups continued to attack frequently, threatening individuals, businesses and government institutions, but no single ransomware triggered a large-scale outbreak in the short term. This has benefited from the continuous upgrading of security vendors' technical capabilities and from coordinated responses, as well as from the increased general security awareness of all categories of users.
Over the past year, 360, supported by its self-developed security agent swarm, cumulatively handled over 2,179 ransomware attack cases and identified 84 new ransomware families, about half of which were multi-extortion families. It added decryption support for eight ransomware strains, seven of which were global exclusives, protected nearly 2.16 million devices from intrusion and intercepted a total of over 1.2 billion weak passwords.

In terms of the distribution of ransomware families, the PC side remains dominated by three veteran families, Weaxor, LockBit and Wmansvcs, and their variants. Weaxor has stayed at the top of the dissemination list, spreading by means such as exploiting web vulnerabilities, and raises its success rate by combining kernel-level confrontation techniques driven by vulnerabilities during the attack; Wmansvcs has taken over the Phobos mode of transmission, mainly through brute-force attacks against remote desktop; LockBit returned at the end of the year with version 5.0 and has introduced collaboration with third-party cybercrime groups to further expand its threat ecosystem.

In addition, the report notes that mainstream ransomware families generally use symmetric encryption to process large-scale file data and asymmetric or elliptic-curve algorithms to protect the keys, forming a multi-level encryption scheme that balances strength and efficiency. The focus of evolution is shifting from scheme design to optimizing implementation efficiency, in order to increase encryption speed and reduce the risk of exposure.
In terms of dissemination, ransomware continues to spread mainly through remote desktops and vulnerabilities, which alone account for nearly 80 per cent of the total. Remote desktop intrusion is still the main route leading to ransomware infection, but its lead is shrinking and the share of vulnerability exploitation is now very close. Remote desktop attacks continued to occur at a high level, mainly as a result of a mature intrusion tool chain, coupled with a large number of small and medium-sized enterprises (SMEs) and an increasing number of household users opening the relevant ports on the public internet without effective protection.

At the same time, attacks that exploit vulnerabilities, mainly targeting the security weaknesses of web applications and various management systems, have become an important, rapidly growing and damaging channel in the current spread of ransomware.
Double extortion has become the norm
The attack ecosystem moves toward alliances
Because data is a core asset of the enterprise, its leakage not only results in economic losses but also affects reputation, compliance and business continuity. Against this background, the current pattern of ransomware attacks has evolved from purely encrypting data to a compound strategy of multiple coercion.
The report shows that there were 122 active ransomware families involved in double/multiple extortion in 2025, an increase of nearly 30 per cent over 2024. Of these, the top 10 families still dominate, but the share held by newer families has risen significantly and shows a clear long-tail distribution.

Compared to last year, data leaks in 2025 were highly concentrated in services and manufacturing, followed by construction, health and finance. This change stems from ransomware attacks increasingly focusing on large and medium-sized enterprises with large numbers of devices and high data value. In addition, education, energy and other sectors are among the top 10, highlighting the urgent need to strengthen ransomware protection in these areas. United States enterprises are at the top of the list, with more than half of the publicly known extorted enterprises, as well as some 1.46 per cent.

Monitoring by the 360 security agents shows that 40 additional ransomware families introduced a double/multiple extortion model during 2025, indicating that the model is spreading. At the same time, there has been an overall downward trend in ransom demands, which have fallen from the general level of tens of millions of dollars last year to millions of dollars. Even in attacks against large businesses, such as BlackCat's extortion of United States global health services, the ransom is contained at $22 million, reflecting more rational ransom pricing.
At the same time, the report concludes that the evolution of ransomware in 2025 is characterized by the following patterns: ecosystem collaboration, rather than the code itself, has become the key to sustaining a family; the line between brands, gangs and developers is becoming increasingly blurred; and the main battlefield of attacks is shifting towards cloud environments, ESXi and SaaS services. In the future, the ransomware ecosystem may appear more in the form of “coalitions” than as independent families.

Ransomware targets focus on government and business institutions
Encryption threats target databases
According to 360 statistics, the geographical distribution of ransomware attacks in 2025 remained stable and was concentrated in regions with a more developed digital economy and dense populations. The three most affected areas, Guangdong, Beijing and Zhejiang, indicate the continued and heightened threat to developed regions.

Manufacturing, internet and software services, and services are the three most vulnerable sectors, and the list also includes health. These sectors are generally characterized by a high level of digitization, high-value data assets and a high willingness to pay, so they face greater exposure and ransomware risk and are the object of sustained focus by attackers.

The top three attacked operating systems were Windows 10, Windows Server 2012 and 2008. Windows 10, while still holding the largest share, was significantly lower than in 2024, mainly because it is reaching the end of its life cycle and because attacks are tilting towards government servers.

By operating system type, the overall share of desktop PCs also decreased, to 55.31 per cent, while attacks against Linux and NAS systems remained stable but low. This change reflects the continuing shift of ransomware attacks towards servers and government targets and the need for institutions to further enhance their security protection.

Compared to last year, databases and office files remain the two most important types of data encrypted for victims, but their order has changed: databases now rank first, with a significant lead. This change is closely related to the rising rate of attacks on government and business institutions, as a large amount of operational data is stored in databases and the relevant professional software generally depends on databases for data transfer and management.

AI-driven attack upgrades
360 security agents enable global protection
Based on an in-depth analysis of the spread and evolution of ransomware in 2025, the report further examines future trends and proposes defensive responses.
First, AI is comprehensively reshaping the pattern of ransomware attacks, moving from an auxiliary tool to a core engine. The attack side builds on large models and automation to achieve intelligent customization of the attack chain and autonomous penetration across the entire process, giving ransomware dynamic evasion and precision-strike capabilities, while the defensive side relies on AI model-driven threat detection, behaviour analysis and automated response to upgrade the security system from rule-based to intelligent analysis. At the same time, AI has significantly lowered the threshold for applying advanced security capabilities and has helped businesses respond to increasingly intelligent ransomware threats, marking the formal start of a new stage of confrontation driven by artificial intelligence.
Second, attack groups are becoming more specialized and systematic, with small and medium-sized enterprises becoming high-frequency targets. The attack groups operate in a way that is closer to the “quasi-red-team” model, employing structured intrusion tactics and modular tool chains, and the RaaS model has matured and even introduced KPI and revenue-split mechanisms, driving attacks towards industrialization. At the same time, the weaponization of n-day vulnerabilities has sped up significantly, with the time from disclosure to exploitation down to an average of seven days, making small and medium-sized enterprises with weak patch management the main victims. Faced with professional attacks and a lack of in-house capacity, an increasing number of enterprises are moving towards managed security services (MSS) and SaaS protection offerings, making the outsourcing of security capabilities a mainstream response.
Third, in the ongoing confrontation with ransomware, innovation is the central driving force for breaking the balance between offence and defence and for driving defence systems to achieve systemic leaps. The future ransomware confrontation will be a contest of AI deployment speed and defence-system resilience. Instead of relying on a single security product, the vast majority of government and business institutions need to construct a unified security operations system with AI at its core, covering endpoints, networks, applications and cloud environments.
As a leader in digital security, the 360 Digital Security Group has worked for many years on protection against ransomware. Drawing on the vast security data accumulated over the past 20 years, its experience of real-world confrontation and the strength of its world-class security expert team, 360 has innovatively built a “security agent swarm” system that relies on the capabilities of its large security model.
The system consolidates the capabilities and experience of security specialists and integrates endpoint security agents in dozens of vertical categories, such as ransomware, phishing email detection and endpoint virus detection. Through the coordinated operation of these security agents, the system not only allows automated, millisecond-level threat identification and handling, but also targeted screening for ransomware at each of its main nodes before, during and after the attack, helping a broad range of government and business institutions build the capacity to protect against ransomware in the AI era.

Ransomware cannot get in: 360 security probes are deployed on the endpoint side and the traffic side, monitoring threats in real time through active defence capabilities such as internet access detection. Once a virus alert is triggered, the endpoint security agent automatically collects samples, quickly completes family identification of the virus and conducts in-depth threat intelligence analysis, synchronizing threat levels and handling results in real time and achieving precise detection and interception at the entry stage.
Ransomware cannot spread: the endpoint defence agent is capable of responding to the abnormal encryption and lateral movement attacks of ransomware, conducting intelligent analysis to intercept, detect and block them, and achieving “a single discovery, network-wide blocking”.
Ransomware cannot encrypt: combined with the cloud intelligence enabled by the endpoint security probes, the automated traceability analysis capability of the endpoint security agents enables accurate determination of the identity of the ransomware and reverse detection. This is coupled with a built-in document backup mechanism that performs unnoticeable backup of day-to-day office files and sensitive business data, comprehensively protects files in the backup area and blocks unauthorized operations on the backup area by third-party programs, thereby preventing ransomware from encrypting the backup area.
Recoverable after encryption: a large number of 360's unique file decryption tools and cloud decryption platforms are in place. The cloud supports the decryption of 1000+ ransomware files and local tools support the decryption of 100+ ransomware files, with encrypted files recovered as fully as possible through the endpoint security agent.
At present, the 360 security agent swarm has introduced multiple product and service packages tailored to different types of ransomware and to different customer sizes and needs, which have cumulatively provided help in over 10,000 ransomware cases.
In 2025, 360, empowered by the security agent swarm, captured a total of 5858 leads on ransomware attacks, involving 1639 affected units, identified 62 ransomware families, targeted 52 countries or areas outside the country, exported 674 leads on ransomware attacks, assisted over 2,200 users in decrypting 4.86 million documents, recovered losses of more than 47 million yuan, and provided sustained support to government and business institutions in building in-depth, full-process systems of protection against ransomware.




