Kaspersky is monitoring 25 APT groups that are currently active in the Middle East, Turkiye and Africa (META) region, including well-known ones such as SideWinder, Origami Elephant, and MuddyWater.
The rise of creative exploits for mobile and further development of techniques aimed at evading detection are among the trends Kaspersky is seeing in these targeted attacks.
On a broader level, the first quarter of 2025 showed that Turkiye and Kenya had the highest number of users affected by web incidents (online threats) – 26,1% and 20,1% respectively. They were followed by Qatar (17,8%), Nigeria (17,5%) and South Africa (17,5%).
Ransomware remains one of the most destructive cyberthreats. A
ccording to Kaspersky data, the share of users affected by ransomware attacks increased by 0.02 pp to 0,44% from 2023 to 2024 globally. In the Middle East the growth is 0.07 pp to 0,72%, in Africa: 0.01 pp growth to 0,41%, in Turkiye 0,06 pp growth to 0,46%.
Attackers often don’t distribute this type of malware on a mass scale, but prioritise high-value targets, which reduces the overall number of incidents. While ransomware is not increasing largely, that doesn’t mean that it becomes less dangerous.
In the Middle East ransomware affected a higher share of users due to rapid digital transformation, expanding attack surfaces and varying levels of cybersecurity maturity.
Ransomware is less prevalent in Africa due to lower levels of digitisation and economic constraints, which reduce the number of high-value targets.
However, as countries like South Africa and Nigeria expand their digital economies, ransomware attacks are on the rise, particularly in the manufacturing, financial and government sectors. Limited cybersecurity awareness and resources leave many organisations vulnerable, though the smaller attack surface means the region remains behind global hotspots.
Ransomware trends include:
- AI tools are increasingly being used in ransomware development, as demonstrated by FunkSec, a ransomware group that emerged in late 2024 and quickly gained notoriety by surpassing established groups like Cl0p and RansomHub with multiple victims claimed in December alone. Operating under a Ransomware-as-a-Service (RaaS) model, FunkSec employs double extortion tactics — combining data encryption with exfiltration — targeting sectors such as government, technology, finance, and education in Europe and Asia. The group’s heavy reliance on AI-assisted tools sets it apart, with its ransomware featuring AI-generated code, complete with flawless comments, likely produced by Large Language Models (LLMs) to enhance development and evade detection. Unlike typical ransomware groups demanding millions, FunkSec adopts a high-volume, low-cost approach with unusually low ransom demands, further highlighting its innovative use of AI to streamline operations.
- In 2025, ransomware is expected to evolve by exploiting unconventional vulnerabilities, as demonstrated by the Akira gang’s use of a webcam to bypass endpoint detection and response systems and infiltrate internal networks. Attackers are likely to increasingly target overlooked entry points like IoT devices, smart appliances or misconfigured hardware in the workplace, capitalising on the expanding attack surface created by interconnected systems. As organisations strengthen traditional defenses, cybercriminals will refine their tactics, focusing on stealthy reconnaissance and lateral movement within networks to deploy ransomware with greater precision, making it harder for defenders to detect and respond in time.
- The proliferation of LLMs tailored for cybercrime will further amplify ransomware’s reach and impact. LLMs marketed on the dark web lower the technical barrier to creating malicious code, phishing campaigns and social engineering attacks, allowing even less skilled actors to craft highly convincing lures or automate ransomware deployment. As more innovative concepts such as RPA (Robotic Process Automation) and LowCode, which provide an intuitive, visual, AI-assisted drag-and-drop interface for rapid software development, are quickly adopted by software developers, we can expect ransomware developers to use these tools to automate their attacks as well as new code development, making the threat of ransomware even more prevalent.
“Ransomware is one of the most pressing cybersecurity threats facing organisations today, with attackers targeting businesses of all sizes and across every region, including META,” says Sergey Lozhkin, Head of META and APAC regions in Global Research and Analysis Team at Kaspersky. “Ransomware groups continue to evolve by adopting techniques, such as developing cross-platform ransomware, embedding self-propagation capabilities and even using zero-day vulnerabilities that were previously affordable only for APT actors.
“There is also a shift toward exploiting overlooked entry points — including IoT devices, smart appliances, and misconfigured or outdated workplace hardware. These weak spots often go unmonitored, making them prime targets for cybercriminals.
“To stay secure, organisations need a layered defense: up-to-date systems, network segmentation, real-time monitoring, robust backups, and continuous user education.”