Key 2025 SaaS Threat Actors to Watch: Profiles and Lessons
2024 Recap: The SaaS Security Landscape
In 2024, cyber threats targeting SaaS (Software-as-a-Service) platforms reached unprecedented levels. Microsoft’s Digital Defense Report 2024 revealed that:
Password attacks surged to 7,000 per second on Entra ID, a staggering 75% increase year-over-year.
Phishing attempts increased by 58%, causing an estimated $3.5 billion in losses.
Attackers increasingly bypassed detection by mimicking legitimate usage patterns, rendering many traditional defenses ineffective.
This year also introduced several high-profile threat actors, whose exploits highlighted critical SaaS vulnerabilities. From misconfigurations to third-party integrations, the attack surface expanded rapidly, emphasizing the need for comprehensive SaaS security strategies.
1. ShinyHunters: The Trophy Collectors
- Playstyle: Precision Shots (Cybercriminal Organization)
- Biggest Wins: Snowflake, Ticketmaster, and Authy
- Notable Drama: Exploited a single misconfiguration to breach 165+ organizations.
ShinyHunters capitalized on SaaS misconfigurations, exploiting overlooked Snowflake customer settings. This enabled unauthorized access, credential harvesting, and massive data exfiltration, with many organizations failing to enforce MFA or rotate credentials.
Lessons Learned:
- Conduct frequent audits of SaaS configurations.
- Implement robust authentication controls, including MFA and allow lists.
- Monitor for anomalous behavior in user accounts and API usage.
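The first two lessons above (audit configurations, enforce MFA and allow lists, rotate credentials) can be turned into a repeatable check. The following is an added example, not code from the original article or from any vendor: it audits a constructed export of SaaS account records for exactly the gaps the ShinyHunters campaign is described as exploiting. The record shape, the thresholds (90-day credential age, 60-day dormancy) and the role names are assumptions for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date


@dataclass
class AccountRecord:
    """One SaaS user or service account as exported from an admin console (constructed shape)."""
    name: str
    account_type: str               # "human" or "service"
    mfa_enforced: bool
    last_credential_rotation: date
    last_login: date | None
    network_policy: str | None      # attached IP allow-list policy name, or None if unrestricted
    roles: list[str] = field(default_factory=list)


# Assumed policy thresholds for this example (not values stated in the article)
MAX_CREDENTIAL_AGE_DAYS = 90
DORMANT_AFTER_DAYS = 60
PRIVILEGED_ROLES = {"ACCOUNTADMIN", "SECURITYADMIN"}   # hypothetical role names


def audit_account(acct: AccountRecord, today: date) -> list[str]:
    """Return the control gaps found on one account, as stable finding codes."""
    findings = []
    # Interactive human accounts should always require MFA; service accounts are
    # exempted here because they normally authenticate with keys rather than passwords.
    if acct.account_type == "human" and not acct.mfa_enforced:
        findings.append("mfa_not_enforced")
    if (today - acct.last_credential_rotation).days > MAX_CREDENTIAL_AGE_DAYS:
        findings.append("stale_credential")
    if acct.network_policy is None:
        findings.append("no_network_allow_list")
    if acct.last_login is None or (today - acct.last_login).days > DORMANT_AFTER_DAYS:
        findings.append("dormant_account")
    # A privileged role without MFA is the highest-impact gap, so it is reported separately.
    if PRIVILEGED_ROLES & set(acct.roles) and not acct.mfa_enforced:
        findings.append("privileged_without_mfa")
    return findings


def audit_accounts(accounts: list[AccountRecord], today: date) -> dict[str, list[str]]:
    """Map account name -> findings, keeping only accounts with at least one gap."""
    return {a.name: f for a in accounts if (f := audit_account(a, today))}


AUDIT_DATE = date(2025, 1, 15)

# Constructed sample export; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    AccountRecord("alice", "human", True, date(2024, 12, 1), date(2025, 1, 14), "corp_allow"),
    AccountRecord("bob", "human", False, date(2024, 6, 1), date(2025, 1, 10), None, ["ACCOUNTADMIN"]),
    AccountRecord("etl_svc", "service", False, date(2024, 10, 20), date(2025, 1, 15), "etl_allow"),
    AccountRecord("carol", "human", True, date(2024, 9, 1), date(2024, 10, 1), "corp_allow"),
]


def run_audit() -> dict[str, list[str]]:
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for name, gaps in run_audit().items():
        print(f"{name}: {', '.join(gaps)}")
```

Running this on the sample export reports `bob` (no MFA on an admin role, an 8-month-old credential, no allow list) and `carol` (stale credential, dormant account), while `alice` and the key-authenticated `etl_svc` pass. In practice the records would come from the platform's own user and policy listings, and the audit would be scheduled so that drift is caught before it is exploited.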
2. ALPHV (BlackCat): The Shadows of Deception
- Playstyle: Strategic Maneuvering (Ransomware-as-a-Service, RaaS)
- Biggest Wins: Change Healthcare, Prudential
- Notable Drama: Faked an FBI takedown to mislead affiliates and authorities.
ALPHV’s audacious tactics included a $22M ransom extortion campaign against Change Healthcare and a betrayal of its affiliate, RansomHub. Their operations showcased sophisticated deception and opportunistic targeting of SaaS platforms.
Lessons Learned:
- Leverage darknet monitoring to track leaked credentials.
- Enforce Single Sign-On (SSO) to centralize and secure authentication processes.
- Continuously monitor authentication activities to detect and mitigate account compromises early.
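Both this section and the ShinyHunters lesson above call for monitoring authentication activity for signs of account compromise. The block below is an added example, not code from the original article or from any product it mentions: it runs three simple detections over a constructed set of sign-in records (one JSON object per line), covering a password spray from one source, a success that follows a run of failures, and a sign-in without MFA from an address never seen for that user. The log format, the IP addresses (from the documentation ranges) and the thresholds are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sign-in records, one JSON object per line; not real telemetry.
SAMPLE_LOG = """\
{"ts": "2025-01-15T08:00:01", "user": "alice", "ip": "198.51.100.4", "result": "success", "mfa": true}
{"ts": "2025-01-15T08:01:00", "user": "bob", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:02", "user": "carol", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:04", "user": "dave", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:06", "user": "erin", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:08", "user": "frank", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:10", "user": "frank", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:11", "user": "frank", "ip": "203.0.113.7", "result": "failure", "mfa": false}
{"ts": "2025-01-15T08:01:12", "user": "frank", "ip": "203.0.113.7", "result": "success", "mfa": false}
{"ts": "2025-01-15T08:05:00", "user": "bob", "ip": "198.51.100.9", "result": "success", "mfa": true}
"""

# Constructed baseline of addresses previously seen per user (would come from history in practice).
KNOWN_IPS = {"alice": {"198.51.100.4"}, "bob": {"198.51.100.4"}, "frank": {"198.51.100.4"}}


def parse_events(text):
    """Parse newline-delimited JSON sign-in records and return them sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Source IPs whose failed sign-ins hit at least min_users distinct accounts within one window."""
    failures_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures_by_ip[e["ip"]].append(e)
    flagged = []
    for ip, fails in failures_by_ip.items():       # fails is already time-ordered
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:   # slide the window forward
                start += 1
            if len({f["user"] for f in fails[start:end + 1]}) >= min_users:
                flagged.append(ip)
                break
    return flagged


def detect_success_after_failures(events, min_failures=3):
    """(user, ip, failures) where a success directly followed a run of failures from the same ip."""
    streak = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["result"] == "failure":
            streak[key] += 1
        else:
            if streak[key] >= min_failures:
                hits.append((e["user"], e["ip"], streak[key]))
            streak[key] = 0
    return hits


def detect_new_ip_without_mfa(events, known_ips):
    """Successful sign-ins completed without MFA from an address not previously seen for that user."""
    return [(e["user"], e["ip"]) for e in events
            if e["result"] == "success" and not e["mfa"]
            and e["ip"] not in known_ips.get(e["user"], set())]


def run_detections(log_text=SAMPLE_LOG, known_ips=KNOWN_IPS):
    events = parse_events(log_text)
    return {
        "password_spray": detect_password_spray(events),
        "success_after_failures": detect_success_after_failures(events),
        "new_ip_without_mfa": detect_new_ip_without_mfa(events, known_ips),
    }


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

On the sample log all three rules point at the same source address and the same account: the spray against five users, three failures followed by a success for `frank`, and that success arriving without MFA from an address with no history for him. The legitimate `bob` sign-in from a new address is not flagged because it completed MFA, which is the point of combining the conditions rather than alerting on every new IP.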
3. RansomHub: Rookie of the Year
- Playstyle: Opportunistic Offense (Ransomware-as-a-Service, RaaS)
- Biggest Win: Frontier Communications
- Notable Drama: Fallout with ALPHV over a $22M ransom dispute.
RansomHub demonstrated adaptability, exploiting weak authentication and SaaS integrations to execute high-impact breaches. Despite setbacks, their persistence marked them as a rising threat in the ransomware landscape.
Lessons Learned:
- Deploy identity threat detection tools to monitor for account takeovers.
- Educate employees on recognizing phishing attempts.
- Strengthen third-party integration security.
4. LockBit: The Enforcers of Ransom
- Playstyle: Relentless Offense (Ransomware-as-a-Service, RaaS)
- Biggest Wins: Evolve Bank & Trust (Fintech)
- Notable Drama: Resilience against FBI’s Operation Cronos.
LockBit continued its dominance, leveraging supply chain vulnerabilities to amplify its impact. Despite law enforcement crackdowns, the group remained a formidable force.
Lessons Learned:
- Prioritize third-party risk assessments.
- Use User and Entity Behavior Analytics (UEBA) to detect anomalies.
- Maintain visibility into SaaS app connectivity.
5. Midnight Blizzard (APT29): The Silent Operator
- Playstyle: Defensive Infiltration (Advanced Persistent Threat, APT)
- Biggest Win: TeamViewer breach
- Notable Drama: Covert espionage operations.
Backed by Russian state resources, Midnight Blizzard executed stealthy breaches, focusing on intelligence gathering rather than financial gain. Their tactics emphasized long-term infiltration and data exfiltration.
Lessons Learned:
- Perform regular configuration audits of critical SaaS applications.
- Implement MFA and secure access controls.
- Proactively monitor for anomalies in high-value systems.
6. Lapsus$: The Opportunistic Chaos Agents
- Playstyle: Disruptive Opportunists (Cybercriminal Organization)
- Biggest Wins: Microsoft, Nvidia, and Okta
- Notable Drama: Publicly taunted victims and leaked sensitive data for notoriety.
Lapsus$ exploited vulnerabilities with audacious, high-profile attacks, often leveraging stolen credentials and social engineering to gain access. Their public-facing antics, including recruitment through Telegram, highlighted their chaotic but effective tactics.
Lessons Learned:
- Strengthen employee training on phishing and social engineering tactics.
- Enforce strict access controls and monitor for credential misuse.
- Establish incident response plans to handle public leaks.
7. Clop (TA505): The Precision Saboteurs
- Playstyle: Calculated Tacticians (Ransomware Group)
- Biggest Wins: MOVEit, Accellion
- Notable Drama: Exploited zero-day vulnerabilities in file transfer systems to exfiltrate and ransom data.
Clop’s targeted approach to exploiting third-party vulnerabilities demonstrated their skill in identifying and monetizing high-value opportunities, often impacting numerous organizations simultaneously.
Lessons Learned:
- Regularly update and patch third-party software to close known vulnerabilities.
- Perform third-party risk assessments to identify weak links in the supply chain.
- Implement file integrity monitoring to detect unauthorized data transfers.
8. FIN7: The Financial Hit Squad
- Playstyle: Strategic Heists (Cybercriminal Organization)
- Biggest Wins: Hospitality, retail, and financial services industries
- Notable Drama: Disguised operations as legitimate businesses to recruit unsuspecting employees.
FIN7 prioritized financial gain, using highly sophisticated malware and phishing campaigns to steal payment card information and compromise point-of-sale systems.
Lessons Learned:
- Use endpoint protection to detect and block malicious activity.
- Train employees to recognize phishing and fraudulent communications.
- Isolate critical financial systems from broader IT networks.
9. Wizard Spider: The Dark Web Strategists
- Playstyle: Coordinated Campaigns (Cybercriminal Organization)
- Biggest Wins: Ryuk ransomware campaigns targeting healthcare and municipal systems
- Notable Drama: Transitioned from banking trojans to ransomware for greater impact.
Wizard Spider orchestrated large-scale ransomware campaigns with precision, focusing on sectors with low tolerance for downtime to maximize ransoms.
Lessons Learned:
- Deploy ransomware-specific defenses, such as immutable backups and endpoint detection.
- Monitor dark web activity to anticipate potential targeting.
- Strengthen sector-specific incident response capabilities.
10. Conti Group: The Systematic Wreckers
- Playstyle: Methodical Sabotage (Ransomware-as-a-Service, RaaS)
- Biggest Wins: Ireland’s Health Service Executive (HSE)
- Notable Drama: Publicly leaked internal chats following a ransomware dispute.
Conti’s methodical approach to ransomware attacks included extensive reconnaissance and the deliberate targeting of essential services, forcing swift ransom payments.
Lessons Learned:
- Develop ransomware playbooks tailored to critical services.
- Invest in cyber insurance to mitigate financial losses.
- Strengthen network segmentation to limit the impact of intrusions.
11. REvil (Sodinokibi): The Extortion Architects
- Playstyle: Strategic Ransomware Empire Builders (Ransomware-as-a-Service, RaaS)
- Biggest Wins: Kaseya, JBS Foods
- Notable Drama: Briefly disappeared after law enforcement crackdowns, only to reemerge.
REvil demonstrated expertise in large-scale ransomware operations, leveraging supply chain vulnerabilities and double extortion tactics to maximize profits.
Lessons Learned:
- Secure remote access systems with MFA and allow lists.
- Implement vulnerability scanning to detect and remediate exploitable flaws.
- Prepare public relations strategies for high-visibility incidents.
12. Ragnar Locker: The Guardians of Data Hostage
- Playstyle: Targeted Data Extortion (Ransomware Group)
- Biggest Wins: EDP (Energias de Portugal), Campari Group
- Notable Drama: Threatened victims with public data leaks if ransom demands were not met.
Ragnar Locker’s focus on highly sensitive data made them a formidable ransomware group, often targeting industries with strict regulatory requirements to amplify pressure.
Lessons Learned:
- Encrypt sensitive data to limit its value in ransomware scenarios.
- Develop and test data recovery plans to ensure rapid response.
- Collaborate with legal and regulatory teams to address potential compliance risks.
Threat Actors to Watch Summary in 2025
Cyber threats targeting SaaS surged in 2024, driven largely by the exploitation of SaaS misconfigurations. Rising ransomware operators and state-sponsored actors were behind several high-visibility data breaches. Elite cybercriminal organizations like ShinyHunters breached 165+ organizations including Snowflake and Ticketmaster, while Lapsus$ targeted tech giants Microsoft, Nvidia, and Okta. In the Ransomware-as-a-Service (RaaS) space, ALPHV orchestrated a $22M campaign against Change Healthcare, while LockBit maintained dominance despite FBI crackdowns. The Russian state-backed Advanced Persistent Threat group Midnight Blizzard conducted stealthy intelligence-gathering operations, notably breaching TeamViewer. Specialized threat groups like Clop exploited zero-day vulnerabilities in file transfer systems, while Wizard Spider targeted healthcare and municipal systems. Key trends included exploitation of authentication weaknesses, supply chain attacks, sophisticated social engineering, and evolving ransomware tactics emphasizing double extortion. Essential defense strategies focused on regular SaaS configuration audits, robust MFA implementation, third-party risk assessments, and advanced behavior monitoring.
Emerging 2025 Threats and Forecast
1. AI-Augmented Ransomware
The convergence of AI and ransomware is poised to redefine cyber threats in 2025. Attackers are now leveraging AI to:
- Automate target selection by analyzing vast datasets for high-value victims.
- Generate highly personalized phishing emails using natural language models.
- Bypass defenses through adaptive malware capable of evading detection mechanisms.
Prediction: Expect a rise in AI-driven ransomware campaigns targeting SaaS platforms, where AI tools will analyze user behavior to identify and exploit weaknesses in authentication and access controls.
2. Zero-Day Exploits in SaaS Environments
With the proliferation of SaaS applications, zero-day vulnerabilities will become a primary attack vector. Threat actors will exploit these flaws to:
- Compromise authentication mechanisms.
- Access sensitive data.
- Disrupt critical business operations.
Prediction: Organizations will face increased risks from zero-day attacks targeting widely-used SaaS platforms. Early detection and patch management will be critical.
3. Supply Chain and Shadow IT Risks
As organizations integrate more third-party SaaS applications, the risk of supply chain attacks will grow. Unauthorized apps (shadow IT) will introduce additional vulnerabilities.
Prediction: Security teams will need to implement stricter oversight and automated remediation tools to mitigate these risks effectively.
Advanced Defensive Strategies: Warden, CNAPP, and Application Zero Trust
Warden: Your Cybersecurity Secret Weapon
Warden’s advanced security capabilities offer unparalleled protection against SaaS threat actors:
- Default Deny Technology: Prevents unauthorized access by enforcing strict role-based controls.
- Kernel API Virtualization: Isolates applications from potential exploits, ensuring safe execution environments.
- Threat Detection: Leverages AI and machine learning to identify and block malicious activity in real time.
CNAPP (Cloud-Native Application Protection Platform)
CNAPP provides end-to-end security for cloud environments:
- Continuous Monitoring: Identifies misconfigurations, vulnerabilities, and compliance gaps.
- Identity-Centric Security: Ensures access is granted based on roles and permissions.
- Threat Prevention: Blocks lateral movement and privilege escalation attempts.
Application Zero Trust
This approach enforces strict access controls:
- Centralized Data Storage: Stores all data, including unstructured data, within the Oracle database, minimizing the attack surface.
- Leveraging Oracle Security: The platform uses Oracle’s built-in security features like encryption, access controls, and audit logs to protect sensitive data.
- Granular Access Control: Allows organizations to define precisely who can access which data, under what conditions, and for how long.
- Data Lineage and Accountability: The centralized data storage allows organizations to track data access and demonstrate accountability for compliance and audits.
- Encryption: Encrypts data both at rest and in transit using Oracle’s encryption mechanisms.
- Reduced Attack Vectors: Centralizing data within a single, secure environment reduces the number of potential attack points.
- Simplified Compliance: Helps meet regulatory compliance requirements like GDPR and HIPAA by leveraging Oracle’s security and controls.
- Cost Reduction: Reduces IT costs by eliminating separate security solutions and the need for extensive middleware.
Conclusion: Preparing Your Cybersecurity for 2025
The cybersecurity landscape in 2025 will be shaped by AI-driven threats, zero-day exploits, and the continued exploitation of SaaS vulnerabilities by these threat actors. To stay ahead, organizations must:
- Implement multi-layered defenses, including tools like Warden and CNAPP.
- Regularly audit SaaS configurations and permissions.
- Invest in AI-powered threat detection to counter emerging risks.
By adopting proactive security measures and staying vigilant, businesses can protect their critical assets and navigate the evolving threat landscape effectively.