Threat actors are increasingly trying to grind business to a halt | CyberScoop<\/title> <meta name=\"description\" content=\"Palo Alto Networks\u2019 threat intelligence firm said nearly 9 in 10 cyberattacks it responded to last year involved disrupted business operations.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Threat actors are increasingly trying to grind business to a halt\"> <meta property=\"og:description\" content=\"Palo Alto Networks\u2019 threat intelligence firm said nearly 9 in 10 cyberattacks it responded to last year involved disrupted business operations.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:published_time\" content=\"2025-02-25T11:01:00+00:00\"> <meta property=\"article:modified_time\" content=\"2025-02-24T22:57:33+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg\"> <meta property=\"og:image:width\" content=\"5079\"> <meta property=\"og:image:height\" content=\"3503\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1739294329g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1739821441g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1740183262g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=9586249c695df0f3b26c\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/83590\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/cyberscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.2\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=83590\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcyberattacks-business-disruption-2025-unit-42-palo-alto-networks%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fcyberattacks-business-disruption-2025-unit-42-palo-alto-networks%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-83590 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--event js-stickybar\">\n<div class=\"stickybar__details\" readability=\"5.12\">\n<div class=\"stickybar__info js-sticky-bar-content\" readability=\"32\">\n<p>Nominations can be submitted for the 2025 CyberScoop 50 awards!<\/p>\n<\/div>\n<p> <a class=\"stickybar__link button button-tertiary\" href=\"https:\/\/cyberscoop.com\/cyberscoop50\/\">Click here!<\/a> <\/div>\n<p> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"25.366983372922\">\n<div class=\"single-article__header-content\" readability=\"34.4039408867\">\n<p> Palo Alto Networks\u2019 threat intelligence firm said nearly 9 in 10 cyberattacks it responded to last year involved disrupted business operations. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/83590\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"441\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt.jpg?resize=640%2C441&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg 5079w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=300,207 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=768,530 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=1024,706 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=1536,1059 1536w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=2048,1413 2048w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=600,414 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=244,168 244w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=489,337 489w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=979,675 979w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-2.jpg?resize=1222,843 1222w\" sizes=\"(max-width: 979px) 100vw, 979px\"><figcaption> (Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"36.221071863581\"><body readability=\"74.171122994652\"><\/p>\n<p>Cybercriminals intentionally disrupted operations at a growing rate last year, Palo Alto Networks\u2019 threat intelligence firm Unit 42 said in an <a href=\"https:\/\/www.paloaltonetworks.com\/blog\/2025\/02\/incident-response-report-attacks-shift-disruption\/\">annual incident response report<\/a> released Tuesday.<\/p>\n<p>Of the nearly 500 major cyberattacks Unit 42 responded to last year, 86% involved business disruption, including operational downtime, fraud-related losses, increased operating costs and negative reputational impacts. <\/p>\n<p>Unit 42 called this trend the \u201cthird wave of extortion attacks,\u201d another point of potential leverage for threat groups to impose on targets in addition to encryption and data theft. <\/p>\n<p>These disruptive attacks stand out for the pain, impact and broader ripple effects they inflict on society and the economy at large, said Sam Rubin, senior vice president of consulting and threat intelligence at Unit 42.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cThis is what organizations need to be worried about from a threat perspective and from a defensive strategy standpoint,\u201d Rubin said. <\/p>\n<p>Encryption remains the most common tactic used in extortion attacks, which Unit 42 observed in 92% of attacks last year, followed by data theft in 60% of all cases. Yet, cybercriminals are demonstrating adaptability by intensifying attacks through operational disruptions, adding to the impact of data theft and encryption.<\/p>\n<p>\u201cIt\u2019s often building on each other, but ultimately it\u2019s how to get to that end game of getting paid,\u201d Rubin said.<\/p>\n<p>Unit 42 observed attackers visibly disrupting organizations by removing systems, destroying data and harassing customers and partners, which allows them to gain leverage in rather significant ways. For example, in an attack on a large IT services firm, the threat group\u2019s persistence and proven ability to continue deleting additional systems compounded financial losses, Rubin said. <\/p>\n<p>The CEO of the IT services firm was so determined to end the hardship, they instructed advisers to pay the large ransom demand without further negotiations. Unit 42 helped the organization lower the payment, but \u201cthat\u2019s the urgency that they felt to just move on and get past this, because there\u2019s just continuing pain and infliction of different tactics to take down parts of their environment,\u201d Rubin said.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Unit 42 observed threat groups using disruptive tactics against critical infrastructure organizations in sectors like health care, hospitality and manufacturing, often extorting them for higher ransoms.<\/p>\n<p>The median initial extortion demand jumped almost 80% year over year to $1.25 million in 2024, about 2% of the victim organization\u2019s perceived annual revenue, Unit 42\u2019s research found. The company said it negotiated a median percentage reduction of more than 50% from initial ransom demands, with the median ransom payment coming in at $267,500 last year.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"3.7374476987448\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/02\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/cyberattacks-business-disruption-2025-unit-42-palo-alto-networks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Threat actors are increasingly trying to grind business to a<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,895,1583,323,1156,715,46,256,288,1,183],"tags":[286,86,902,1587,327,1168,720,54,262,294,325,207],"class_list":["post-7390","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-data-theft","category-encryption","category-extortion","category-incident-response","category-palo-alto-networks","category-ransomware","category-research","category-threats","category-uncategorized","category-unit-42","tag-cybercrime","tag-cybersecurity","tag-data-theft","tag-encryption","tag-extortion","tag-incident-response","tag-palo-alto-networks","tag-ransomware","tag-research","tag-threats","tag-uncategorized","tag-unit-42"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/data-theft\/\" rel=\"category tag\">Data theft<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/encryption\/\" rel=\"category tag\">encryption<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/extortion\/\" rel=\"category tag\">extortion<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/incident-response\/\" rel=\"category tag\">incident response<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/palo-alto-networks\/\" rel=\"category tag\">Palo Alto Networks<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/ransomware\/\" rel=\"category tag\">ransomware<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/research\/\" rel=\"category tag\">Research<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/uncategorized\/\" rel=\"category tag\">Uncategorized<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/unit-42\/\" rel=\"category tag\">Unit 42<\/a>","tag_info":"Unit 42","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7390","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7390"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7390\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7390"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7390"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7390"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":7390,"date":"2025-02-25T05:01:00","date_gmt":"2025-02-25T11:01:00","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83590"},"modified":"2025-02-25T05:01:00","modified_gmt":"2025-02-25T11:01:00","slug":"threat-actors-are-increasingly-trying-to-grind-business-to-a-halt","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/02\/25\/threat-actors-are-increasingly-trying-to-grind-business-to-a-halt\/","title":{"rendered":"Threat actors are increasingly trying to grind business to a halt"},"content":{"rendered":"