3 min read

Singapore's Cyber Threat Landscape: Inside the 2025 Data

Inside the Attacks Targeting the World's Highest-Risk Nation for Ransomware

Singapore now holds the unenviable distinction of ranking #1 globally for ransomware risk. Our 2025 Threat Intelligence Report reveals the groups behind the surge, the industries in the crosshairs, and what every organization needs to know.

#1  Highest global ransomware risk ranking; no other nation ranks higher

50%  Of Singapore organizations paid ransoms multiple times in 2025

66%  Reported attackers threatening to report the breach to regulators

Most Severe: Ransomware

Double extortion dominates — encrypting systems while simultaneously threatening data leaks. 50% of Singapore organizations have paid multiple times, trapped in cycles of repeat extortion.

High: Data Theft

Attackers increasingly forgo immediate encryption, instead remaining inside networks for extended periods to harvest data for sale on dark web markets or for use in state-sponsored operations.

High: APT Infiltration

State-linked groups operate with long attack cycles and high stealth, targeting government networks, critical infrastructure, and research institutions for strategic long-term intelligence.

Growing: Phishing

The primary entry point for both ransomware and APT campaigns. Increasingly fused with social engineering tactics tailored to Singapore's critical sectors — finance, government, and technology.

Why Singapore Tops the Global Ransomware Risk Index

Singapore's risk is structural. Manufacturing, technology, and financial services — the pillars of its economy — are exactly the sectors ransomware groups prize most. Attackers exploit Singapore's regulatory environment with particular ruthlessness: 66% of respondents report being threatened with regulatory reporting if they refuse to pay, turning compliance obligations into extortion leverage. That leverage only exists while the victim has not yet notified; an organization that decides its notification position before a demand arrives, rather than after, takes it away.

The result is a vicious cycle. With 50% of organizations having paid ransoms multiple times, attackers have learned that Singapore targets reliably yield returns — reinforcing the city-state's position near the top of criminal groups' target lists.

APT Groups

The Primary Threat Sources

APT attacks targeting Singapore focus on government networks, critical infrastructure, and research institutions — seeking intelligence with long-term strategic value rather than short-term financial gain.

Lazarus

The most financially destructive APT group active in Singapore. Stole $1.5B in a single supply chain operation — the largest cryptocurrency theft in history. Also linked to the ~$70M breach of a Singapore-based crypto exchange in January 2025.

Finance · Crypto

Mabna Institute

Focused on academic espionage — credential stuffing and phishing against universities and research institutions. Singapore academic accounts appeared for sale on the dark web in early 2025, indicating active collection operations.

Academia · Research
Ransomware Groups

Most Influential Groups Targeting Singapore

Five ransomware groups drove Singapore's threat landscape in 2025, each exploiting the double extortion model — encrypting systems while simultaneously threatening to leak stolen data to amplify pressure on victims.

Qilin

RaaS · Most Active

Singapore's most active ransomware group in 2025. A mature RaaS operation written in Go and Rust with cross-platform capabilities. Uses Cobalt Strike and Mimikatz for lateral movement, AES-256 + RSA-4096 encryption.

Lynx

RaaS · Supply Chain

Most proficient in supply chain penetration, with over 270 victims published by May 2025. Struck a luxury goods firm in Asia in July, threatening to expose high-net-worth client data.

Akira

RaaS · Multi-Mode Encryption

Linked to former Conti group members. Struck Singapore manufacturing, medical imaging, and blockchain hosting targets — including an intrusion through a VPN vulnerability that destroyed petabytes of diagnostic imaging data.

DireWolf

Most Destructive · Emerging

First identified in early 2025. Targets manufacturing and ICS/SCADA environments — combining Curve25519 key exchange with ChaCha20 encryption, and purging logs thoroughly to hinder forensic recovery.
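The "Curve25519 key exchange with ChaCha20 encryption" attributed to DireWolf above, and the "AES-256 + RSA-4096" attributed to Qilin, describe the same envelope (sealed-box) design with different primitives: each file gets a fresh symmetric key that is derived from an ephemeral key pair and the operator's public key, and only the operator's private key can rebuild it. The following is an added example written for this page, not code from any group or from the report; it uses the X25519 and ChaCha20-Poly1305 implementations in the `cryptography` package, and the operator key, HKDF label and sample file contents are constructed for illustration.

```python
"""Sealed-box envelope encryption: X25519 key agreement + ChaCha20-Poly1305.

Added example for this page, not any group's or ThreatBook's code. Assumes the
`cryptography` package is installed. Operator key, HKDF label and sample data
are constructed here for illustration.
"""
import os
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric.x25519 import X25519PrivateKey, X25519PublicKey
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
from cryptography.hazmat.primitives.kdf.hkdf import HKDF

RAW = (serialization.Encoding.Raw, serialization.PublicFormat.Raw)
PUB_LEN = 32    # X25519 public key length
NONCE_LEN = 12  # ChaCha20-Poly1305 nonce length
LABEL = b"envelope-example-v1"  # constructed domain-separation label


def new_operator_keypair() -> X25519PrivateKey:
    """The long-term key pair; in the real scheme only the public half ever reaches a victim."""
    return X25519PrivateKey.generate()


def _file_key(shared_secret: bytes, eph_pub: bytes, operator_pub: bytes) -> bytes:
    # Bind the derived key to both public keys so a blob cannot be re-targeted
    # to a different operator key.
    return HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                info=LABEL + eph_pub + operator_pub).derive(shared_secret)


def seal(plaintext: bytes, operator_pub: X25519PublicKey) -> bytes:
    """Encrypt one file. Only the ephemeral *public* key is stored alongside the ciphertext."""
    eph_priv = X25519PrivateKey.generate()
    eph_pub = eph_priv.public_key().public_bytes(*RAW)
    op_pub = operator_pub.public_bytes(*RAW)
    key = _file_key(eph_priv.exchange(operator_pub), eph_pub, op_pub)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = ChaCha20Poly1305(key).encrypt(nonce, plaintext, eph_pub)  # eph_pub is AAD
    # eph_priv and key go out of scope here: nothing left on the host can recompute `key`.
    return eph_pub + nonce + ciphertext


def unseal(blob: bytes, operator_priv: X25519PrivateKey) -> bytes:
    """Decrypt. Requires the operator's private key, which never touched the victim."""
    eph_pub = blob[:PUB_LEN]
    nonce = blob[PUB_LEN:PUB_LEN + NONCE_LEN]
    ciphertext = blob[PUB_LEN + NONCE_LEN:]
    op_pub = operator_priv.public_key().public_bytes(*RAW)
    shared = operator_priv.exchange(X25519PublicKey.from_public_bytes(eph_pub))
    key = _file_key(shared, eph_pub, op_pub)
    return ChaCha20Poly1305(key).decrypt(nonce, ciphertext, eph_pub)


def recoverable_with_wrong_key(blob: bytes) -> bool:
    """What a responder holding only the on-disk artefacts can do: any key other than the
    operator's fails the Poly1305 authentication check, so the answer is always False."""
    try:
        unseal(blob, X25519PrivateKey.generate())
        return True
    except InvalidTag:
        return False


if __name__ == "__main__":
    operator = new_operator_keypair()
    sample = b"PATIENT-0001 MRI series (constructed sample data)"
    blob = seal(sample, operator.public_key())
    print("operator can decrypt:", unseal(blob, operator) == sample)
    print("anyone else can decrypt:", recoverable_with_wrong_key(blob))
```

The practitioner point is what this leaves on the victim host: the operator's public key, and per file a 32-byte ephemeral public key, a nonce and authenticated ciphertext. None of that yields the file key, so when the scheme is implemented as above, offline backups are the only recovery path and a memory image taken while the process is still running is the only on-host chance of catching a key. Public decryptors for ransomware families appear when an implementation departs from this design, for example by keeping a static per-victim key on disk or reusing nonces, not because the primitives are weak.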

DevMan

Emerging · Energy Sector

First detected April 2025. Encrypted SCADA data at a major power company, causing an 8-hour dispatch system outage. Completes penetration and extortion operations within hours or days.
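The log purging attributed to DireWolf above is one of the few ransomware behaviours that is cheap to detect because it is itself logged: clearing the Windows Security log writes Event ID 1102, clearing the System log writes Event ID 104, and the `wevtutil cl` or `Clear-EventLog` command that does it appears in process-creation events (Event ID 4688) when command-line auditing is enabled. The following is an added example for this page, not code from the report or from any vendor product; the `Event` shape, the host names and all sample records are constructed, and a real deployment would feed it from a SIEM or from `Get-WinEvent` output instead.

```python
"""Flag event-log clearing from a stream of Windows event records.

Added example for this page, not ThreatBook's code. Event IDs are the real
Windows identifiers; the Event record shape, host names and sample events
below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

SECURITY_LOG_CLEARED = 1102  # Security channel: "The audit log was cleared"
SYSTEM_LOG_CLEARED = 104     # System channel: "The System log file was cleared"
PROCESS_CREATED = 4688       # Security channel: new process (needs command-line auditing)

# `wevtutil cl <log>` / `wevtutil clear-log <log>`; the optional quote handles
# invocations such as "C:\Windows\System32\wevtutil.exe" cl Security.
WEVTUTIL_CLEAR = re.compile(r'wevtutil(?:\.exe)?"?\s+(?:cl|clear-log)\b', re.IGNORECASE)
PS_CLEAR = re.compile(r"\bClear-EventLog\b", re.IGNORECASE)


@dataclass
class Event:
    channel: str
    event_id: int
    computer: str
    user: str
    command_line: str = ""


# Constructed sample: a file server where the Security and System logs are wiped,
# an HMI where PowerShell clears logs, and a benign wevtutil *query* on a workstation.
SAMPLE_EVENTS = [
    Event("Security", 4624, "SG-FILESRV01", "svc_backup"),
    Event("Security", 4688, "SG-FILESRV01", "svc_backup",
          r'"C:\Windows\System32\wevtutil.exe" cl Security'),
    Event("Security", 1102, "SG-FILESRV01", "svc_backup"),
    Event("System", 104, "SG-FILESRV01", "svc_backup"),
    Event("Security", 4688, "SG-HMI02", "operator",
          r'powershell.exe -nop -c "Clear-EventLog -LogName Application,System"'),
    Event("Security", 4688, "SG-WKS17", "alice",
          r'"C:\Windows\System32\wevtutil.exe" qe Security /c:5'),
]


def classify(ev: Event) -> str | None:
    """Return the indicator an event represents, or None if it is not log clearing."""
    if ev.channel == "Security" and ev.event_id == SECURITY_LOG_CLEARED:
        return "Security log cleared (EID 1102)"
    if ev.channel == "System" and ev.event_id == SYSTEM_LOG_CLEARED:
        return "System log cleared (EID 104)"
    if ev.event_id == PROCESS_CREATED:
        if WEVTUTIL_CLEAR.search(ev.command_line):
            return "wevtutil clear-log invoked (EID 4688)"
        if PS_CLEAR.search(ev.command_line):
            return "Clear-EventLog invoked (EID 4688)"
    return None


def detect_log_purging(events: list[Event]) -> list[dict]:
    """One finding per indicator. A host with two or more independent indicators is
    escalated to 'high': a single 1102 can be an admin, several channels at once rarely is."""
    findings = [
        {"computer": ev.computer, "user": ev.user, "reason": reason}
        for ev in events
        if (reason := classify(ev)) is not None
    ]
    per_host = Counter(f["computer"] for f in findings)
    for f in findings:
        f["severity"] = "high" if per_host[f["computer"]] >= 2 else "medium"
    return findings


if __name__ == "__main__":
    for finding in detect_log_purging(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['computer']} {finding['user']}: {finding['reason']}")
```

Two caveats when running this for real. Event ID 4688 carries a command line only if "Include command line in process creation events" is enabled through Group Policy (Sysmon Event ID 1 is the usual alternative), and the 1102/104 records are written to the log that was just cleared, so they are only reliable when logs are forwarded off the host; on a box where the attacker has already purged everything, the absence of history is itself the finding.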
