North Korea Elevates Cyber Threat by Partnering in Ransomware-as-a-Service

Published December 6, 2025 by Stronglink Team

Microsoft has confirmed a significant and concerning shift in North Korea's cyber capabilities, detailing in its "2025 Digital Defense Report" that the nation's hackers are now joining the "ransomware...

Microsoft has confirmed a significant and concerning shift in North Korea's cyber capabilities, detailing in its "2025 Digital Defense Report" that the nation's hackers are now joining the "ransomware as a service" (RaaS) ecosystem as partners. This adoption of the RaaS model, which allows threat actors to outsource key operational components, is a strategic move to allocate resources more efficiently and focus on infiltration activities. Microsoft warns that this development will likely lead to a further increase in both the frequency and sophistication of North Korean-linked ransomware campaigns. Beyond the RaaS participation, the report highlights several other advanced tactics being employed. North Korean groups are escalating their phishing operations specifically to steal intellectual property (IP), particularly that related to weapons systems. Furthermore, they are actively utilizing cloud infrastructure to conceal their command and control (C2) servers. This use of advanced cloud capabilities makes attacks significantly more difficult to detect and block, indicating a focus on evading traditional defenses with increasingly sophisticated techniques. The primary targets for these state-sponsored operations reflect national goals of revenue generation and intelligence collection. Microsoft's analysis shows the attacks are concentrated across the IT sector, academia, and various think tanks and non-governmental organizations. Geographically, the United States remains the most heavily targeted country, accounting for half of the attacks. The specific industries under fire include blockchain and cryptocurrency, defense and manufacturing, and institutions related to East Asia policy.