
Singapore's Cyber Threat Landscape: Inside the 2025 Data

Inside the Attacks Targeting the World's Highest-Risk Nation for Ransomware

Singapore now holds the unenviable distinction of ranking #1 globally for ransomware risk. Our 2025 Threat Intelligence Report reveals the groups behind the surge, the industries in the crosshairs, and what every organization needs to know.

#1

Highest Global Ransomware Risk Ranking — No Other Nation Exceeds This

50%

Of Singapore Organizations Paid Ransoms Multiple Times in 2025

66%

Reported Hackers Threatening to Report Breaches to Regulators

Most Severe

Ransomware

Double extortion dominates — encrypting systems while simultaneously threatening data leaks. 50% of Singapore organizations have paid multiple times, trapped in cycles of repeat extortion.

High

Data Theft

Attackers increasingly forgo immediate encryption, instead infiltrating networks for extended periods to harvest intelligence for dark web transactions or state-sponsored operations.

 

High

APT Infiltration

State-linked groups operate with long attack cycles and high stealth, targeting government networks, critical infrastructure, and research institutions for strategic long-term intelligence.

Growing

Phishing

The primary entry point for both ransomware and APT campaigns. Increasingly fused with social engineering tactics aligned to Singapore's critical sectors — finance, government, and technology.

 

Why Singapore Tops the Global Ransomware Risk Index

Singapore's risk is structural. Manufacturing, technology, and financial services — the pillars of its economy — are exactly the sectors ransomware groups prize most. Attackers exploit Singapore's regulatory environment with particular ruthlessness: 66% of respondents report being threatened with regulatory reporting if they refuse to pay, turning compliance obligations into extortion leverage.

The result is a vicious cycle. With 50% of organizations having paid ransoms multiple times, attackers have learned that Singapore targets reliably yield returns — reinforcing the city-state's position at the top of every criminal group's target list.

 


APT Groups

The Primary Threat Sources

APT attacks targeting Singapore focus on government networks, critical infrastructure, and research institutions — seeking intelligence with long-term strategic value rather than short-term financial gain.

Lazarus

The most financially destructive APT group active in Singapore. Stole $1.5B in a single supply chain operation — the largest cryptocurrency theft in history. Also linked to the ~$70M breach of a Singapore-based crypto exchange in January 2025.

Finance · Crypto

Mabna Institute

Focused on academic espionage — credential stuffing and phishing against universities and research institutions. Singapore academic accounts appeared for sale on the dark web in early 2025, indicating active collection operations.

Academia · Research

 


Ransomware Groups

Most Influential Groups Targeting Singapore

Five ransomware groups drove Singapore's threat landscape in 2025, each exploiting the double extortion model — encrypting systems while simultaneously threatening to leak stolen data to amplify pressure on victims.

Qilin

RaaS · Most Active

Singapore's most active ransomware group in 2025. A mature RaaS operation written in Go and Rust with cross-platform capabilities. Uses Cobalt Strike and Mimikatz for lateral movement, AES-256 + RSA-4096 encryption.

Lynx

RaaS · Supply Chain

Most proficient in supply chain penetration with over 270 victims published by May 2025. Struck a luxury goods firm in Asia in July, threatening to expose high-net-worth client data.

Akira

RaaS · Multi-Mode Encryption

Linked to former Conti group members. Struck Singapore manufacturing, medical imaging, and blockchain hosting — including a VPN vulnerability attack that destroyed petabytes of diagnostic imaging data.

DireWolf

Most Destructive · Emerging

First identified in early 2025. Targets manufacturing and ICS/SCADA environments — combining Curve25519 key exchange with ChaCha20 encryption and thorough log purging to hinder all forensic recovery.

DevMan

Emerging · Energy Sector

First detected April 2025. Encrypted SCADA data at a major power company, causing an 8-hour dispatch system outage. Completes penetration and extortion operations within hours or days.

 
