• Qilin, a ransomware-as-a-service (RaaS) operation, led attack listings in the Caribbean
• Ransomware groups like Qilin offer lucrative opportunities for affiliates, providing easy access to encryption tools
• While smaller groups conduct random attacks, the real threat lies in large, organized groups with significant resources

Above: Illustration by wiro.klyngz/DepositPhotos.

BitDepth 1558 for April 13, 2026

On April 06, a week ago, Shiva Parasram of the Computer Forensics and Security Institute (CFSI) issued a report on Ransomware for 2025 covering his findings across the Caribbean with a focus on Caricom.

This is the third consecutive evaluation of ransomware in the Caribbean produced by CFSI, though only the reports for 2025 and 2024 are currently available on the cybersecurity company’s website. A report on the 2023 findings is here.

Parasram tends to be non-sensational in discussing this kind of potentially sensational information, so his decision not to name the victims of ransomware dumps is in keeping with his previous approach to these issues, but his report may not alarm businesses operating in the Caribbean as much as it should.

CFSI lists 21 confirmed ransomware attack listings across 11 Caribbean countries and territories, an increase in declared attacks.

The leading ransomware-as-a-service (RaaS) operating globally, Qilin, also led attack listings in the Caribbean last year with eight listings. Barbados was hardest hit, with nine listings, followed by Trinidad and Tobago with five and Jamaica with four.

Notably, some of these attacks were related, with attack vectors on a single company affecting multiple countries. No business sector was immune to compromise, but the finance sector was listed in three compromises and the real estate sector in two.

*Attack listings by ransomware group. From the CFSI report.*

“This breadth of targeting suggests that Caribbean organizations across all sectors should consider themselves potential targets,” the report noted.

“The attack on a utility company in Aruba (Qilin, September) is particularly concerning as it represents a direct threat to critical infrastructure. Disruption of utility services can cascade across other sectors including health, finance, and daily life, especially in island economies that often depend on single service providers.”

Shiva Parasram agreed to answer questions about the research that informed the CFSI findings.

“The number of documented attacks in 2025! Those were only the ones that were listed by some of the ransomware groups. It started off quietly in January, but for the rest of the month, I’ve never seen anything like this before in the Caribbean.”

“I didn’t have any documentation in 2022, I was just sort of casually looking [on the dark web], but that was a pretty bad year as well. Things settled down in 2023 but in 2024 we had some big attacks, even so, I was surprised to see so many attacks during 2025.”

The report counted 21 confirmed dumps of information to the dark web, but Parasram estimates that twice that number, at the very least, were breached resulting in small proof exposures of company data released as part of the threat process.

Those companies would have been in the negotiation phase of ransomware demands. Complete dumps of company data only happen if a company refuses to make payments by a set deadline.

“I am aware of several other attacks in quite a few countries in the Caribbean that experienced ransomware demands, but they weren’t published. It’s odd because no ransomware payment was made.”

“Typically when the ransomware payment is not made, the whole point of the ransomware attack is to use that refusal against them. That’s double extortion because they encrypt the data [on the company’s servers] while also leaking the files.”

Parasram conjectured that a ransomware group that wasn’t successful in its demands might not want to draw attention to that fact.
He noted that in 2025 and into 2026, the ransomware group LockBit drew the attention of a large cross section of international law enforcement agency organisation because they listed as many as 95 percent of their attacks.

“There are absolutely no rules to this type of cybercrime.They do what they feel, what they want,” he said.

“Qilin announced on their dark web site that their goal is to become a ransomware cartel. I think that they mean cartel in every sense of that word. They have demonstrated their strength and their operations have a near monopoly after joining forces with the other major groups.”

*Shiva Parasram. Photo by Mark Lyndersay.*

“There’s more [criminal] opportunity in joining these groups, such as LockBit and Qilin because there’s a lot less work involved. You contact them, you upload proof of your skill sets and possibly of any breaches that you might have been responsible for and that’s it.”

“You get access to their tools for encryption. Sometimes they even have a dashboard for all the ransomware affiliates. They’re very welcoming, and I think the cut that Qilin offers is significantly larger than what other ransomware as a service groups offer. I think it was at least 20 to 30% [of takings].”

Parasram noted that as many as five smaller groups surfaced in Caribbean attacks during 2025, “they hit hard and they just disappear.”

“Sometimes you just have random hits being carried out by the affiliates, sometimes they might just try their luck and say, hey, this company looks like they make a lot of money.”

But Parasram believes that the attack profiles are growing more sophisticated and organised, consolidating around success.

Parasram believes the real danger is from large scale, organised groups like Qilin, which can bring significant resources to attack vectors. He believes that the profile of attacks in the region is being guided by the economies of the Caribbean nations and that TT is not getting hit harder because ransomware groups are well aware that companies have difficulty getting access to foreign exchange.

“There is a recycling of affiliates and affiliates belonging to multiple groups as well. Wherever they decide to meet up, usually on forums on the dark web, they exchange information and assess the people responsible for these attacks.”

“These attacks were quite successful [they might say]. Ransoms were paid. Maybe we want to have these people involved with us as affiliates. We could offer them something additional.”

“It’s not just technical people in these groups, they have a very deep understanding of organizational structure, accounting, business, financials, HR.
They have the potential to be very highly paid consultants that could restructure organizations and CEOs and C-level management.”

As it stands, that talent is being leveraged for digital terrorism and holding companies hostage when they grow careless in managing their cybersecurity.

The report can be downloaded here.