Ransomware in 2025: Record Attacks Surge as Profits Decline and Hackers Shift Tactics

Since around 2018, many financially motivated threat actors have shifted their strategy toward deploying ransomware once they gain access to a victim's systems. Ransomware has since become one of the most widespread and disruptive cyber threats across nearly every industry and region.

Over time, ransomware operations have matured into a highly organized ecosystem. The rise of ransomware-as-a-service (RaaS) has made it easier for new actors to get involved, thanks to specialized underground communities and commoditized tooling. While ransomware remains a major threat due to its scale and ability to disrupt operations, there are growing signs that its overall profitability is declining. This appears to be driven by stronger cybersecurity practices, improved recovery capabilities among organizations, and a drop in both ransom payments and payment rates.

At the same time, the ransomware landscape has faced significant disruption. Law enforcement actions, internal conflicts, and operational failures have weakened or dismantled major RaaS groups like LockBit, ALPHV, Black Basta, and RansomHub. Despite this, established groups such as Qilin and Akira have stepped in to fill the gap, contributing to a record number of victims listed on data leak sites (DLS) in 2025.

Source: Google

This report provides an overview of the ransomware landscape and highlights common tactics, techniques, and procedures (TTPs) observed in ransomware incidents that Mandiant Consulting investigated in 2025. Note that this analysis excludes incidents focused solely on data theft extortion.

Key findings include:

  • In roughly one-third of incidents, initial access was linked to exploitation of vulnerabilities—most commonly in VPNs and firewalls.
  • 77% of incidents involved suspected data theft, up from 57% in 2024.
  • Around 43% of intrusions targeted virtualization infrastructure, compared to 29% in 2024.
  • REDBIKE was the most commonly deployed ransomware family, accounting for 30% of cases.
  • Some trends remained consistent, including reduced use of tools like BEACON and MIMIKATZ, and a leveling off in the use of remote management tools.

The Google Threat Intelligence Group (GTIG) based this analysis primarily on Mandiant investigations, meaning it reflects only a portion of global ransomware activity. These incidents spanned organizations across Asia Pacific, Europe, North America, and South America, and covered nearly every industry sector.

Looking ahead to 2026, ransomware is expected to remain a major threat. However, declining profits may push threat actors toward alternative monetization strategies—such as increased reliance on data theft extortion, more aggressive tactics, or leveraging compromised environments for additional revenue streams.


2025 Ransomware Landscape

In 2025, the ransomware ecosystem became more crowded than ever, with a record number of active data leak sites. At the same time, sustained law enforcement pressure and improved defenses have likely reduced profit margins. As a result, threat actors are adapting—changing who they target and how they operate.

Some notable shifts include:

  • Increased targeting of smaller organizations
  • Greater focus on data theft without deploying ransomware
  • Use of AI in areas like negotiations
  • Adoption of Web3 technologies to make infrastructure more resilient

Despite innovation, instability within the ecosystem has made actors more cautious, leading to stricter vetting of partners. Even so, ransomware groups continue to evolve in an effort to maintain profitability.

Although DLS postings hit record highs in 2025—nearly 50% higher than 2024—these numbers don’t fully reflect ransomware activity. Many posts only appear when victims refuse to pay, and some groups exaggerate or recycle claims. Additionally, some major actors (like those behind CL0P) now focus primarily on data theft rather than encryption.


Profitability Trends

While ransomware has historically been highly lucrative, recent data suggests declining returns:

  • Ransom payment rates reached a historic low in Q4 2025 (Coveware).
  • Average ransom demands dropped from $2 million in 2024 to $1.34 million in 2025 (Sophos).
  • Nearly half of victims restored from backups in 2024, compared to just 11% in 2022 (Unit 42).

As organizations improve resilience, attackers increasingly view data theft as a more reliable way to generate revenue. This shift is reflected in both attacker behavior and RaaS offerings that now include data-theft-only options.

There is also evidence that attackers are shifting toward smaller organizations, which often have weaker security. Some actors have explicitly stated that smaller targets are more effective.


Ecosystem Disruptions and Evolution

In 2025, the ransomware landscape was heavily influenced by:

  • Law enforcement actions
  • Internal disputes and data leaks among threat actors

These disruptions led to arrests, infrastructure seizures, and operational changes. However, groups like Qilin and Akira demonstrated resilience by quickly filling gaps left by disrupted competitors.

At the same time:

  • Some RaaS operations became private or semi-private
  • Actors increased operational security
  • Affiliate vetting became more rigorous

Emerging Technologies

Threat actors are increasingly adopting new technologies:

  • Web3: Used for decentralized infrastructure (e.g., ICP blockchain, Polygon smart contracts)
  • AI: Integrated into negotiation tools and victim analysis
  • Cross-platform ransomware: More families now target both Windows and Linux

Initial Access

The most common entry point in 2025 was vulnerability exploitation, followed by web compromise, stolen credentials, and brute-force attacks.

Frequently targeted systems included:

  • VPNs and firewalls (Fortinet, SonicWall, Palo Alto, Citrix)
  • Other services like SharePoint, SAP NetWeaver, and Backup Exec

There were also indications of zero-day exploitation.

Malvertising and SEO poisoning were widely used to distribute malware, often disguised as legitimate tools like PuTTY or RVTools.

Stolen credentials remained a major access vector, typically used for VPN or RDP access. Brute-force attacks were also observed, sometimes over long periods before success.


Establishing Foothold and Persistence

After gaining access, attackers used:

  • Compromised credentials
  • Tunnelers (e.g., PYSOXY, CHISEL, CLOUDFLARED)
  • Backdoors (e.g., SQUIDGATE, FIREHAWK)
  • Remote management tools (e.g., AnyDesk, ScreenConnect, Splashtop)

Example command used to establish persistence (a schtasks invocation that runs a DLL through rundll32 every 720 minutes as SYSTEM; the leading program name was missing from the command as captured):

schtasks /Create /SC MINUTE /MO 720 /TN Reg /TR "C:\Windows\System32\rundll32.exe C:\windows\system32\config\red.dll Test" /ru system

Privilege Escalation

Attackers relied on:

  • Credential dumping (LSASS, NTDS.dit, SAM)
  • Tools like MIMIKATZ (used in ~18% of cases)
  • Active Directory abuse (e.g., DCSync, AD CS)

They often elevated privileges by adding accounts to admin groups or assigning rights like:

  • SeDebugPrivilege
  • SeBackupPrivilege

Internal Reconnaissance

Attackers used PowerShell and native tools to map environments:

powershell Import-Module ActiveDirectory; Get-ADUser -filter * -properties Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | select Enabled,DisplayName,Mail,SAMAccountName,homephone,ipphone,TelephoneNumber,comment,description,title | export-csv C:\Users\Public\Music\users.csv 
powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties *|select comment, description, Name, DNSHostName, OperatingSystem, LastLogonDate, ipv4address | Export-CSV C:\users\public\music\AllWindows.csv -NoTypeInformation -Encoding UTF8

They also searched for sensitive data like:

  • Financial records
  • HR files
  • Cyber insurance policies

Lateral Movement

Common techniques included:

  • RDP (used in ~85% of intrusions)
  • SMB and SSH
  • Tools like PsExec, WinRM, WMIC

Firewall modifications were frequently used:

cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=No
powershell.exe -Command New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22

Ransomware Deployment

Deployment methods included:

  • Batch scripts
  • Scheduled tasks
  • GPOs
  • PowerShell

Virtual environments were heavily targeted (43% of incidents).

Example command (turns off execInstalledOnly, the ESXi setting that restricts execution to binaries installed from VIBs, so that unsigned encryptor binaries can run on the host):

esxcli system settings advanced set -o /User/execInstalledOnly -i 0
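The defender's counterpart to the command above is to verify that the setting is still at its hardened value. The following Python audit is an added example, not code from this report or from GTIG/Mandiant: it parses the "Key: Value" blocks printed by `esxcli system settings advanced list` and reports options that deviate from an expected hardened value or from the ESXi default. The sample output is constructed, its exact field layout is assumed from that subcommand's usual form, and the expected-value table is an assumption to extend per environment.

```python
"""Audit of ESXi advanced settings against expected hardened values.

Added example for the ESXi command quoted above; not code from the report or
from GTIG/Mandiant. The sample output below is constructed and its field layout
is assumed from `esxcli system settings advanced list`; EXPECTED_SETTINGS is an
assumption to extend per environment."""

# Path -> expected integer value. execInstalledOnly=1 restricts execution to
# binaries from installed VIBs, which the report's command turns off.
EXPECTED_SETTINGS = {
    "/User/execInstalledOnly": 1,
}

# Constructed sample, as if from: esxcli system settings advanced list -o /User/execInstalledOnly
SAMPLE_OUTPUT = """\
   Path: /User/execInstalledOnly
   Type: integer
   Int Value: 0
   Default Int Value: 1
   Min Value: 0
   Max Value: 1
   String Value:
   Default String Value:
   Valid Characters:
   Description: Only allow execution of binaries that were installed from a VIB
"""


def parse_advanced_list(text):
    """Split esxcli's indented 'Key: Value' output into one dict per option."""
    options, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Path" and current:      # a new option block begins
            options.append(current)
            current = {}
        current[key] = value
    if current:
        options.append(current)
    return options


def audit(text, expected=EXPECTED_SETTINGS):
    """Return (path, current, wanted, note) for integer settings that differ from
    the hardened value, or otherwise from the ESXi default (a change to explain)."""
    findings = []
    for opt in parse_advanced_list(text):
        if opt.get("Type") != "integer":
            continue
        path = opt.get("Path")
        current = int(opt["Int Value"])
        default = int(opt["Default Int Value"])
        want = expected.get(path)
        if want is not None and current != want:
            findings.append((path, current, want, "differs from hardened value"))
        elif current != default:
            findings.append((path, current, default, "differs from ESXi default"))
    return findings


if __name__ == "__main__":
    for path, current, wanted, note in audit(SAMPLE_OUTPUT):
        print(f"{path}: is {current}, expected {wanted} ({note})")
```

Run with the full `esxcli system settings advanced list` output (no `-o`) to compare every integer option against its default in one pass; anything that drifted from default on a host that is not supposed to be customized is worth a ticket even when it is not in the hardened table.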

Data Exfiltration

Data theft occurred in 77% of incidents.

Common tools:

  • Rclone (28%)
  • WinRAR / 7-Zip
  • FileZilla / WinSCP

Attackers often exfiltrated data to cloud services like:

  • MEGA
  • OneDrive
  • AWS / Azure
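The Rclone, MEGA and OneDrive findings above translate into two detection angles: the volume of data leaving one host for a consumer or cloud storage provider, and the user agent of the tool doing the uploading. The following Python script is an added example, not code from this report or from GTIG/Mandiant: it aggregates constructed outbound proxy log lines in an assumed layout (timestamp host user destination bytes_out user_agent) and flags bulk uploads and known transfer-tool user agents. The destination suffixes, user-agent fragments and the 500 MiB threshold are assumptions to tune for a given environment.

```python
"""Flagging bulk uploads to cloud storage from outbound proxy logs.

Added example for the exfiltration section of this report; not code from the
report or from GTIG/Mandiant. Log lines are constructed in an assumed layout
(timestamp host user destination bytes_out user_agent); the destination
suffixes, user-agent fragments and threshold are assumptions to tune locally."""
from collections import defaultdict

# Domains behind the services named in the report (illustrative, not a vetted list).
CLOUD_STORAGE_SUFFIXES = ("mega.nz", "mega.co.nz", "onedrive.live.com",
                          "sharepoint.com", "s3.amazonaws.com", "blob.core.windows.net")

# User-agent fragments of the transfer tools the report names; rclone sends
# "rclone/<version>" by default (assumed here, verify against your proxy).
SUSPECT_AGENTS = ("rclone/", "winscp", "filezilla")

# 500 MiB from one host to one storage provider inside the log window.
THRESHOLD_BYTES = 500 * 1024 * 1024

# Constructed sample log (not real traffic).
SAMPLE_LOG = r"""
2025-03-04T01:12:07Z SRV02 CORP\svc_backup userstorage.mega.co.nz 734003200 rclone/v1.65.0
2025-03-04T01:15:22Z SRV02 CORP\svc_backup userstorage.mega.co.nz 512000000 rclone/v1.65.0
2025-03-04T09:03:11Z WS07 CORP\jdoe onedrive.live.com 2400000 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-03-04T09:40:45Z WS07 CORP\jdoe example-bucket.s3.amazonaws.com 1048576 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-03-04T10:02:00Z WS11 CORP\asmith www.example.com 15728640 Mozilla/5.0 (Windows NT 10.0; Win64; x64)
2025-03-04T11:30:19Z WS07 CORP\jdoe storageacct.blob.core.windows.net 9000000000 WinSCP/6.1
"""


def parse_line(line):
    """Split one record; the user agent is the free-text tail after five fields."""
    ts, host, user, dest, bytes_out, agent = line.split(None, 5)
    return {"ts": ts, "host": host, "user": user, "dest": dest.lower(),
            "bytes_out": int(bytes_out), "agent": agent}


def cloud_suffix(dest):
    """Provider suffix a destination host belongs to, or None if not cloud storage."""
    for s in CLOUD_STORAGE_SUFFIXES:
        if dest == s or dest.endswith("." + s):
            return s
    return None


def detect(lines):
    """Return bulk-volume and tool-signature findings over a batch of log lines."""
    volume = defaultdict(int)       # (host, provider) -> bytes uploaded
    tools = set()                   # (host, provider, user_agent)
    for line in lines:
        if not line.strip():
            continue
        r = parse_line(line)
        provider = cloud_suffix(r["dest"])
        if provider is None:
            continue
        volume[(r["host"], provider)] += r["bytes_out"]
        if any(a in r["agent"].lower() for a in SUSPECT_AGENTS):
            tools.add((r["host"], provider, r["agent"]))
    findings = []
    for (host, provider), total in sorted(volume.items()):
        if total >= THRESHOLD_BYTES:
            findings.append(("bulk_upload", host, provider, total))
    for host, provider, agent in sorted(tools):
        findings.append(("exfil_tool_agent", host, provider, agent))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(*finding)
```

In production the volume sum should be bucketed by time window and compared against each host's own baseline rather than a fixed number, and a hit on the user-agent rule is best joined with process telemetry so the responder sees which binary on the host opened the connection.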

Defense Evasion

Attackers disabled security tools, especially Windows Defender:

cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f 
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1"
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
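The commands quoted in the persistence, internal reconnaissance, lateral movement and defense evasion sections share one useful property for defenders: each leaves a distinctive process command line. The following Python script is an added example, not code from this report or from GTIG/Mandiant. It runs four command-line rules over constructed process-creation events that mirror the schtasks/rundll32 task, the Get-AD* exports to C:\Users\Public, the netsh/New-NetFirewallRule changes and the reg add writes under the Windows Defender policy key, with benign activity mixed in to show what the rules ignore. The event shape and the rule set are assumptions meant as an analyst's starting point, not a published detection.

```python
"""Triage of process-creation command lines for the TTPs quoted in this report.

Added example, not code from the report or from GTIG/Mandiant. The events are
constructed to mirror the persistence, reconnaissance, firewall and Defender
policy commands quoted above (plus benign activity), and the four rules are an
assumed starting point for an analyst, not a published detection."""
import ntpath
import re
from typing import NamedTuple


class ProcEvent(NamedTuple):
    host: str
    user: str
    cmdline: str


# Directories from which a scheduled rundll32 DLL would normally load.
SAFE_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

RE_SCHTASKS_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create\b", re.I)
RE_RUNDLL_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?([^"\s,]+\.dll)', re.I)
RE_AD_ENUM = re.compile(r"\bGet-AD(?:User|Computer|Group)\b", re.I)
RE_EXPORT_PUBLIC = re.compile(r'export-csv\s+"?c:\\users\\public\\', re.I)
RE_FIREWALL = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+(?:set|add|delete)\s+rule"
    r"|\b(?:New|Set|Remove)-NetFirewallRule\b", re.I)
RE_DEFENDER_POLICY = re.compile(
    r'\breg(?:\.exe)?\s+add\s+"?HKLM\\Software\\Policies\\Microsoft\\Windows Defender', re.I)


def rule_schtasks_rundll32(e):
    """Task creation whose action runs rundll32 on a DLL outside System32/SysWOW64."""
    if not RE_SCHTASKS_CREATE.search(e.cmdline):
        return None
    m = RE_RUNDLL_DLL.search(e.cmdline)
    if m and ntpath.dirname(m.group(1)).lower() not in SAFE_DLL_DIRS:
        return "persistence.schtasks_rundll32_nonstandard_dll"
    return None


def rule_ad_enum_to_public(e):
    """AD object enumeration whose results are exported under the Public profile."""
    if RE_AD_ENUM.search(e.cmdline) and RE_EXPORT_PUBLIC.search(e.cmdline):
        return "recon.ad_enumeration_export_public"
    return None


def rule_firewall_change(e):
    """Host firewall rules changed from a command line rather than by policy."""
    return "lateral.host_firewall_rule_change" if RE_FIREWALL.search(e.cmdline) else None


def rule_defender_policy_write(e):
    """Direct reg add under the Defender policy key, which Group Policy normally owns."""
    return "evasion.defender_policy_reg_add" if RE_DEFENDER_POLICY.search(e.cmdline) else None


RULES = (rule_schtasks_rundll32, rule_ad_enum_to_public,
         rule_firewall_change, rule_defender_policy_write)


def triage(events):
    """Run every rule over every event; returns (rule, host, user, cmdline) tuples."""
    findings = []
    for e in events:
        for rule in RULES:
            name = rule(e)
            if name:
                findings.append((name, e.host, e.user, e.cmdline))
    return findings


# Constructed events, not real telemetry: the first five mirror the report's commands.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "SYSTEM", r'schtasks /Create /SC MINUTE /MO 720 /TN Reg /TR "C:\Windows\System32\rundll32.exe C:\windows\system32\config\red.dll Test" /ru system'),
    ProcEvent("WS01", r"CORP\jdoe", r"powershell Import-Module ActiveDirectory; Get-ADComputer -Filter {enabled -eq $true} -properties * | select Name, DNSHostName | Export-CSV C:\users\public\music\AllWindows.csv -NoTypeInformation"),
    ProcEvent("SRV02", r"CORP\adm-jdoe", r'cmd.exe /C netsh advfirewall firewall set rule group="remote desktop" new enable=No'),
    ProcEvent("SRV02", r"CORP\adm-jdoe", r"powershell.exe -Command New-NetFirewallRule -Name sshd -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22"),
    ProcEvent("SRV02", "SYSTEM", r'cmd.exe /c reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f'),
    # Benign: a task query, a non-AD export, and a task whose DLL lives in System32 itself.
    ProcEvent("WS03", r"CORP\it-ops", r"schtasks /Query /TN \Microsoft\Windows\Defrag\ScheduledDefrag"),
    ProcEvent("WS03", r"CORP\it-ops", r"powershell Get-Process | Export-Csv C:\Users\Public\procs.csv"),
    ProcEvent("WS03", "SYSTEM", r'schtasks /Create /SC DAILY /TN Cleanup /TR "rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"'),
]

if __name__ == "__main__":
    for rule, host, user, cmd in triage(SAMPLE_EVENTS):
        print(f"{host:6} {user:14} {rule:45} {cmd[:70]}")
```

Three of the five true positives land on the same host within a short window, which is the pattern worth alerting on: any one of these commands has a legitimate administrative use, but a Defender policy write following a host firewall change on the same machine is the sequence this report describes, and scoping should start from that host rather than from the individual rule hits.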


Outlook

Ransomware remains a major global threat, but its economics are changing. Declining profits, stronger defenses, and regulatory pressure are reshaping the landscape.

Going forward, we expect:

  • More data theft–focused attacks
  • Increased targeting of smaller organizations
  • Greater use of aggressive extortion tactics
  • Alternative monetization strategies (e.g., phishing via compromised infrastructure)

Even with these changes, ransomware will likely remain one of the most impactful cyber threats in the near future.