{"id":2103,"date":"2025-02-27T06:00:00","date_gmt":"2025-02-27T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=2103"},"modified":"2025-02-27T06:00:00","modified_gmt":"2025-02-27T06:00:00","slug":"5-things-to-know-about-ransomware-threats-in-2025","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=2103","title":{"rendered":"5 things to know about ransomware threats in 2025"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Ransomware attacks continue to be one of the most significant cybersecurity threats organizations and cybersecurity leaders face. Attacks lead to wide-scale disruptions, large data breaches, huge payouts and millions of dollars in costs to businesses.<\/p>\n<p>In response, large, coordinated <a href=\"https:\/\/www.csoonline.com\/article\/575329\/law-enforcement-crackdowns-and-new-techniques-are-forcing-cybercriminals-to-pivot.html\">law enforcement operations have targeted major ransomware groups<\/a> and disrupted operations, dismantled data leak sites and seen the release of decryption keys.<\/p>\n<p>However, the volume of attacks has risen, the number of reported victims continues to grow and like a hydra that sprouts new heads, the ransomware ecosystem has been reformed and continues operating, although some of the tactics are changing.<\/p>\n<p>Here are five key insights CISOs need to know in 2025.<\/p>\n<h2 class=\"wp-block-heading\">1. Too much focus on generative AI risks underestimating known threats<\/h2>\n<p>Generative AI tools such as ChatGPT continue to cause a stir in organizations and raise a host of security concerns. 
However, some incident data and threat analysis suggest security leaders need to remain vigilant about the evolution of traditional ransomware tactics.<\/p>\n<p><a href=\"https:\/\/www.verizon.com\/business\/resources\/reports\/dbir\/\">Verizon\u2019s 2024 Data Breach report<\/a> found the volume of search terms using the word GenAI along with ransomware, malware and vulnerability in criminal forums has not moved much in the previous two years. While generative AI can amplify existing threats, it may not have moved the needle on ransomware attacks because relatively simple threat vectors such as social engineering and phishing remain effective, the report notes.<\/p>\n<p>Naturally, generative AI threats exist; however, the focus on new technologies risks overshadowing the importance of cybersecurity hygiene practices, especially in resource-constrained sectors like public healthcare, says Aaron Bugal, Sophos field CTO, APJ. \u201cIt can come at the expense of addressing more fundamental cybersecurity basics, which contribute to ransomware vulnerabilities.\u201d<\/p>\n<p>Ransomware attack data in the <a href=\"https:\/\/www.sophos.com\/en-us\/content\/state-of-ransomware\">Sophos State of Ransomware 2024 report<\/a> shows that vulnerability management, compromised credentials, malicious email, and phishing are the most common starting points. It\u2019s these risk factors that need to be managed through routine processes. \u201cA lot of the attacks we\u2019re seeing today, attackers are getting in using deficiencies in what constitutes a poorly managed or mismanaged environment and it\u2019s just giving them the green light,\u201d Bugal tells CSO.<\/p>\n<p>Not protecting credentials, lack of multi-factor authentication, not patching well-known vulnerabilities, not keeping up with aging devices and user accounts, and overlooked configurations can get put off or forgotten about if too much focus is turned to generative AI. 
\u201cSome things can be trivial to discover and mitigate, but if they\u2019re overlooked by organizations, it leaves them vulnerable to attacks,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">2. Mid-size organizations are highly vulnerable<\/h2>\n<p>Industry data shows mid-size organizations remain highly vulnerable to ransomware attacks. \u201cCISOs need to be aware that ransomware is no longer just targeting large companies, but now even mid-sized organizations are at risk. This awareness is crucial,\u201d says Christiaan Beek, senior director, threat analytics, at Rapid7.<\/p>\n<p>Companies with annual revenue around $5 million are falling victim to ransomware twice as often as those in the $30-50 million range and five times more frequently than those with a $100 million revenue, according to <a href=\"https:\/\/www.rapid7.com\/research\/report\/ransomware-radar-report\/\">Rapid7\u2019s 2024 ransomware report<\/a>.<\/p>\n<p>In 2025, the threat remains, and with many mid-sized organizations lacking a dedicated CISO, they\u2019re more vulnerable to ransomware disruption, according to Beek. Larger organizations stand better prepared because they have a central, senior person and resources to go with it. \u201cCISOs often have larger security teams and better tools to defend against attacks,\u201d he says.<\/p>\n<p>Cyber criminals are going after these companies believing they\u2019re large enough to hold valuable data but lack the protection of larger organizations. Meanwhile, larger organizations need to consider that supply chains and third-party partners that include smaller, mid-size outfits without a dedicated security leader can increase their exposure to risk.<\/p>\n<p>In the case of an attack, mid-market organizations may lack the visibility of data leaks and the forensic tools of more mature enterprises to effectively validate ransomware claims, according to Ashwin Ram, cyber security evangelist for Check Point. 
\u201cMany of these organizations haven\u2019t fully embraced external attack surface management and dark web monitoring to the same extent as the more advanced organizations.\u201d<\/p>\n<p>Beek recommends CISOs conduct ransomware <a href=\"https:\/\/www.csoonline.com\/article\/2132289\/breach-and-attack-simulation-tools.html\">attack simulation<\/a> exercises at least twice a year to thoroughly assess all aspects of their incident response preparedness. \u201cIt helps identify gaps and ensure they\u2019re ready to respond effectively,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">3. Data exfiltration attacks require a critical shift in security priorities<\/h2>\n<p>In recent years, ransomware attackers have shifted away from encryption-based extortion to data exfiltration and double, triple and even quadruple extortion, which targets the organization and individuals and adds distributed denial-of-service (DDoS) attacks, according to Check Point\u2019s Ram.<\/p>\n<p>According to <a href=\"https:\/\/www.coveware.com\/blog\/2025\/1\/31\/q4-report\">data from Coveware<\/a>, 87% of observed cases in the last quarter of 2024 involved exfiltration, which either leads into an encryption-based attack or is the primary objective of the attack.<\/p>\n<p>\u201cThreat actors are exfiltrating sensitive data and using the threat of public exposure to force victims into paying ransoms and it\u2019s most effective in the healthcare sector with medical records and the finance sector, where PII could facilitate financial scams and identity fraud,\u201d says Ram.<\/p>\n<p>It\u2019s changing the ransomware ecosystem. 
Many established cyber-criminal groups such as BianLian and Meow have adopted exfiltration techniques while new entrants such as Bashe have sprung up offering \u201cdata selling platforms\u201d, according to <a href=\"https:\/\/engage.checkpoint.com\/security-report-2025?gad_source=1\">Check Point\u2019s 2025 State of Cyber Security report<\/a>.<\/p>\n<p>There are numerous reasons for the changing nature of attacks. As organizations have improved their backup and recovery capabilities and law enforcement actions have disrupted attacks, bad actors have shifted their focus to data exfiltration to streamline operations, evade detection, and find other avenues for lucrative attacks, the report noted.<\/p>\n<p>However, without the obvious signs of data being locked up, security practitioners face the challenge of quickly determining if organizational data has been stolen and verifying any claims. In some cases, bad actors may claim a data breach by recycling information already available. \u201cAttackers might get hold of some accounts, but they don\u2019t have the entire organization\u2019s credentials or they have one or two customer databases or certain customers in particular,\u201d Ram tells CSO.<\/p>\n<p>Ram recommends CISOs review and strengthen their organization\u2019s defenses around data protection, monitoring, and rapid threat detection. This requires a multi-layered approach and above all else, the organization\u2019s \u201ccrown jewels\u201d or most critical data assets need the highest priority. \u201cCISOs are going to have to rewrite some of their playbooks for incident response, where that validation piece is going to play a key part,\u201d he says.<\/p>\n<h2 class=\"wp-block-heading\">4. 
Heightened risks for critical infrastructure<\/h2>\n<p>Attacks on critical infrastructure are on the rise, with energy, utilities and power infrastructure facing escalating threats and public healthcare organizations impacted in large numbers.<\/p>\n<p>In public healthcare, resources are usually stretched, while in others, such as manufacturing, utilities and power infrastructure, digital transformation is bringing operating systems online, creating new vulnerabilities.<\/p>\n<p>There is a raft of complicating factors, such as patches not being available for legacy and end-of-life technologies. \u201cIf an attacker finds a way into those industries that were traditionally offline, it presents much more of a problem,\u201d says Sophos\u2019 Bugal. Many organizations in the energy and utilities market tend to have older software and technologies that are more prone to security gaps. \u201cIt provides opportunities for attackers to gain access and then move laterally within environments, ultimately leading to ransomware incidents,\u201d Bugal tells CSO.<\/p>\n<p>Complicating matters, as organizations grow, their IT infrastructure increases in both size and complexity, and this can result in attacks, particularly those that start with an unpatched vulnerability. It\u2019s harder for IT teams to have full visibility of all their exposures and to patch before they are exploited, according to the Sophos report.<\/p>\n<p>Attacks on critical infrastructure are expected to continue into 2025, according to the Arctic Wolf Labs 2025 predictions report. It also warns that while these ransomware attacks may follow the typical playbook, they can hide intrusions from hostile nation-states, potentially laying the groundwork for future digital conflict. 
\u201cThese incidents may have also been intended to distract from a strategic objective of establishing stealthy persistence within these environments,\u201d the report noted.<\/p>\n<h2 class=\"wp-block-heading\">5. Breakdown of perimeter defences<\/h2>\n<p>As an organization\u2019s digital perimeter expands, the attack surface grows, with edge services and devices increasingly targeted by threat actors as entry points in ransomware attacks. The perimeter now includes IoT devices, cloud applications, VPN gateways, a host of internet-connected devices and other network access tools, making it more challenging to secure access controls and monitor networks.<\/p>\n<p>In 2024, software vulnerabilities within devices from <a href=\"https:\/\/arcticwolf.com\/resources\/blog\/arctic-wolf-observes-threat-campaign-targeting-palo-alto-networks-firewall-devices\/\">Palo Alto Networks<\/a> and <a href=\"https:\/\/fieldeffect.com\/blog\/critical-sonicwall-vulnerability-exploited-by-ransomware-groups\">SonicWall<\/a> were exploited and used to launch ransomware attacks.<\/p>\n<p>Looking ahead, organizations can expect more threats to their attack surface, according to the <a href=\"https:\/\/arcticwolf.com\/resource\/aw\/arctic-wolf-labs-2025-predictions-report\">Arctic Wolf Labs 2025 predictions report<\/a>. Perimeter devices remain vulnerable to the misuse of valid accounts, exploitation of vulnerabilities, gaps in multi-factor authentication (MFA) and weaknesses in identity management practices.<\/p>\n<p>CISOs face increasing pressure to maintain robust patch management processes and strengthen access configurations across the board. At the same time, the expanding digital perimeter brings more exposure to zero-day vulnerabilities. 
The manufacturing industry remains particularly vulnerable, the report noted, accounting for 44% of all cases investigated by the lab.<\/p>\n<p>While advanced security technologies and tools are important, it doesn\u2019t take away from the need to secure the organization\u2019s digital front door, says Beek. Yet it\u2019s an area that still has room for improvement. \u201cWe still see common security lapses, such as weak passwords on security devices or unsecured remote access that can provide an entry point for attackers,\u201d he tells CSO.<\/p>\n<p>In addition, having access to insights about observed attacks helps in understanding the chain of events and the potential risks they may pose in the CISO\u2019s own organization, according to Beek. They can then review their processes and whether there is the right technology and trained people to notice the same kind of attack. \u201cAs a CISO, if you can understand the chain of attack, you can see if there are tripwires in place and visibility of this happening in your own organization,\u201d he says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Ransomware attacks continue to be one of the most significant cybersecurity threats organizations and cybersecurity leaders face. Attacks lead to wide-scale disruptions, large data breaches, huge payouts and millions of dollars in costs to businesses. 
In response, large, coordinated law enforcement operations have targeted major ransomware groups and disrupted operations, dismantled data leak sites and [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":2104,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-2103","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2103"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2103"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/2103\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/2104"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}