Ransomware Trends in 2025 - Blending in is the Strategy

In short: ransomware intrusions are now stealthy and deliberately resemble normal user activity.
Ransomware tactics are evolving, blending in with normal user activity. Key sectors like manufacturing are at risk. Organizations must adapt their defenses to combat these sophisticated threats.
What Happened
Ransomware attacks have evolved significantly, moving away from brute-force methods toward more sophisticated tactics. According to the Talos 2025 Year in Review, attackers now often gain access through seemingly legitimate means, with 40% of breaches initiated via phishing. Once inside, they mimic ordinary user behavior, relying on RDP, PowerShell, and PsExec, tools that are already in routine use in most organizations. Because this activity blends in with normal operations, it is hard for defenders to detect.
The report highlights a shift in how ransomware actors operate. Instead of overtly breaking in, they strategically position themselves within networks, making it harder to distinguish between legitimate and malicious actions. This change in tactics emphasizes the need for robust asset management and continuous monitoring to identify anomalies in network behavior.
Who's Being Targeted
The manufacturing sector remains the most targeted by ransomware groups, primarily due to its complex environments that are difficult to monitor. Following closely is the professional, scientific, and technical services sector, which also faces significant risks as access often spans multiple systems. These sectors are particularly vulnerable because they have limited tolerance for disruptions, making them attractive targets for ransomware actors.
As ransomware tactics evolve, organizations must be vigilant in protecting their infrastructure. The report indicates that valid accounts are crucial at every stage of a ransomware attack, from initial access to execution. This underscores the importance of identity protection in cybersecurity strategies.
Most Prolific Ransomware Groups
The landscape of ransomware-as-a-service (RaaS) has seen notable changes. Qilin has emerged as the most notorious group, employing a double-extortion strategy that combines data encryption with threats to leak sensitive information. Qilin targeted over 40 victims monthly in 2025, highlighting its persistent threat.
Other groups like Akira and Play have also gained traction, adapting their tactics and absorbing affiliates from defunct groups like LockBit. Interestingly, LockBit, which was previously a leading group, has fallen to 35th place due to sustained law enforcement pressure. This shift indicates that while some groups may decline, others are stepping up to fill the void.
Defender Recommendations
To combat these evolving threats, organizations must strengthen their defenses. Here are some key recommendations:
- Enhance identity protections: Focus on training against phishing and social engineering, as attackers often target individuals rather than infrastructure.
- Monitor administrative tools: Keep an eye on the use of RDP, PowerShell, and PsExec for any unusual activity that could indicate lateral movement.
- Reinforce basic security measures: Ensure that backup, endpoint detection and response (EDR), segmentation, logging, and recovery capabilities are robust.
- Regularly test response readiness: Schedule exercises during months that typically see lower attack activity, such as January, so that testing does not collide with a real incident.
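The second recommendation, monitoring RDP, PowerShell and PsExec for use that does not match normal operations, is the one that most needs a concrete shape. The Python below is an added illustration, not code from the Talos report: it learns which (account, host) pairs normally use each tool from a baseline window of events, flags new uses of those tools that have no baseline or fall outside working hours, and then escalates when one account triggers several different tools on a short timeline, which is the lateral-movement pattern the article describes. The event records are constructed, simplified versions of Windows event log fields (Security 4624 with logon type 10 for RDP, Security 4688 for process creation, System 7045 for the PSEXESVC service PsExec installs); the account names, hostnames, timestamps and the 07:00 to 19:59 working-hours window are assumptions.

```python
"""Baseline-and-anomaly check for built-in admin tool use (RDP, PowerShell, PsExec).

Constructed example. Events are simplified dicts in the shape of Windows event
log fields: Security 4624 with logon_type 10 (RemoteInteractive = RDP),
Security 4688 (process creation), System 7045 (service installed; PsExec
installs a service named PSEXESVC on the target host).
"""
from collections import defaultdict
from datetime import datetime

# Assumption: 07:00-19:59 local time counts as working hours for this organisation.
WORK_HOURS = range(7, 20)

# Hypothetical learning window of known-good admin activity. In practice this
# would come from weeks of logs, not three hand-written records.
BASELINE_EVENTS = [
    {"ts": "2025-03-03T09:12:00", "event_id": 4624, "logon_type": 10,
     "account": "it-admin", "host": "JUMP01"},
    {"ts": "2025-03-04T10:40:00", "event_id": 4688,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "account": "it-admin", "host": "JUMP01"},
    {"ts": "2025-03-05T14:03:00", "event_id": 7045, "service_name": "PSEXESVC",
     "account": "it-admin", "host": "FILE01"},
]

# Constructed events to evaluate against that baseline.
NEW_EVENTS = [
    # Normal: same admin, same host, working hours.
    {"ts": "2025-06-10T11:05:00", "event_id": 4624, "logon_type": 10,
     "account": "it-admin", "host": "JUMP01"},
    # A valid but unexpected account opens RDP at 02:14 to a host it never used.
    {"ts": "2025-06-10T02:14:00", "event_id": 4624, "logon_type": 10,
     "account": "j.doe", "host": "FILE01"},
    # PSEXESVC appears on that host under the same account two minutes later.
    {"ts": "2025-06-10T02:16:00", "event_id": 7045, "service_name": "PSEXESVC",
     "account": "j.doe", "host": "FILE01"},
    # PowerShell starts on the same host under the same account.
    {"ts": "2025-06-10T02:17:00", "event_id": 4688,
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "account": "j.doe", "host": "FILE01"},
    # Unrelated office application: not an admin tool, must not be flagged.
    {"ts": "2025-06-10T09:00:00", "event_id": 4688,
     "process": r"C:\Program Files\Office\winword.exe",
     "account": "j.doe", "host": "WS042"},
]


def classify_tool(event):
    """Map an event to the admin tool it represents, or None if not of interest."""
    eid = event["event_id"]
    if eid == 4624 and event.get("logon_type") == 10:
        return "RDP"
    if eid == 7045 and event.get("service_name", "").upper() == "PSEXESVC":
        return "PsExec"
    if eid == 4688 and event.get("process", "").lower().endswith("powershell.exe"):
        return "PowerShell"
    return None


def build_baseline(events):
    """Return {tool: set of (account, host)} pairs seen in the learning window."""
    baseline = defaultdict(set)
    for ev in events:
        tool = classify_tool(ev)
        if tool:
            baseline[tool].add((ev["account"], ev["host"]))
    return baseline


def score_event(event, baseline):
    """Return the list of reasons an event looks anomalous (empty = normal)."""
    tool = classify_tool(event)
    if tool is None:
        return []
    reasons = []
    pair = (event["account"], event["host"])
    if pair not in baseline.get(tool, set()):
        reasons.append(f"{tool} by {pair[0]} on {pair[1]} has no baseline")
    if datetime.fromisoformat(event["ts"]).hour not in WORK_HOURS:
        reasons.append(f"{tool} at {event['ts'][11:16]} is outside working hours")
    return reasons


def find_anomalies(new_events, baseline_events):
    """Score every new event; keep only those with at least one reason."""
    baseline = build_baseline(baseline_events)
    anomalies = []
    for ev in new_events:
        reasons = score_event(ev, baseline)
        if reasons:
            anomalies.append({"ts": ev["ts"], "account": ev["account"],
                              "host": ev["host"], "tool": classify_tool(ev),
                              "reasons": reasons})
    return anomalies


def escalate_chains(anomalies, window_minutes=30):
    """One account using two or more different admin tools within the window is
    the RDP -> PsExec -> PowerShell movement pattern worth paging on."""
    by_account = defaultdict(list)
    for a in anomalies:
        by_account[a["account"]].append(a)
    chains = []
    for account, items in by_account.items():
        items.sort(key=lambda a: a["ts"])
        span = (datetime.fromisoformat(items[-1]["ts"])
                - datetime.fromisoformat(items[0]["ts"])).total_seconds()
        tools = {a["tool"] for a in items}
        if len(tools) >= 2 and span <= window_minutes * 60:
            chains.append({"account": account, "tools": sorted(tools),
                           "hosts": sorted({a["host"] for a in items})})
    return chains


if __name__ == "__main__":
    found = find_anomalies(NEW_EVENTS, BASELINE_EVENTS)
    for a in found:
        print(a["ts"], a["account"], a["host"], a["tool"], "|", "; ".join(a["reasons"]))
    for chain in escalate_chains(found):
        print("ESCALATE:", chain)
```

The single-event checks produce noise on their own (an admin logging in from a new workstation trips the baseline rule), so the chain rule is what turns them into a page-worthy alert: three different tools from one account on one host inside a few minutes is what lateral movement looks like in the report's description, while a lone off-hours RDP logon is a ticket, not a wake-up call.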
By implementing these strategies, organizations can better prepare for the evolving ransomware landscape and protect themselves against potential attacks.