Ransomware Tactics and Defenses in 2025
Ransomware remains one of the most significant threats to organizations worldwide, with attackers continuously evolving their tactics to maximize impact and profits. Recent analysis highlights that the most successful ransomware groups leverage automation, customization, and advanced tooling, with groups like Qilin and LockBit 5.0 leading the market by using data leak sites to pressure victims into paying ransoms. The ransomware-as-a-service (RaaS) model has further lowered the barrier to entry for cybercriminals, enabling a wider range of actors to participate in attacks. Double extortion tactics, where data is both encrypted and exfiltrated for additional leverage, are now commonplace, and the underground economy supporting ransomware is thriving, with infostealers playing a critical role in supplying credentials for initial access.
Defending against ransomware requires a multi-layered approach, including the deployment of open-source platforms like Wazuh for detection and response, as well as a focus on securing credentials and monitoring for infostealer activity. The proliferation of infostealers has transformed cybercrime, enabling attackers to bypass multi-factor authentication and facilitate lateral movement within networks. Organizations are urged to improve visibility across assets, implement robust access controls, and stay vigilant against phishing and other common ransomware delivery vectors. The ongoing evolution of ransomware and its supporting ecosystem underscores the need for continuous adaptation of security strategies and technologies.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Some ransomware groups shift to data-theft-only extortion
By November 2025, some groups such as Crimson Collective and Clop were reported to be moving away from deploying ransomware binaries and instead focusing on pure data-theft extortion.
Research finds top RaaS groups rely on automation and advanced tooling
Research reported in November 2025 found the most profitable ransomware-as-a-service groups distinguish themselves through automation, customization, and advanced tooling, with automation present in 80% of analyzed groups and average breakout time reduced to 18 minutes.
Law enforcement disrupts some major infostealer families
Authorities carried out disruption actions against several major infostealer families, though the reporting notes the broader infostealer threat is expected to continue despite those takedowns.
Apple changes Gatekeeper to block a common infostealer bypass
Apple implemented a Gatekeeper change in September 2024 that reduced infections associated with a widely used bypass technique leveraged in macOS infostealer campaigns.
macOS infostealer activity rises with Atomic, Poseidon, and Banshee
A major increase in macOS-targeting infostealers was observed, with families such as Atomic, Poseidon, and Banshee commonly spread through cracked software and malicious advertisements.
Infostealer-as-a-service ecosystem becomes established
Infostealer operations evolved into a service-based criminal market in which developers provide malware, dashboards, and subscriptions while operators exfiltrate and resell stolen credentials, cookies, and tokens.
Zeus banking trojan helps establish early infostealer model
Early banking trojans such as Zeus marked the emergence of malware focused on stealing credentials and financial data, laying groundwork for the modern infostealer ecosystem described in later reporting.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Ransomware Defense Using the Wazuh Open Source Platform
thehackernews.com
Open sourceInside the Playbook of Ransomware's Most Profitable Players
darkreading.com
Open sourceInfostealers have transformed cybercrime – here’s how CISOs can stop them
scworld.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Escalating Ransomware Threats and Defensive Strategies in 2025-2026
Ransomware attacks have surged in frequency and sophistication, with organizations facing a dramatic increase in incidents driven by AI-powered attack chains, double- and multi-extortion tactics, and the proliferation of ransomware-as-a-service. Industry surveys and reports highlight that nearly 78% of companies experienced ransomware attacks in the past year, with attack volumes tripling year-over-year and public disclosures rising sharply. Attackers are increasingly leveraging artificial intelligence to accelerate intrusion, encryption, and extortion, rendering traditional detection methods less effective. The financial impact is severe, with average incident costs exceeding $5 million and a significant portion of victims suffering major disruption or data loss, even when ransoms are paid. Security leaders emphasize the urgent need for comprehensive ransomware playbooks, regular tabletop exercises, and enhanced training to build organizational resilience. Despite the growing threat, many organizations remain underprepared, with 76% struggling to keep pace with AI-assisted attacks and 85% acknowledging the obsolescence of legacy detection tools. Experts recommend a shift from reactive to proactive defense, including robust planning, cloud data protection, and continuous improvement of incident response capabilities to mitigate the evolving ransomware landscape.
Mar 21, 2026
Ransomware Threat Landscape and Ecosystem Evolution in 2025
Ransomware in 2025 has evolved into a highly organized and profit-driven cybercrime ecosystem, with threat actors leveraging Ransomware-as-a-Service (RaaS), initial access brokers, and advanced extortion strategies. Attack volumes have reached record highs, with over 4,700 confirmed incidents through September and a notable increase in targeting of critical infrastructure, healthcare, and manufacturing sectors. The landscape is now fragmented among more than 85 active groups, and while victim disclosures have increased, ransom payments have dropped significantly as organizations improve their resilience and recovery capabilities. Attackers are increasingly using supply-chain compromises, zero-day exploits, and living-off-the-land techniques, making ransomware a persistent and adaptive threat. The underground infrastructure supporting ransomware operations has also matured, with dark web forums like RAMP serving as central hubs for collaboration, recruitment, and intelligence sharing among major ransomware groups such as LockBit, DragonForce, and Medusa. These forums facilitate the rapid dissemination of new ransomware variants and operational tactics, contributing to the ecosystem's agility. Meanwhile, specific ransomware families like HardBit 4.0 continue to innovate, employing sophisticated techniques such as brute-forcing RDP/SMB services and using legacy malware like Neshta as droppers to evade detection and maintain persistence, underscoring the technical advancement and adaptability of modern ransomware campaigns.
Mar 21, 2026
Fragmentation and Evolution of Ransomware Operations in 2025
The ransomware landscape in 2025 experienced a significant transformation, marked by the emergence of numerous short-lived ransomware groups that rapidly executed extortion campaigns before rebranding or dissolving. Rather than relying on technical innovation, these groups focused on optimizing access through identity compromise, cloud misconfiguration, and exploiting governance gaps. Notable new families such as RansomHub, Arkana, CrazyHunter, and NightSpire appeared, often sharing infrastructure and access brokers. The proliferation of these groups led to a 20% increase in publicly listed victims compared to the previous year, with attackers increasingly leveraging weekends and holidays to maximize impact while defenders were less vigilant. Payment rates for ransomware dropped to historic lows, prompting some groups to target larger enterprises for higher payouts, while others, like Akira, focused on mid-market organizations with smaller demands. Ransomware tactics continued to evolve, with attackers adapting their procedures and expanding their use of advanced techniques, including AI-driven capabilities and targeting SaaS platforms. The operational focus shifted from malware sophistication to exploiting weaknesses in identity and cloud security. Security teams observed that attackers frequently made mistakes and adjusted their tactics in real time, as evidenced by endpoint telemetry and event logs. The overall trend in 2025 was a chaotic, fragmented threat environment where the barriers to entry for new ransomware groups were minimal, and the success of extortion operations depended more on access and agility than on technical prowess.
Mar 21, 2026