2025 Threat Landscape Reports Highlight Identity-Based Intrusions and High-Impact Ransomware Losses
Multiple 2025 retrospective threat reports describe identity compromise as the dominant initial access vector, with attackers repeatedly exploiting predictable control gaps such as weak identity security, third-party access paths, and exposed/perimeter systems. Barracuda’s Managed XDR telemetry analysis (spanning trillions of events and hundreds of thousands of alerts) reported that Microsoft 365 anomalous login and “impossible travel” detections were among the most common signals, consistent with credential theft and account takeover activity; it also noted post-compromise behavior including suspicious privilege manipulation (e.g., adding users to high-risk Windows groups). Dataminr’s 2026 Cyber Threat Landscape Report similarly characterized 2025 as a structural shift toward accelerated identity-based intrusions, citing that a significant share of intrusions leveraged valid credentials, alongside growth in infostealer malware and AI-enabled social engineering, and increased exploitation of third-party weaknesses.
The same reporting also emphasizes that while overall ransomware activity may have stabilized in volume, loss severity increased, with “mega-loss” incidents exceeding $100M and in some cases $1B, driven by multi-vector campaigns combining credential theft, data exfiltration, and disruption. Other items in the set are broader commentary rather than incident- or disclosure-driven intelligence: an opinion piece argues that the rapid expansion of AI-driven data center infrastructure raises systemic risk from ransomware, supply-chain compromise, and OT disruption, while a predictions article discusses 2026 security investment themes without tying to a specific campaign. A separate news roundup recaps multiple 2025 events (including third-party/SaaS integration compromises and other vulnerabilities) rather than providing new, single-story reporting, making it only loosely aligned with the identity-and-ransomware trend narrative.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Barracuda telemetry report finds recurring security gaps drove 2025 intrusions
Barracuda's 2025 Managed XDR telemetry report concluded that many successful intrusions in 2025 began with familiar weaknesses such as identity compromise, third-party access, and poorly secured perimeter devices. It reported that supply-chain and third-party access featured in 66% of incidents, ransomware activity rose year over year, and attackers frequently abused legitimate remote access and RMM tools to blend in.
Dataminr report says 2025 marked a structural shift in cyber risk
Dataminr's 2026 Cyber Threat Landscape Report characterized 2025 as a turning point in cyber risk, citing a 225% increase in average monthly threat actor alerts versus 2024, more than 18,000 ransomware alerts, and over 2 million domain impersonation incidents. The report said identity became the primary attack surface, with nearly 30% of intrusions using valid credentials and more systemic multi-vector attacks driving larger losses.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Annual threat reports highlight faster intrusions and expanding cloud-focused attacker activity
CrowdStrike’s 2025 global threat reporting says financially motivated intrusions are accelerating, with **average breakout time** (lateral movement after initial access) dropping to **29 minutes** and the fastest observed breakout time at **27 seconds**; the report also describes attackers increasingly using **social engineering**, **living-off-the-land** techniques, and abuse of **trusted systems** to move across *cloud, identity, enterprise,* and unmanaged device boundaries, alongside a reported **37% year-over-year increase** in cloud-focused attacks and a growing set of tracked adversaries (281 named groups plus additional activity clusters). Check Point Research’s 2025 retrospective similarly emphasizes that many 2025 operations relied on **familiar techniques combined in new ways**, highlighting themes such as early **ToolShell** exploitation assessed as Chinese-nexus activity against North American government targets and **identity-centric** intrusions (including **AiTM** credential theft) against US think-tank researchers. Several other items in the set are not about these annual threat-report findings and instead cover separate topics: Romania’s cyber chief warning that ransomware incidents against critical infrastructure may align with **Russian hybrid objectives**; sector-level reporting that **manufacturing** remains heavily targeted by ransomware due to IT/OT interconnectivity and downtime pressure; and US law-enforcement/FBI reporting on a surge in **ATM jackpotting** losses and related indictments. Additional entries are primarily **generic commentary, newsletters, or professional/educational content** (e.g., quantum-preparedness opinion, Enigma/RSAC history piece, a weekly video briefing, a malware-newsletter link roundup, a recon how-to article, and a governance/career feature page) and do not substantively corroborate the specific annual threat-report story.
Mar 24, 2026
Reports Highlight Identity, Supply-Chain, and Healthcare as Key Cyber Risk Drivers
Recent reporting highlights a shift in enterprise cyber risk toward **external dependencies and identity abuse**. Coverage of the EU’s **NIS2** directive emphasizes that organizations are expected to treat **supply-chain security** as a core governance and architecture issue, reflecting the reality that third parties (e.g., cloud providers, software suppliers, maintenance access, and outsourced services) are frequent intrusion paths rather than risks contained “inside the firewall.” Separately, findings cited from Eye Security’s *State of Incident Response Report 2026* indicate attackers are increasingly **exploiting existing access** rather than “hacking in,” with **identity-based attacks** dominating and **passwords** implicated in the vast majority of such incidents; common initial compromise paths still include phishing, exposed/misconfigured internet-facing systems, social engineering, and software supply-chain attacks. In healthcare, a Trellix threat intelligence report based on **54.7 million detections** from 2025 healthcare environments warns cyber incidents are escalating from IT disruption into a **patient safety** issue due to highly interconnected systems and “cascading” outages. The report identifies **email** as the leading threat vector and the **U.S.** as the primary target, and describes ransomware and extortion activity intensifying, including groups such as **Qilin** (noted for targeting EHR databases), **INC Ransom**, and newer actors like **Sinobi** focusing on biotech; it also reports a sharp rise in **extortion-only** tactics with per-patient ransom demands intended to sidestep corporate insurance dynamics. Across these sources, **phishing** remains a dominant initial access method, with lures increasingly tailored to privileged IT roles (e.g., “AI Transformation” themes).
Mar 21, 2026
2026 Cybersecurity Threat Landscape and Predicted Trends
Multiple 2026 outlook pieces highlight a threat environment shaped by **high breach volume**, accelerating vulnerability disclosure, and adversaries optimizing for speed and stealth. One assessment cites more than **4,100 publicly disclosed breaches** in the prior year and notes a surge to **49,209 CVEs in 2025** (about 135/day), arguing that traditional scanner-first vulnerability management is increasingly misaligned with real attacker behavior because only a small fraction of vulnerabilities are exploited in the wild. The same outlook emphasizes shifting toward exposure-driven prioritization (e.g., *CTEM*) to focus remediation on issues most likely to translate into material risk. Threat intelligence forecasting for 2026 also anticipates **quieter intrusions**, increased **living-off-the-land (LOTL)** tradecraft, and **faster exploitation cycles**, with **ransomware** remaining a primary monetization path and **Ransomware-as-a-Service (RaaS)** ecosystems becoming more competitive and affiliate-friendly. In parallel, a separate “cyber attacks timeline” post functions mainly as a rolling digest of incidents and statistics rather than providing a cohesive 2026 forecast narrative or new technical findings, making it less useful for decision-making compared to the two forward-looking threat landscape/trends analyses.
Mar 21, 2026