
Rosalyn Page
Contributing writer

5 things to know about ransomware threats in 2025

Feature
27 Feb 2025 | 9 mins
Data and Information Security | Generative AI | Ransomware

Attackers are shifting tactics, targeting mid-size companies and critical infrastructure sectors, while generative AI risks threaten to overshadow a focus on cyber hygiene.

Credit: Shutterstock / Andrey_Popov

Ransomware attacks continue to be one of the most significant cybersecurity threats organizations and cybersecurity leaders face. Attacks lead to wide-scale disruptions, large data breaches, huge payouts and millions of dollars in costs to businesses.

In response, large, coordinated law enforcement operations have targeted major ransomware groups and disrupted operations, dismantled data leak sites and seen the release of decryption keys.

However, the volume of attacks has risen, the number of reported victims continues to grow, and, like a hydra that sprouts new heads, the ransomware ecosystem has re-formed and continues operating, although some of its tactics are changing.

Here are five key insights CISOs need to know in 2025.

1. Too much focus on generative AI risks underestimating known threats

Generative AI tools such as ChatGPT continue to cause a stir in organizations and raise a host of security concerns. However, some incident data and threat analysis suggest security leaders need to remain vigilant about the evolution of traditional ransomware tactics.

Verizon’s 2024 Data Breach report found that the volume of search terms combining the word GenAI with ransomware, malware and vulnerability on criminal forums had not moved much over the previous two years. While generative AI can amplify existing threats, it may not have moved the needle on ransomware attacks because relatively simple threat vectors such as social engineering and phishing remain effective, the report notes.

Naturally, generative AI threats exist; however, the focus on new technologies risks overshadowing the importance of cybersecurity hygiene practices, especially in resource-constrained sectors like public healthcare, says Aaron Bugal, Sophos field CTO, APJ. “It can come at the expense of addressing more fundamental cybersecurity basics, which contribute to ransomware vulnerabilities.”

Ransomware attack data in the Sophos State of Ransomware 2024 report shows that vulnerability management, compromised credentials, malicious email, and phishing are the most common starting points. It’s these risk factors that need to be managed through routine processes. “A lot of the attacks we’re seeing today, attackers are getting in using deficiencies in what constitutes a poorly managed or mismanaged environment and it’s just giving them the green light,” Bugal tells CSO.

Not protecting credentials, a lack of multi-factor authentication, not patching well-known vulnerabilities, not keeping up with aging devices and user accounts, and overlooked configurations can all be put off or forgotten if too much focus is turned to generative AI. “Some things can be trivial to discover and mitigate, but if they’re overlooked by organizations, it leaves them vulnerable to attacks,” he says.

2. Mid-size organizations are highly vulnerable

Industry data shows mid-size organizations remain highly vulnerable to ransomware attacks. “CISOs need to be aware that ransomware is no longer just targeting large companies, but now even mid-sized organizations are at risk. This awareness is crucial,” says Christiaan Beek, senior director, threat analytics, at Rapid7.

Companies with annual revenue of around $5 million are falling victim to ransomware twice as often as those in the $30-50 million range and five times more frequently than those with $100 million in revenue, according to Rapid7’s 2024 ransomware report.

In 2025, the threat remains, and with many mid-sized organizations lacking a dedicated CISO, they’re more vulnerable to ransomware disruption, according to Beek. Larger organizations stand better prepared because they have a central, senior person and resources to go with it. “CISOs often have larger security teams and better tools to defend against attacks,” he says.

Cyber criminals are going after these companies believing they’re large enough to hold valuable data but lack the protection of larger organizations. Meanwhile, larger organizations need to consider that supply chains and third-party partners that include smaller, mid-size outfits without a dedicated security leader can increase their exposure to risk.

In the case of an attack, mid-market organizations may lack the visibility into data leaks and the forensic tools of more mature enterprises needed to effectively validate ransomware claims, according to Ashwin Ram, cyber security evangelist for Check Point. “Many of these organizations haven’t fully embraced external attack surface management and dark web monitoring to the same extent as the more advanced organizations.”

Beek recommends CISOs conduct ransomware attack simulation exercises at least twice a year to thoroughly assess all aspects of their incident response preparedness. “It helps identify gaps and ensure they’re ready to respond effectively,” he says.

3. Data exfiltration attacks require a critical shift in security priorities

In recent years, ransomware attackers have shifted away from encryption-based extortion to data exfiltration and double, triple and even quadruple extortion, which targets both the organization and individuals and can add distributed denial-of-service (DDoS) attacks, according to Check Point’s Ram.

According to data from Coveware, 87% of observed cases in the last quarter of 2024 involved exfiltration, which either led into an encryption-based attack or was the primary objective of the attack.

“Threat actors are exfiltrating sensitive data and using the threat of public exposure to force victims into paying ransoms and it’s most effective in the healthcare sector with medical records and the finance sector, where PII could facilitate financial scams and identity fraud,” says Ram.

It’s changing the ransomware ecosystem. Many established cyber-criminal groups such as BianLian and Meow have adopted exfiltration techniques, while new entrants such as Bashe have sprung up offering “data selling platforms”, according to Check Point’s 2025 State of Cyber Security report.

There are numerous reasons for the changing nature of attacks. As organizations have improved their backup and recovery capabilities and law enforcement actions have disrupted attacks, bad actors have shifted their focus to data exfiltration to streamline operations, evade detection, and find other avenues for lucrative attacks, the report noted.

However, without the obvious signs of data being locked up, security practitioners face the challenge of quickly determining if organizational data has been stolen and verifying any claims. In some cases, bad actors may claim a data breach by recycling information already available. “Attackers might get hold of some accounts, but they don’t have the entire organization’s credentials or they have one or two customer databases or certain customers in particular,” Ram tells CSO.

Ram recommends CISOs review and strengthen their organization’s defenses around data protection, monitoring, and rapid threat detection. This requires a multi-layered approach and above all else, the organization’s “crown jewels” or most critical data assets need the highest priority. “CISOs are going to have to rewrite some of their playbooks for incident response, where that validation piece is going to play a key part,” he says.

4. Heightened risks for critical infrastructure

Attacks on critical infrastructure are on the rise, with energy, utilities and power infrastructure facing escalating threats and public healthcare organizations impacted in large numbers.

In public healthcare, resources are usually stretched, while in other sectors, such as manufacturing, utilities and power infrastructure, digital transformation is bringing operating systems online, creating new vulnerabilities.

There is a raft of complicating factors, such as patches not being available for legacy and end-of-life technologies. “If an attacker finds a way into those industries that were traditionally offline, it presents much more of a problem,” says Sophos’ Bugal. Many organizations in the energy and utilities market tend to have older software and technologies that are more prone to security gaps. “It provides opportunities for attackers to gain access and then move laterally within environments, ultimately leading to ransomware incidents,” Bugal tells CSO.

Complicating matters, as organizations grow, their IT infrastructure increases in both size and complexity, and this can result in attacks, particularly those that start with an unpatched vulnerability. In the case of an attack, it’s harder for IT teams to have full visibility of all their exposures and to patch before they are exploited, according to the Sophos report.

Attacks on critical infrastructure are expected to continue into 2025, according to Arctic Wolf Labs 2025 predictions report. It also warns that while these ransomware attacks may follow the typical playbook, they can hide intrusions from hostile nation-states, potentially laying the groundwork for future digital conflict. “These incidents may have also been intended to distract from a strategic objective of establishing stealthy persistence within these environments,” the report noted.

5. Breakdown of perimeter defences

As an organization’s digital perimeter expands, the attack surface grows, with edge services and devices increasingly targeted by threat actors as entry points in ransomware attacks. The perimeter now includes IoT devices, cloud applications, VPN gateways, a host of internet connected devices and other network access tools, making it more challenging to secure access controls and monitor networks.

In 2024, software vulnerabilities within devices from Palo Alto Networks and SonicWall were exploited and used to launch ransomware attacks.

Looking ahead, organizations can expect more threats to their attack surface, according to Arctic Wolf Labs’ 2025 predictions report. Perimeter devices remain vulnerable to the misuse of valid accounts, exploitation of vulnerabilities, gaps in multi-factor authentication (MFA) and weaknesses in identity management practices.

CISOs face increasing pressure to maintain robust patch management processes and strengthen access configurations across the board. At the same time, the expanding digital perimeter brings more exposure to zero-day vulnerabilities. The manufacturing industry remains particularly vulnerable, the report noted, accounting for 44% of all cases investigated by the lab.

While advanced security technologies and tools are important, they don’t take away from the need to secure the organization’s digital front door, says Beek. Yet it’s an area that still has room for improvement. “We still see common security lapses, such as weak passwords on security devices or unsecured remote access that can provide an entry point for attackers,” he tells CSO.

In addition, having access to insights about observed attacks helps in understanding the chain of events and the potential risks they may pose in the CISO’s own organization, according to Beek. They can then review their processes and whether there is the right technology and trained people to notice the same kind of attack. “As a CISO, if you can understand the chain of attack, you can see if there are tripwires in place and visibility of this happening in your own organization,” he says.
