Revolutional

Defending Against a Faster, More Disruptive Ransomware Landscape

Ransomware is getting faster, more adaptive, and more disruptive. Key defenses include patching exposed systems, adopting zero trust architectures, maintaining tested backups, hunting threats, and sharing intelligence.

Cybersecurity visualization of ransomware attack activity

In the ever-evolving landscape of cybersecurity threats, ransomware remains among the most fruitful and lucrative forms of cyberattack. Within the U.S. alone, incident numbers have increased by 149% year-over-year and continue to surge. Globally, estimates suggest damages could reach $57 billion this year, underscoring the growing economic impact of these attacks. From January 2022 to February 2024, 59% of organizations worldwide were impacted by ransomware, a trend that has only intensified.

Current State

Historically, ransomware groups have often adopted their playbooks from more sophisticated threat actors rather than pioneering new tactics. Consequently, their TTPs frequently overlap with those of other attackers. However, in 2025, these groups are refining their methods to accelerate compromises and better evade detection. Initial access often exploits vulnerabilities in edge devices such as Virtual Private Networks (VPNs) and firewalls or, more commonly, uses stolen credentials obtained from dark web markets. After an adversary gains initial access, legitimate tools such as PowerShell and Remote Desktop Protocol (RDP) are used for lateral movement, with average breakout times now down to 48 minutes, and as little as 51 seconds in some extreme cases.

Social engineering has advanced, with techniques like ClickFix, which preys on a user’s desire to resolve their own problems by impersonating IT tools to trick users into executing malicious scripts. Groups such as Interlock have employed this in campaigns, while others use phishing, credential theft, and brute-force attacks on VPNs and RDP. Evasion tactics include bring-your-own-installer (BYOI) for disabling endpoint detection and response (EDR) systems, just-in-time (JIT) hooking, and memory injection to deploy custom payloads stealthily. Qilin, a cybercrime group focused on ransomware, uses automated tooling for privilege escalation and custom .NET loaders like NETXLOADER. Malware-free techniques now comprise 79% of detections. Actors are increasingly using “living-off-the-land” tactics with tools like AnyDesk for persistence and GC2, an open-source tool that allows an attacker to execute commands on target machines through Google Sheets or Microsoft SharePoint. Attackers then use these tools to list and exfiltrate files through Google Drive or Microsoft SharePoint documents, which also serve as the command-and-control (C2) channel. In addition, CrowdStrike has reported that 73 of the 161 vulnerabilities exploited in the first half of 2025 were linked to ransomware installations.

AI Integration

Ransomware attacks surged 70% in the first half of 2025 compared to prior years, with AI cited as a key enabler in many cases. Threat actors have been successfully using AI to significantly improve their social engineering attacks by automating the crafting of more realistic email (phishing), SMS (smishing), and voice phishing (vishing) campaigns. AI is being used to automate full campaigns by building imitation profiles and websites for social engineering, boosting the quantity, effectiveness, and impact of these attacks. AI chatbots are being used for ransomware negotiations, with victims redirected to these chatbots to haggle over payments. Claude, an AI assistant by Anthropic, has been used to generate ransomware variants by assisting in coding advanced features for evasion techniques. One reported technique was Akira’s Rust-based variant incorporating generative AI to mutate payloads in real time to evade endpoint detection. Overall, AI is being integrated into every stage of ransomware attacks, from initial access (phishing/vulnerability scanning) to execution (code generation) and extortion (negotiations/data analysis). By Q3 2025, 80% of attacks involved AI, per MIT Sloan research, with projections of $265B in global damages by 2031.

Increased Extortion

Although paying cyber criminals was never the preferred method of recovering from an attack, for many years a proven trend was that if you did pay, the criminals would return your data, provide working decryption keys, and not publicize or share your data. Those days are long gone. Beyond encryption and data theft, 2025 has seen an increase in the “Third Wave” of extortion, where attackers disrupt business in 86% of cases by wiping backups, launching DDoS attacks, harassing executives, and filing false complaints. Double extortion remains the new standard, with groups like SafePay building on leaked code from prior operations. Geopolitical elements are emerging, as seen with North Korea’s Moonstone Sleet adopting the Russia-based Qilin ransomware tools.

Conclusion

Outlined above is a high-level breakdown of the trends and tactics currently being reported. Listed below is a further breakdown of those reported trends, with solutions that can be implemented or improved within your organization to strengthen your security posture and resilience against these common ransomware TTPs.

Reported Trend: Sophos’ 2025 report identified that 63% of successful attacks stemmed from unpatched systems.

Solution: Proactive vulnerability management. Start by simply patching edge devices like firewalls, VPNs, and other exposed systems.

Reported Trend: Acronis has reported that 85% of organizations with tested, immutable backups were able to avoid paying ransom.

Solution: Follow the 3–2–1 rule for backups: 3 copies, 2 different media, 1 offsite or air-gapped location. Test and restore backups quarterly.

Reported Trend: CISA has reported 40% fewer successful, undetected lateral movements by threat actors in environments that have adopted comprehensive zero trust architectures.

Solution: Adopt Zero Trust architecture: Enforce least-privilege access and multi-factor authentication on ALL systems. Micro-segment critical systems, ICS, and IoT.

Reported Trend: CrowdStrike’s 2025 report credits threat hunting with a 35% reduction in dwell time.

Solution: Conduct persistent threat hunting to identify pre-ransom IoCs. Develop, update, and test incident response plans annually.
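The threat hunting called for above needs concrete detection logic. As an added example (not from the original article or any vendor product), the following replays constructed Windows Security 4624 logon records and flags an account that reaches several distinct hosts over RDP within the 48-minute average breakout window described in the Current State section. The record layout, host names, and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real telemetry) of Windows Security event 4624 records,
# flattened to "timestamp,event_id,logon_type,account,source_ip,target_host".
SAMPLE_EVENTS = """\
2025-06-01T09:00:10,4624,10,svc-backup,10.0.5.23,FS01
2025-06-01T09:03:42,4624,10,svc-backup,10.0.5.23,DC02
2025-06-01T09:07:05,4624,10,svc-backup,10.0.5.23,SQL01
2025-06-01T09:12:30,4624,10,svc-backup,10.0.5.23,HR-APP
2025-06-01T09:15:00,4624,3,svc-backup,10.0.5.23,FS01
2025-06-01T16:40:00,4624,10,jsmith,10.0.8.41,WS-117
2025-06-01T10:00:00,4624,10,admin-t1,10.0.9.9,JUMP01
2025-06-02T10:00:00,4624,10,admin-t1,10.0.9.9,DC02
"""

def parse_events(text):
    """Parse the flattened records into dicts with a datetime timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, eid, ltype, account, src, host = line.split(",")
        events.append({"ts": datetime.fromisoformat(ts), "event_id": int(eid),
                       "logon_type": int(ltype), "account": account,
                       "src": src, "host": host})
    return events

def find_fast_lateral_movement(events, min_hosts=3, window=timedelta(minutes=48)):
    """Flag (account, source_ip) pairs whose RDP logons reach >= min_hosts distinct
    hosts inside a sliding window (default: the 48-minute average breakout time).
    Returns {actor: {"hosts": [...], "elapsed": timedelta}}."""
    by_actor = defaultdict(list)
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 10:  # type 10 = RDP
            by_actor[(e["account"], e["src"])].append(e)
    findings = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            hosts = []
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break  # outside the window; slide the start forward
                if e["host"] not in hosts:
                    hosts.append(e["host"])
                if len(hosts) >= min_hosts:
                    findings[actor] = {"hosts": hosts, "elapsed": e["ts"] - start["ts"]}
                    break
            if actor in findings:
                break  # one finding per actor is enough for triage
    return findings
```

Only svc-backup is flagged: it reaches three hosts in under seven minutes, while the admin account's two hosts are a day apart and the network (type 3) logon is ignored.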

Reported Trend: CISA 2025 statistics showed that organizations that collect threat intelligence and participate in intelligence-sharing networks saw a 25% lower attack rate.

Solution: Join information sharing and threat analysis groups (e.g., CISA’s Joint Cyber Defense Collaborative). Leverage government advisories to stay current with evolving threats and TTPs. Invest in threat intelligence staff and/or platforms.

Reported Trend: The cybersecurity company ESET noted a 50% drop in phishing click rates with AI-assisted training programs.

Solution: Conduct regular AI-generated phishing and vishing training that emulates real threat examples. Implement AI-driven email gateways that detect anomalies and sender behaviors.

To combat these trends, organizations must prioritize and invest in the solutions outlined above. Unfortunately, there is no single solution that covers all attack scenarios, and the criminals will evolve, requiring the solutions to evolve constantly. What works today will not necessarily protect you tomorrow. Continuous defense innovation is essential against AI-driven threats and rapid breakout times. As ransomware evolves, staying informed through reports like those from CISA, FBI, Sophos, Rapid7, and CrowdStrike will be crucial for building resilient strategies.

In conclusion, 2025 has solidified ransomware as a highly adaptable threat, combining technology, opportunism, and business-like efficiency. By understanding these trends and TTPs, defenders can better predict, adapt, and respond to the next wave of attacks.