Ransomware Groups’ Changing Strategies Spur 44% More Ransom Demands


ExtraHop, the network detection and response (NDR) company, has published its 2025 Global Threat Landscape Report, which finds that ransomware groups are running fewer attacks than last year but are taking a more targeted approach, using stealthier tactics to extract larger payouts.

Ransomware groups are conducting more targeted, sophisticated attacks and spending more time inside victims’ systems, moving undetected to achieve a deep compromise before deploying their file-encrypting payloads. Attacks are designed to cause the greatest possible damage and downtime, which raises the odds that a higher ransom will be paid. ExtraHop reports that the average ransom demand rose from $2.5 million to $3.6 million in a year, with healthcare organizations, especially HIPAA-covered entities, and government bodies receiving higher demands. About 70% of attacked organizations end up paying the ransom.

ExtraHop observed an average of 8 incidents per company in 2024, compared with 5-6 this year. Ransomware actors typically have access to a victim’s systems for about two weeks before launching the encryption stage, and they use that dwell time to exfiltrate sensitive data. Victims usually take more than two weeks to act on a security alert and contain an attack. Attacks cause an average of about 37 hours of downtime.

Only 17% of attacks are discovered during the reconnaissance stage. 29% are discovered during initial access, and 30% later in the attack: 12% during data exfiltration, 13% during encryption, and 5% only on receipt of the ransom note. Although attacks have become more sophisticated and harder to identify with traditional security tools, the initial access vectors have largely stayed the same. The most frequently used infiltration tactics are:

  • Phishing/social engineering – 33.7% of attacks
  • Software vulnerability exploitation – 19.4% of attacks
  • Supply chain compromises – 13.4% of attacks
  • Software misconfiguration exploitation – 13% of attacks

ExtraHop also noted a marked rise in the use of compromised credentials for initial access. In 12.2% of attacks, compromised credentials let attackers gain access to the network, move laterally, and remain undetected for longer periods, frequently escalating privileges to reach more sensitive systems.

For defenders, the biggest sources of cybersecurity risk are:

  1. Public cloud – 53.8%
  2. Third-party services and integrations – 43.7%
  3. Generative AI tools – 41.87%

The difficulty for many companies is that they face a tangle of obstacles of roughly equal weight. The main problems reported by defenders are:

  1. Limited visibility into the whole environment – 41%
  2. Inadequate staffing or an expertise gap – 35.5%
  3. Poorly integrated tools – 34%
  4. Alert fatigue from the sheer volume of security notifications – 34%
  5. Insufficient or manual SOC workflows – 33%
  6. Inadequate budget and management support – 29%
  7. Organizational structure – 26%

ExtraHop’s first recommendation is to know the full attack surface: understand what is in the environment and where the weaknesses are. Strong perimeter protection remains essential, but internal (east-west) traffic must also be monitored, because attackers are increasingly able to get past the perimeter. With effective monitoring, organizations can recognize and stop attacks before privilege escalation, data exfiltration, and file encryption. It is important to know what threat actors are doing today, but it is equally necessary to keep up with changing tactics and prepare for what may come next, such as attackers adopting emerging technologies.
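To make the internal-monitoring recommendation concrete, here is a small Python detector, added for this page and not taken from the ExtraHop report or any ExtraHop product, that runs two checks over network flow records: an internal host fanning out to many peers on SMB/RDP/WinRM ports inside a short window (the lateral-movement stage that precedes encryption), and a host pushing far more data to external addresses than its baseline (the exfiltration stage). The flow records, baselines, internal address range, ports and thresholds are all constructed assumptions for the example; real deployments would tune them per environment.

```python
"""Toy flow-based detector for two pre-encryption ransomware stages:
internal fan-out on admin ports (lateral movement) and bulk egress to
external addresses (exfiltration). All data here is constructed."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
LATERAL_PORTS = {445, 3389, 5985}                # SMB, RDP, WinRM (assumed)
FANOUT_WINDOW_S = 600                            # 10-minute window (assumed)
FANOUT_THRESHOLD = 5                             # distinct peers (assumed)
EXFIL_MULTIPLIER = 10                            # x baseline egress (assumed)
DEFAULT_BASELINE = 50_000_000                    # 50 MB/day if no baseline


@dataclass(frozen=True)
class Flow:
    ts: int          # epoch seconds
    src: str
    dst: str
    dport: int
    bytes_out: int   # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return ipaddress.ip_address(ip) in INTERNAL


def detect_lateral_fanout(flows):
    """Alert when one internal host reaches >= FANOUT_THRESHOLD distinct
    internal peers on admin ports within any FANOUT_WINDOW_S window."""
    by_src = defaultdict(list)
    for f in sorted(flows, key=lambda x: x.ts):
        if f.dport in LATERAL_PORTS and is_internal(f.src) and is_internal(f.dst):
            by_src[f.src].append(f)
    alerts = []
    for src, fs in by_src.items():
        start = 0
        for end in range(len(fs)):
            while fs[end].ts - fs[start].ts > FANOUT_WINDOW_S:
                start += 1           # slide the window forward
            peers = {f.dst for f in fs[start:end + 1]}
            if len(peers) >= FANOUT_THRESHOLD:
                alerts.append(("lateral_movement", src, fs[end].ts, len(peers)))
                break                # one alert per host is enough
    return alerts


def detect_exfil(flows, baseline_daily_bytes):
    """Alert when a host's egress to external addresses exceeds
    EXFIL_MULTIPLIER times its baseline daily egress."""
    egress = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            egress[f.src] += f.bytes_out
    alerts = []
    for src, total in egress.items():
        base = baseline_daily_bytes.get(src, DEFAULT_BASELINE)
        if total > EXFIL_MULTIPLIER * base:
            alerts.append(("exfiltration", src, total, base))
    return alerts


def _sample_flows():
    """Constructed sample telemetry, not real captures."""
    flows = []
    # 10.0.1.20: SMB to eight distinct internal hosts in under four minutes
    for i in range(8):
        flows.append(Flow(1000 + 30 * i, "10.0.1.20", f"10.0.2.{i + 1}", 445, 4_096))
    # ...then about 2 GB pushed to an external address over HTTPS
    for i in range(4):
        flows.append(Flow(2000 + 60 * i, "10.0.1.20", "203.0.113.7", 443, 500_000_000))
    # 10.0.1.30: ordinary user touching two file servers plus modest web traffic
    flows += [
        Flow(1100, "10.0.1.30", "10.0.5.1", 445, 8_192),
        Flow(1200, "10.0.1.30", "10.0.5.2", 445, 8_192),
        Flow(1300, "10.0.1.30", "10.0.5.1", 445, 8_192),
        Flow(1400, "10.0.1.30", "198.51.100.5", 443, 30_000_000),
    ]
    return flows


SAMPLE_FLOWS = _sample_flows()
BASELINES = {"10.0.1.20": 40_000_000, "10.0.1.30": 50_000_000}  # assumed


def run(flows=SAMPLE_FLOWS, baselines=BASELINES):
    """Return alerts from both detectors; each tuple starts (stage, host)."""
    return detect_lateral_fanout(flows) + detect_exfil(flows, baselines)


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

On the constructed data the fan-out check fires for 10.0.1.20 at the fifth distinct SMB peer, well before the host's 2 GB egress trips the exfiltration check, which is the point of watching east-west traffic: the earlier alert buys time to isolate the host before encryption. The ordinary workstation 10.0.1.30 produces no alerts from either check.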

James Keogh

James Keogh has been writing about the healthcare sector in the United States for several years and is currently the editor of HIPAAnswers. He has a particular interest in HIPAA and the intersection of healthcare privacy and information technology. He has developed specialized knowledge in HIPAA-related issues, including compliance, patient privacy, and data breaches. You can follow James on Twitter https://x.com/JamesKeoghHIPAA and contact James on LinkedIn https://www.linkedin.com/in/james-keogh-89023681 or email directly at [email protected]