Last Year in Ransomware: Threat Trends and Outlook for 2025


In this five-part series, we covered the evolution of attack methodologies, the emergence of Linux variants, how the ransomware ecosystem evolved, and the broader impact from ransomware attacks.
In this final installment, we look at the most significant trends shaping the threat landscape from the rise of decentralized groups to the use of AI in attack planning and delivery. Whether through faster patching cycles, improved endpoint monitoring, or changes to access control, proactive measures remain the strongest strategy.
Evolution of Ransomware Groups
As we enter 2025, the ransomware ecosystem has become increasingly fragmented and volatile. While established groups remain active, the landscape is shifting as affiliates break away and new actors emerge. Attack frequency is expected to rise.
Expected Top Ransomware Groups
Among the established players, Akira, RansomHub, and Cl0p are expected to remain aggressive actors. These groups have demonstrated operational maturity and a growing footprint across sectors, positioning them as leading threats heading into 2025:
Akira, which emerged in March 2023 and for a period focused solely on data extortion, has resumed encrypting victims in addition to exfiltrating their data, reviving its double-extortion model. Akira initially developed a Rust-based ransomware variant to target VMware ESXi servers but has since reverted to C++ for both its Windows and Linux encryptors. The group typically gains initial access by exploiting VPN credentials and employs advanced attack techniques. Akira ransomware uses PowerShell to delete Windows Shadow Volume Copies, preventing restoration of encrypted data. Akira also uses tools like Mimikatz to extract credentials, disables endpoint detection and response (EDR) software, and performs privilege escalation. In March 2025, Akira was observed leveraging an unsecured webcam to launch an attack on a victim network, circumventing EDR.
RansomHub, which quickly gained influence in 2024 following the decline of groups like LockBit and BlackCat/ALPHV, is expected to remain a dominant threat in 2025. Its rise has been fueled by generous affiliate terms, strict operational standards, and a flexible malware toolkit capable of targeting Windows, Linux, and ESXi systems. The group offers affiliates up to 90% of ransom proceeds, a high commission that has attracted experienced operators, including former affiliates from groups like BlackCat/ALPHV. These aggressive recruitment efforts, combined with ongoing development, reflect RansomHub’s clear focus on growth and long-term sustainability in the ransomware landscape.
Cl0p is reestablishing its reputation as one of the most impactful ransomware groups in 2025, following a major resurgence driven by zero-day exploits targeting file transfer software such as Cleo. In February alone, the group was linked to over a third of global ransomware incidents, using vulnerabilities like CVE-2024-50623 and CVE-2024-55956 to steal data without encryption. Its focus on large-scale exfiltration, combined with sporadic but highly disruptive campaigns, reinforces Cl0p’s position as a leading threat amid ongoing challenges in patch management and access control.
Meanwhile, the field remains crowded as established operators continue their activities alongside an emerging wave of new groups. Four of these stand out for their recent activities and unique targeting patterns:
Fog, a ransomware-as-a-service (RaaS) variant derived from the STOP/DJVU family, was originally observed in 2021 targeting small businesses. In recent months, it has escalated to more complex operations, including attacks on financial institutions and critical infrastructure. Fog typically exploits stolen VPN credentials or unpatched software for initial access.
KillSec evolved from its origins as a hacktivist collective. In mid-2024, the group launched a RaaS platform and shifted its focus from website defacements to full-scale ransomware operations. It has since targeted sectors including government, finance, and healthcare, particularly across the United States, Southeast Asia, and the Middle East.
Meow, first identified in 2022, resurfaced in 2024 following a period of dormancy. Using a variant of Conti v2 ransomware, the group has sharpened its focus on U.S.-based targets, particularly medical research facilities and healthcare organizations.
Unaffiliated Actors
Ransomware operations are becoming increasingly decentralized, with a growing number of former affiliates choosing to operate independently rather than remain tied to established groups. This shift is being driven by several factors, including increased law enforcement coordination, successful takedowns of major ransomware infrastructure, and a broader push by actors to avoid attribution through brand rotation or unbranded campaigns.
This trend is expected to accelerate into 2025. Analysts anticipate a continued rise in unaffiliated or “lone wolf” operators leveraging toolkits, infrastructure, and techniques previously associated with defunct or splintered groups. These actors often reuse malware variants and public ransomware builders, making attribution more difficult and raising the risk of misclassification in incident response efforts.
Despite the structural fragmentation, the technical foundations of most ransomware attacks remain largely unchanged. Initial access continues to rely on remote compromise, phishing emails, and unknown intrusion vectors.
Security teams are expected to shift focus in 2025 from tracking specific threat actors to detecting and disrupting the full range of tactics, techniques, and procedures (TTPs) used across ransomware operations. A capabilities-based defense approach will be essential, prioritizing common vulnerabilities, reinforcing access control mechanisms, and continuously monitoring for behavioral anomalies.
Tactical Shifts and Defense Strategies
As ransomware operators adapt to increasing pressure from law enforcement and improved defenses, their tactics continue to evolve. One of the most notable shifts is the growing frequency of encryption-less attacks, where threat actors skip file encryption altogether and focus solely on data theft and extortion.
This approach means the threat actors don’t need to invest heavily in developing and maintaining a RaaS platform and associated encryption payloads. For example, in November 2024, Hunters International announced plans to cease ransomware operations, citing global law enforcement actions and geopolitical pressures. They indicated a shift towards a short-lived project dubbed "World Leaks," focusing solely on data exfiltration for extortion without delivering an encryption payload.
While groups like Hunters International might be experimenting with straight data extortion like BianLian before them, don’t expect this to become the norm. Encryption is what ultimately gives attackers the upper hand. If your systems are locked up and your business can’t operate, the pressure to pay ramps up fast. It’s much harder for a victim to ignore a ransom demand when their entire infrastructure is down versus when their data is merely at risk of exposure. The pain is immediate, disruptive, and expensive.
Unpatched Applications
Unpatched software continues to provide ransomware actors with reliable access paths. Nearly one-third of ransomware incidents in 2024 were attributed to known but unpatched vulnerabilities. This persistent gap in patching remains one of the lowest-effort, highest-impact strategies available to attackers.
In February 2025, the Cl0p ransomware group exploited two patchable vulnerabilities in Cleo's file transfer software, CVE-2024-50623 and CVE-2024-55956, enabling unauthorized remote code execution. The continued exploitation of recently disclosed vulnerabilities highlights the need for faster and more structured patch management processes across all industries.
VPN as Primary Targets
Virtual Private Network (VPN) appliances are expected to remain a central focus for ransomware operators in 2025. Organizations continue to rely on VPNs for remote access, and attackers are exploiting both newly discovered and legacy flaws to compromise these systems.
This trend has continued into early 2025 with the active exploitation of vulnerabilities like CVE-2025-0282 in Ivanti Connect Secure, which allows for remote code execution. Due to short remediation windows and inconsistent patching practices, these devices will likely remain among the most targeted assets in the coming year.
Web Application Exploits
Public-facing web applications are expected to remain high-risk entry points for ransomware actors in 2025, particularly when vulnerabilities go unpatched or misconfigurations persist. Application-layer exploits are increasingly used to support both phishing campaigns and credential theft.
Cross-site scripting (XSS) vulnerabilities continue to be leveraged by attackers to host malicious content on trusted domains. These exploits enable phishing pages to appear more legitimate, making them highly effective in social engineering campaigns. Employees tricked into clicking these links may be redirected to ransomware payloads or credential harvesting tools without realizing the risk.
Credential harvesting through application exploits is also expected to increase. In February 2025, attackers exploited CVE-2024-24919 in Check Point gateways to capture VPN credentials and move laterally within targeted networks. The vulnerability was widely used by China-linked groups, demonstrating how quickly known flaws can be operationalized by both financially motivated and state-aligned threat actors.
Brute-Force Attacks on Remote Services
Brute-force attacks remain a staple technique for gaining unauthorized access to remote services such as Remote Desktop Protocol (RDP) and Virtual Private Networks (VPN). Despite increased awareness, poor configurations and weak password policies continue to leave these services vulnerable.
While the most dramatic spike in brute-force activity occurred during the early days of remote work in 2020, the method remains widely used in 2025. Attackers rely on automation and careless credential reuse to breach systems, often using previously leaked credentials or pairing brute-force tools with phishing campaigns. With many organizations still exposing RDP ports and lacking multifactor authentication, this vector is likely to remain a consistent feature in ransomware playbooks.
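An added example, not from the original post: a sliding-window detector over constructed Windows logon records that separates a single-account brute-force burst from password spraying across many accounts, and escalates a successful logon that follows a burst from the same source. The log line format, the thresholds and the documentation-range IP addresses are all assumptions made for this example.

```python
"""Added example (not Halcyon code): windowed detection of RDP brute-force and password
spraying over constructed Windows logon records (4625 = failure, 4624 = success).
A source that accumulates many failures inside the window is classified by how many
distinct accounts it tried, and a success from that source after a burst is escalated."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 8        # failures from one source within WINDOW before alerting
SPRAY_MIN_ACCOUNTS = 5    # distinct accounts that mark a burst as spraying, not brute force

def parse(line):
    """Parse the constructed 'ISO-time event_id source_ip account logon_type' format."""
    ts, eid, src, user, ltype = line.split()
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid), "src": src,
            "user": user.lower(), "logon_type": int(ltype)}

def detect(lines):
    """Return alerts as (source_ip, kind, detail). Only RDP logons (type 10) are considered."""
    alerts = []
    fails = defaultdict(list)     # src -> [(ts, account)] failures still inside the window
    bursting = set()              # sources already over the threshold
    for ev in sorted((parse(l) for l in lines), key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:
            continue
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        fails[src] = [(t, u) for t, u in fails[src] if ev["ts"] - t <= WINDOW]
        if ev["eid"] == 4625:
            fails[src].append((ev["ts"], ev["user"]))
            if len(fails[src]) >= FAIL_THRESHOLD and src not in bursting:
                bursting.add(src)
                users = {u for _, u in fails[src]}
                kind = "password_spraying" if len(users) >= SPRAY_MIN_ACCOUNTS else "brute_force"
                alerts.append((src, kind, f"{len(fails[src])} failures across {len(users)} account(s)"))
        elif ev["eid"] == 4624 and src in bursting:
            alerts.append((src, "success_after_burst", f"account {ev['user']} logged on"))
    return alerts

# Constructed sample log: one brute-force source that eventually succeeds, one spraying
# source, one user with two typos before a normal logon, and one non-RDP failure.
SAMPLE_LOG = (
    [f"2025-01-14T02:{m:02d}:00 4625 203.0.113.5 Administrator 10" for m in range(0, 9)]
    + ["2025-01-14T02:09:30 4624 203.0.113.5 Administrator 10"]
    + [f"2025-01-14T02:{m:02d}:15 4625 198.51.100.7 user{m} 10" for m in range(0, 8)]
    + ["2025-01-14T02:01:00 4625 192.0.2.10 jdoe 10", "2025-01-14T02:01:20 4625 192.0.2.10 jdoe 10",
       "2025-01-14T02:01:40 4624 192.0.2.10 jdoe 10", "2025-01-14T02:02:00 4625 192.0.2.10 jdoe 3"]
)

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In production the same logic would read Security event 4625/4624 records from the SIEM rather than a text list, and the thresholds would be tuned per environment.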
SIM Swapping
SIM swapping has become a preferred method for bypassing SMS-based multi-factor authentication. By fraudulently transferring a victim’s phone number to a device under the attacker’s control, attackers can hijack corporate accounts and gain access to sensitive systems.
According to FBI data, SIM-swapping scams resulted in $48 million in losses in 2023, with over 800 cases reported by late 2024. Threat actors often combine SIM swapping with social engineering tactics to escalate privileges and maintain access. In many cases, ransomware operators collaborate with SIM-swapping specialists to help disable recovery channels or steal financial assets, making this technique a critical threat vector in 2025.
Social Engineering Expands with AI Tools
Social engineering continues to be a core tactic in ransomware operations. In 2025, attackers are increasingly using AI-generated voice phishing, or vishing, to impersonate trusted individuals with convincing accuracy. Generative AI tools are being used to replicate local accents, speech patterns, and even emotional tone, enabling more effective impersonation of executives or IT staff.
Beyond voice-based attacks, generative AI is now central to reconnaissance and phishing campaign design. Attackers are using AI to identify vulnerable software, generate tailored phishing lures based on public data, and automate the crafting of persuasive messaging. These enhancements increase the success rate of social engineering while reducing the manual effort required by threat actors.
This automation supports widespread password spraying campaigns and enables attackers to manipulate targets in real time during active engagements. As generative AI grows more readily available, organizations should prepare for an increase in targeted, AI-enhanced social engineering attacks.
Living-off-the-Land Techniques
Living-off-the-Land (LOTL) techniques are now a defining feature of advanced ransomware campaigns. Rather than deploying traditional malware, attackers increasingly rely on legitimate system tools already present in the environment to carry out malicious actions. Utilities like PowerShell, Windows Management Instrumentation (WMI), and common administrative binaries are frequently used to move laterally, escalate privileges, and exfiltrate data without triggering standard security alerts.
In 2025, LOTL techniques are expected to be even more deeply integrated into ransomware workflows. Tools like PsExec, WMI, and living-off-the-land binaries (LOLBins) allow attackers to operate in a fileless manner, reducing their digital footprint and complicating detection. These methods also enable ransomware payloads to be delivered directly from memory, making forensic recovery more difficult.
LOTL campaigns often include credential dumping with tools such as Mimikatz, which attackers use to access administrator accounts and spread ransomware across entire networks. As defenders rely more heavily on built-in system monitoring and behavioral analytics, ransomware groups are expected to adapt LOTL techniques further to evade detection.
Effective defense against LOTL tactics requires a shift toward behavior-based detection, including the use of Endpoint Detection and Response (EDR) tools, strict privilege management, and enhanced system logging. In an environment where attackers increasingly exploit the tools organizations use every day, traditional static defenses are no longer sufficient.
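The behavior-based detection this section recommends, as an added example that is not Halcyon's code: a small Python scanner run over constructed Sysmon-style process-creation records that flags the native-tool patterns the post names, including the PowerShell shadow-copy deletion attributed to Akira earlier in the article. The ProcessEvent fields, the rule names and the sample records are assumptions made for this example.

```python
"""Added example (not Halcyon code): behavior-based detection of the living-off-the-land
activity the post describes, run over constructed Sysmon-style process-creation records.
Covers shadow-copy deletion (vssadmin, wmic, PowerShell WMI), PsExec/WMI remote execution,
Mimikatz credential dumping, and encoded PowerShell spawned by a non-interactive parent."""
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    host: str
    user: str
    parent_image: str   # image that spawned the process
    command_line: str

# (rule name, MITRE ATT&CK technique, case-insensitive pattern over the command line)
RULES = [(name, tid, re.compile(rx, re.I)) for name, tid, rx in [
    ("Shadow copy deletion via vssadmin", "T1490", r"vssadmin(\.exe)?\s+delete\s+shadows"),
    ("Shadow copy deletion via wmic", "T1490", r"wmic(\.exe)?\s+shadowcopy\s+delete"),
    ("Shadow copy deletion via PowerShell WMI", "T1490", r"win32_shadowcopy.*remove-wmiobject"),
    ("Remote execution via PsExec", "T1569.002", r"\bpsexec(64)?(\.exe)?\s"),
    ("Remote process creation via WMI", "T1047", r"wmic(\.exe)?\s+/node:.*process\s+call\s+create"),
    ("Credential dumping with Mimikatz", "T1003.001", r"mimikatz|sekurlsa::"),
]]
ENCODED_PS = re.compile(r"powershell.*\s-(e|ec|enc|encodedcommand)\s", re.I)
USER_SHELLS = ("explorer.exe", "cmd.exe")

def scan_event(ev):
    """Return (rule name, technique) for every pattern the event matches."""
    hits = [(name, tid) for name, tid, rx in RULES if rx.search(ev.command_line)]
    # Encoded PowerShell launched by something other than a user shell (an Office
    # process, a service) is a LOTL signal even when no tool-specific pattern fires.
    if ENCODED_PS.search(ev.command_line) and not ev.parent_image.lower().endswith(USER_SHELLS):
        hits.append(("Encoded PowerShell from non-interactive parent", "T1059.001"))
    return hits

def scan_events(events):
    """Return one alert dict per matched rule, preserving event order."""
    return [{"host": ev.host, "user": ev.user, "rule": name, "technique": tid}
            for ev in events for name, tid in scan_event(ev)]

# Constructed sample records: one benign service start among four LOTL-style commands.
SAMPLE_EVENTS = [
    ProcessEvent("WS07", "CORP\\jdoe", "winword.exe", "powershell.exe -nop -w hidden -enc QQBCAEMA"),
    ProcessEvent("WS07", "CORP\\jdoe", "powershell.exe", "vssadmin.exe Delete Shadows /All /Quiet"),
    ProcessEvent("FS01", "CORP\\svc_backup", "services.exe", "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ProcessEvent("DC01", "CORP\\admin", "cmd.exe", "PsExec64.exe \\\\FS01 -accepteula cmd.exe"),
    ProcessEvent("WS07", "CORP\\jdoe", "cmd.exe",
                 "powershell.exe Get-WmiObject Win32_Shadowcopy | Remove-WmiObject"),
]

if __name__ == "__main__":
    for alert in scan_events(SAMPLE_EVENTS):
        print(alert)
```

Because every rule keys on behavior (what the built-in tool was asked to do and who launched it) rather than on a file hash, renaming or repackaging the binary does not defeat it, which is the point of the shift the section describes.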
AI-Powered Attack Evolution
The integration of artificial intelligence into ransomware operations marks a turning point in the evolution of cybercrime. As 2025 approaches, AI is no longer a theoretical threat vector; it is actively reshaping how ransomware is developed, distributed, and executed. Cybercriminals are leveraging AI to enhance speed, scale, and evasion, enabling more complex and effective attacks with fewer resources.
AI-powered malware and social engineering techniques are becoming standard across ransomware campaigns. Threat actors are using generative AI to create malware variants, craft convincing phishing emails, and identify exploitable vulnerabilities at scale. These capabilities drastically reduce the time and expertise required to launch sophisticated operations. In many cases, AI tools now allow lower-skilled actors to execute attacks that once required advanced technical knowledge.
AI systems capable of planning and executing multi-step attacks are also emerging. These autonomous systems can infiltrate networks, escalate privileges, and deploy ransomware payloads with minimal human oversight. They have shown proficiency in complex tasks like data exfiltration and lateral movement across networks.
This trend has been further amplified by the rise of Ransomware-as-a-Service (RaaS) platforms, which now offer AI-enhanced toolkits to paying customers. These services lower the barrier to entry and increase the volume of threats targeting organizations worldwide.
One significant development in this space is GhostGPT, a jailbroken large language model designed for unrestricted use by malicious actors. Distributed through private channels and cybercrime forums, GhostGPT lacks the safety mechanisms of mainstream AI tools, making it an accessible engine for malware development, phishing lures, and exploit creation.
This tool can generate highly convincing phishing emails, assist in the creation of ransomware payloads, and support the development of customized backdoors and exploits. Its no-logs policy ensures user anonymity, further appealing to ransomware operations seeking to operate without attribution.
To address this shift, organizations must update their security strategies. Traditional filtering and signature-based tools are not enough. Defense now requires behavior-based monitoring, real-time response capabilities, and improved visibility into endpoint activity. Security awareness training must also evolve, helping employees recognize misleading messages and unexpected prompts that may originate from AI-generated campaigns.
Takeaway
The Last Year in Ransomware series has tracked a period of significant change. Over the course of 2024, operators shifted tactics, groups dissolved or reorganized, and unaffiliated actors filled the gaps with fast-moving campaigns. These changes have pushed defenders to focus less on attribution and more on identifying techniques in real time.
One of the clearest takeaways from this series is the importance of timing. Slow patching, limited visibility, and delayed containment continue to provide openings. With more actors using native tools and skipping encryption entirely, the ability to detect and disrupt unusual behavior early has become essential.
Ransomware is evolving, and defenses need to evolve with it. These are not theoretical risks. They are ongoing, visible, and escalating. Meeting them requires focus, consistency, and the ability to act quickly when signals appear.
The trends examined point to a threat environment that is faster, more fragmented, and less predictable. Campaigns are shorter in duration but higher in volume, and the use of generative AI has lowered the barrier to entry. Many of the threats expected in 2025 are already in motion.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.