
Ransomware in 2025: Key Trends and Shifting Tactics

Ransomware remains dominant, but its profitability is declining. Key trends: vulnerability exploitation as the leading initial access vector, a surge in data theft extortion, targeting of virtualization infrastructure, REDBIKE as the most deployed family, shifts in tooling, and law enforcement disruptions.

Casino88 · 2026-05-04 08:38:21 · Cybersecurity

Ransomware remains a top cybersecurity threat, but the landscape is evolving. Attackers are adapting to improved defenses, law enforcement crackdowns, and declining ransom payments. This Q&A explores the latest tactics, techniques, and procedures (TTPs) observed by Mandiant in 2025, including changes in initial access, data theft, virtualization targeting, and the most common ransomware families.

Why is ransomware profitability declining despite its continued prevalence?

Ransomware operations are still widespread, but multiple indicators point to a decrease in overall profitability. Improved cybersecurity practices among organizations, such as better patching and robust backup strategies, have made it harder for attackers to succeed. Additionally, more victims are able to recover from attacks without paying, which has driven down both the percentage of ransoms paid and the average amount. Law enforcement disruptions—like takedowns of LockBit, ALPHV, and Basta—have also destabilized key RaaS groups. Internal conflicts among threat actors have further weakened the ecosystem. However, newer groups like Qilin and Akira have filled the void, leading to record victim counts on data leak sites in 2025.

Source: www.mandiant.com

What is the most common way ransomware attackers gain initial access in 2025?

In about one-third of incidents analyzed by Mandiant in 2025, the initial access vector was confirmed or suspected to be the exploitation of vulnerabilities. VPNs and firewalls are the most targeted devices, as they often present a broad attack surface and may run outdated firmware. Attackers leverage known vulnerabilities—sometimes even zero-days—to bypass perimeter defenses and establish a foothold inside the network. Once inside, they move laterally to deploy ransomware. This highlights the critical importance of patching promptly and hardening network edge devices.

How has data theft changed in ransomware attacks?

Data theft extortion now accompanies most ransomware intrusions. Mandiant observed suspected data theft in 77% of analyzed incidents in 2025, a sharp increase from 57% in 2024. Attackers increasingly steal sensitive information before encrypting systems, then threaten to leak it unless a ransom is paid. This “double extortion” tactic pressures victims even when they have working backups, because restoring systems does not undo the exposure. The rise reflects how ransomware groups have commoditized data exfiltration, often using specialized tools and partnerships in the underground ecosystem.

Why are attackers increasingly targeting virtualization infrastructure?

Virtualization platforms (e.g., VMware, Hyper-V) have become prime targets. In 2025, 43% of ransomware intrusions involved targeting virtualization infrastructure, up from 29% in 2024. By compromising hypervisors, attackers can encrypt entire virtual machine clusters at once, maximizing disruption with minimal effort. Virtualization environments often have weak segmentation or insufficient monitoring, making them attractive. This trend underscores the need for dedicated security controls around hypervisors and for treating them as critical assets.


Which ransomware family was most deployed in 2025, and what does that tell us?

REDBIKE was the most frequently deployed ransomware family, accounting for 30% of analyzed incidents. This indicates a shift away from legacy families like LockBit and ALPHV, which were disrupted by law enforcement. REDBIKE’s rise suggests that new RaaS brands can quickly climb to dominance when established groups falter. The flexibility and low barrier to entry in the RaaS model allow affiliates to switch readily, making the threat landscape highly dynamic.

What older tools are attackers abandoning, and why?

Mandiant noted a continued decline in the use of certain intrusion tools such as BEACON (Cobalt Strike) and MIMIKATZ. This suggests attackers are adopting more customized or stealthier alternatives to evade detection. The use of remote management tools (e.g., AnyDesk, TeamViewer) has plateaued, possibly because defenders have become more adept at spotting them. Instead, threat actors are leveraging living-off-the-land techniques and legitimate cloud services to blend in with normal traffic.

How have law enforcement actions reshaped the ransomware ecosystem?

Law enforcement operations have disrupted major RaaS groups like LockBit, ALPHV, Basta, and RansomHub, causing some to disappear or become severely weakened. However, this created a vacuum filled by other groups. Qilin and Akira are notable examples that successfully absorbed affiliates and infrastructure. As a result, the overall number of victims posted on data leak sites hit a record high in 2025. The ecosystem is resilient: when one group falls, others expand. This highlights the need for continuous monitoring and adaptive defenses.
