Ransomware in 2025: RaaS Groups Expanding Activity, Capabilities

LockBit accounted for 22.2% of all detected ransomware attacks in 2023, maintaining its position as the most prolific ransomware operation worldwide. In Q2 2025, ransomware activity surged to one successful attack every 87 minutes, with manufacturing (26% of incidents) remaining the top target sector. Healthcare and biopharma are also heavily targeted—healthcare alone suffered 95 ransomware attacks in Q2, averaging one breach every 22 hours.

How are RaaS groups evolving?

LockBit and other ransomware-as-a-service (RaaS) groups such as Cl0p, RansomHub, and Akira are expanding capabilities and rapidly exploiting zero-day vulnerabilities in widely used software and third-party tools. For example, Cl0p’s exploitation of a file-transfer platform this year compromised dozens of organizations. Double extortion remains the dominant tactic, combining data encryption with theft for additional leverage.

Threat actors are also pivoting toward credential theft and covert access. Infostealer malware delivered via phishing increased 84% year-over-year, enabling attackers to log in with stolen credentials rather than deploying noisy malware. Nearly 30% of intrusions in 2024 involved the use of valid accounts, highlighting the rise of stealthy, identity-based attacks. Generative AI now produces highly convincing phishing lures and deepfake content, making social engineering effective at scale. Meanwhile, 25% of breaches still begin with the exploitation of unpatched public-facing applications.

Nation-state campaigns remain active—such as “LilacSquid,” which targeted pharmaceutical firms to exfiltrate research data—demonstrating that industrial espionage continues alongside financially motivated cybercrime.

What can CISOs do to defend against these attacks?

CISOs should enforce rigorous patch management, network segmentation, immutable backups, and continuous user awareness training. They must also operationalize incident response by maintaining crisis playbooks and regularly testing them through realistic tabletop exercises. Proactive measures such as full-scope penetration testing, red-team operations, and MSSP-backed 24/7 monitoring can significantly improve resilience. Organizations that align the right tools, skilled personnel, and well-rehearsed processes will be best positioned to defend against today’s rapidly evolving threat landscape.

Sources

CyberMaxx Q2 2025 Ransomware Report

IBM X-Force Threat Intelligence Index 2025

CybelAngel

Optiv

HHS/HC3 & H-ISAC Reports

The Hacker News (LilacSquid)

Cyber Management Alliance

Published By: Daniel Parker, VP of Ethical Hacking, NetWorks Group

Publish Date: August 21, 2025
