
Cybercriminals are adapting their methods to circumvent defenders' increasingly stringent security measures, according to a recent threat report from Arctic Wolf. In ransomware attacks, attackers are increasingly relying on data theft; they are also refining BEC (Business Email Compromise) scams and exploiting known vulnerabilities to infiltrate organizations worldwide.
Arctic Wolf operates one of the largest commercial security operations centers in the world. The report was compiled based on threat, malware, digital forensics, and incident response case data collected by Arctic Wolf across its security operations framework. It provides deep insights into the global cybercrime ecosystem, highlights worldwide threat trends, and offers strategic cybersecurity recommendations for 2025.
New ransomware business model: stealing data instead of encrypting it
Despite increased law enforcement activity, ransomware attacks account for the largest share of recorded incident response (IR) cases at 44%. As companies develop better backup strategies that enable faster recovery, cybercriminals have adapted and now almost always include data exfiltration in their attacks: in 96% of the analyzed ransomware cases, the attackers stole data. The perpetrators can then resell the stolen data or threaten the company with the release of customer or other sensitive business data.
The manufacturing industry and the healthcare sector are particularly vulnerable to this type of attack: their tolerance for downtime is especially low, attacks can cause significant damage, and, in healthcare in particular, sensitive personal data is used as leverage to force payment.
USD 600,000 ransom on average
The average ransom demand is similar to the previous year at USD 600,000 – a lucrative business for cybercriminals. At the same time, the analyses have shown that victim companies can significantly reduce the amounts demanded with the help of professional ransomware negotiators. Companies working with Arctic Wolf, for example, paid on average only 36% of the original amount.
"Ransomware groups have evolved their business model: Even with a sound backup strategy in place, the threat of publishing or reselling stolen customer data puts companies under massive pressure – often with devastating financial and reputational consequences," explains Dr. Sebastian Schmerl, Regional Vice President Security Services EMEA at Arctic Wolf. "This tactic renders traditional backups ineffective as a sole means of protection. Companies must therefore increasingly rely on comprehensive threat detection, zero-trust strategies, and proactive security operations approaches to identify attacks early and prevent data leaks."
Business Email Compromise: Attackers follow the money
Business Email Compromise (BEC) is a type of email phishing scam in which a threat actor attempts to trick members of an organization into transferring funds or disclosing confidential data (e.g., through account compromise or CEO fraud). BEC incidents account for 27% of observed IR cases, remaining the second most common fraud tactic.
This type of cyberfraud targets organizations that exchange money and payment data on a large scale via email: the finance and insurance industry accounted for 26.5% of BEC IR cases, roughly twice as many as the second-ranked industry, legal and government. BEC attacks accounted for more than half (53%) of IR cases in finance and insurance, the only industry where BEC exceeded the number of ransomware incidents.
"Phishing and compromised credentials remain the main causes of BEC attacks. AI enables threat actors to launch increasingly sophisticated, personalized attacks, so awareness training alone is not enough to prevent all incidents – but it does help to quickly identify the multitude of poorly executed attacks. Therefore, companies should not only implement training but also strong access controls. A combination of password management and modern multi-factor authentication, such as biometric methods or physical security keys, is crucial to effectively prevent unauthorized access," explains Dr. Schmerl.
Few vulnerabilities are exploited disproportionately often
Intrusions were the third most common cause of recorded IR cases at 24%, a significant increase compared to the previous year (14.8%). Over 40,000 security vulnerabilities were recorded in 2024, and critical and severe vulnerabilities increased by 134.46%. The financial and insurance sectors (15.3%) and educational and non-profit institutions (15.3%) were particularly affected.
In 76% of intrusion cases, attackers exploited only ten specific vulnerabilities, all of which were already publicly known and for which patches were available. Most of these incidents involved remote access tools and externally accessible systems and services. In some cases, attackers gained access through misconfigurations such as open ports, internal websites exposed to the internet, or administrative accounts vulnerable to brute-force attacks. This clearly demonstrates the importance of proactive patch management.
Patch management is essential
"Many companies hesitate to implement patches, even though vulnerabilities have long been known and updates are available. Often, clear processes are lacking, and there are concerns about potential business interruptions or staffing shortages. But every unpatched system is an open door for attackers – and that's exactly what cybercriminals are counting on," says Dr. Schmerl. "Effective vulnerability management with automated patch processes and continuous monitoring of the attack surface and developments in the threat landscape is therefore essential to minimize the risk of successful attacks. If the internal resources to cover this are lacking, companies can work with security partners like Arctic Wolf, who can support them in improving their security posture over the long term."
More at ArcticWolf.com
About Arctic Wolf
Arctic Wolf is a global leader in security operations, providing the first cloud-native security operations platform to mitigate cyber risk. Based on threat telemetry spanning endpoint, network and cloud sources, the Arctic Wolf® Security Operations Cloud analyzes more than 1.6 trillion security events per week worldwide. It provides company-critical insights into almost all security use cases and optimizes customers' heterogeneous security solutions. The Arctic Wolf platform is used by more than 2,000 customers worldwide. It provides automated threat detection and response, enabling organizations of all sizes to set up world-class security operations at the push of a button.