Cybersecurity in EMEA: These are the trends


Advanced ransomware, cloud attacks, and AI-based cyber warfare will threaten corporate cybersecurity in 2025. Phishing is the most common method of distributing malicious files. Educational institutions are the most frequently attacked sector worldwide.

Check Point Software Technologies, a pioneer and global leader in cybersecurity solutions, presented key findings from its latest EMEA Threat Intelligence Report at CPX Vienna 2025, the company's annual cybersecurity event. CPX Vienna brings together industry leaders, cybersecurity experts, and policymakers to discuss emerging threats, the impact of AI on cyberwarfare, and the latest security innovations.


The latest findings show that AI-driven cyber warfare, the shift from ransomware to data extortion, and vulnerabilities in cloud and edge infrastructures are the biggest security challenges for organizations in the EMEA region.

The most important cybersecurity insights for EMEA

Companies in the EMEA region were exposed to an average of 1,679 cyberattacks per week over the past six months, slightly below the global average.


The five most frequently attacked industries in EMEA:

  • Education and research (4,247 attacks per week)
  • Communication
  • Military
  • Health services
  • Trade (contrary to the global trend, where energy and water utilities rank fifth)

62 percent of malicious files in the EMEA region were delivered via email in the last 30 days, confirming phishing as the dominant attack vector. FakeUpdates (SocGholish) remains the most widespread malware in EMEA and serves as a downloader for further cyber infections. Infostealer malware attacks increased by 58 percent, facilitating credential theft and allowing cybercriminals to sell access to corporate systems.

The most important cybersecurity trends in EMEA

AI-driven cyber warfare and disinformation

Cyberattacks are increasingly shifting from direct disruption of infrastructure to influence operations, disinformation campaigns, and AI-enabled cyber warfare. Nation-state actors are using AI tools to manipulate information, spread disinformation, and conduct sophisticated cyberattacks.

  • AI was used in at least one-third of major elections between September 2023 and February 2024 to influence voter sentiment, spread disinformation, and manipulate public trust.
  • Russian, Iranian, and Chinese cyber groups have used AI-generated deepfakes and fake news campaigns to influence elections in the United States, Taiwan, Romania, and Moldova.
  • The Paris Olympic Games became a prime target for cyber influence operations with coordinated misinformation efforts aimed at discrediting the event and disrupting Western unity.

"The rise of AI-driven disinformation is fundamentally changing the cybersecurity landscape. From deepfake-generated political attacks to large-scale influence campaigns, we are witnessing an unprecedented escalation of AI-driven cyber warfare," said Lotem Finkelsteen, Director, Threat Intelligence & Research Area.

DeepSeek AI hit by large-scale cyberattack

DeepSeek AI, a China-based artificial intelligence platform, was the victim of a large-scale cyberattack that forced the company to restrict new user registrations. While the identity of the attackers is not yet known, the attack raises concerns about the security of AI platforms and the potential vulnerabilities in AI-powered ecosystems.

"As AI becomes increasingly integrated into daily IT operations, their infrastructure becomes a prime target for cybercriminals and state actors. Organizations must prioritize AI security to prevent large-scale breaches that could have far-reaching consequences," said Eli Smadja, Security Research Group Manager at Check Point Software.

The attack on DeepSeek underscores the growing trend of targeting AI infrastructures and highlights the need for AI-powered services to implement robust security measures to protect themselves from evolving cyber threats.

The evolution of ransomware: The shift towards pure data extortion and attack on critical sectors

Ransomware remains one of the most persistent and damaging cyber threats, but attackers are changing their tactics from traditional encryption-based extortion to pure data leak extortion.

  • Ransomware groups are now focusing on stealing sensitive corporate data and threatening to leak it instead of encrypting files.
  • The crackdown by law enforcement on major ransomware groups like LockBit and ALPHV has led to a fragmented ransomware industry, with new groups like RansomHub taking advantage of the power vacuum.

"The shift toward extortion through data leaks presents an even more insidious risk—organizations no longer only face IT business disruptions, but also the public exposure of sensitive data. Security strategies must evolve, focusing on early detection, strong data encryption, and robust access controls to mitigate these threats," said Omer Dembinsky, Data Research Group Manager at Check Point Software.

Infostealers and Initial Access Brokers: The Shadow Economy of Cybercrime

The explosive spread of infostealer malware is leading to an increase in stolen credentials, session hijacking, and corporate breaches.

  • The number of infostealer attacks increased by 58 percent, with more than 10 million stolen credentials offered for sale on underground cybercrime markets.
  • AgentTesla, Lumma Stealer, and FormBook were among the top malware threats in the EMEA region, often targeting VPN credentials and authentication tokens.
  • Session hijacking is one of the most important techniques used today to bypass multi-factor authentication (MFA), allowing attackers to gain permanent access to corporate environments.

"Cybercriminals are no longer just breaking into systems, they are also selling access to them. The rise of infostealers and initial access brokers has created a shadow economy where stolen credentials enable a wider range of cyberattacks, including ransomware and financial fraud," says Sergey Shykevich, Group Manager of Threat Intelligence at Check Point Software.

Cloud and edge vulnerabilities expand the attack surface

As hybrid cloud environments become the backbone of modern businesses, attackers exploit misconfigurations, weak access controls, and vulnerabilities in edge devices to gain initial access.

  • Cloud misconfigurations have led to several high-profile data breaches that exposed government, healthcare, and financial data.
  • Threat actors exploited single sign-on (SSO) vulnerabilities to move around cloud environments.
  • China-backed APTs used compromised IoT and VPN devices as Operational Relay Boxes (ORBs) to gain persistent access to global networks.

"Organizations need to rethink cloud security. Attackers are no longer just penetrating on-premises systems; they are penetrating cloud environments, targeting credentials, and leveraging legitimate mechanisms to facilitate bidirectional lateral movement. A proactive security approach is critical," said Michael Abramzon, Threat Intelligence & Research Architect at Check Point Software.


 


About Check Point

Check Point Software Technologies GmbH (www.checkpoint.com/de) is a leading provider of cybersecurity solutions for public administrations and companies worldwide. The solutions protect customers from cyberattacks with an industry-leading detection rate for malware, ransomware and other types of attacks. Check Point offers a multi-level security architecture that protects company information in cloud environments, networks and on mobile devices, as well as the most comprehensive and intuitive “one point of control” security management system. Check Point protects over 100,000 businesses of all sizes.


 
