2. Mid-size organizations are highly vulnerable: Industry data shows mid-size organizations remain highly vulnerable to ransomware attacks. “CISOs need to be aware that ransomware is no longer just targeting large companies, but now even mid-sized organizations are at risk. This awareness is crucial,” says Christiaan Beek, senior director, threat analytics, at Rapid7.

Companies with annual revenue around $5 million are falling victim to ransomware twice as often as those in the $30-50 million range and five times more frequently than those with a $100 million revenue, according to Rapid7’s 2024 ransomware report.

In 2025, the threat remains, and with many mid-sized organizations lacking a dedicated CISO, they’re more vulnerable to ransomware disruption, according to Beek. Larger organizations stand better prepared because they have a central, senior person and resources to go with it. “CISOs often have larger security teams and better tools to defend against attacks,” he says.

Cyber criminals are going after these companies believing they’re large enough to hold valuable data but lack the protection of larger organizations. Meanwhile, larger organizations need to consider that supply chains and third-party partners that include smaller, mid-size outfits without a dedicated security leader can increase their exposure to risk.

In the case of an attack, mid-market organizations may lack the visibility of data leaks and the forensic tools of more mature enterprises to effectively validate ransomware claims, according to Ashwin Ram, cyber security evangelist for Check Point. “Many of these organizations haven’t fully embraced external attack surface management and dark web monitoring to the same extent as the more advanced organizations.”

Beek recommends CISOs conduct ransomware attack simulation exercises at least twice a year to thoroughly assess all aspects of their incident response preparedness. “It helps identify gaps and ensure they’re ready to respond effectively,” he says.
3. Data exfiltration attacks require a critical shift in security priorities: In recent years, ransomware attackers have shifted away from encryption-based extortion to data exfiltration and double, triple and even quadruple extortion that targets the organization and individuals and helps launch distributed denial-of-service (DDoS) attacks, according to Check Point’s Ram.

According to data from Coveware, 87% of observed cases in the last quarter of 2024 involved exfiltration, which either led into an encryption-based attack or was the primary objective of the attack. “Threat actors are exfiltrating sensitive data and using the threat of public exposure to force victims into paying ransoms and it’s most effective in the healthcare sector with medical records and the finance sector, where PII could facilitate financial scams and identity fraud,” says Ram.

It’s changing the ransomware ecosystem. Many established cyber-criminal groups such as BianLian and Meow have adopted exfiltration techniques while new entrants such as Bashe have sprung up offering “data selling platforms”, according to Check Point’s 2025 State of Cyber Security report.

There are numerous reasons for the changing nature of attacks. As organizations have improved their backup and recovery capabilities and law enforcement actions have disrupted attacks, bad actors have shifted their focus to data exfiltration to streamline operations, evade detection, and find other avenues for lucrative attacks, the report noted.

However, without the obvious signs of data being locked up, security practitioners face the challenge of quickly determining if organizational data has been stolen and verifying any claims. In some cases, bad actors may claim a data breach by recycling information already available. “Attackers might get hold of some accounts, but they don’t have the entire organization’s credentials or they have one or two customer databases or certain customers in particular,” Ram tells CSO.

Ram recommends CISOs review and strengthen their organization’s defenses around data protection, monitoring, and rapid threat detection. This requires a multi-layered approach and, above all else, the organization’s “crown jewels” or most critical data assets need the highest priority. “CISOs are going to have to rewrite some of their playbooks for incident response, where that validation piece is going to play a key part,” he says.
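Because exfiltration leaves none of the obvious signs that encryption does, the monitoring Ram calls for has to notice unusual outbound volume before a ransom note arrives. The script below is an added illustration of one such check, not code from the article or from Check Point or Coveware: it reads constructed proxy log lines (date, host, destination, bytes sent), builds a per-host daily baseline, and flags any day whose outbound total exceeds a multiple of that host's median on other days, listing destinations the host had never contacted before. The log format, the hostnames and the thresholds are assumptions chosen for the example.

```python
"""Outbound-volume baseline check over constructed proxy log lines (added example)."""
from collections import defaultdict
from statistics import median

# Constructed sample log, not real traffic: <day> <host> <destination> <bytes_out>.
# ws-017 sends ~200 KB/day to known internal services, then 3.8 GB to a new host.
SAMPLE_LOG = """\
2025-02-03 ws-017 crm.example.com 120000
2025-02-03 ws-017 mail.example.com 80000
2025-02-04 ws-017 crm.example.com 110000
2025-02-04 ws-017 mail.example.com 90000
2025-02-05 ws-017 crm.example.com 130000
2025-02-05 ws-017 mail.example.com 70000
2025-02-06 ws-017 files-drop.invalid 3800000000
2025-02-03 ws-042 crm.example.com 100000
2025-02-04 ws-042 crm.example.com 95000
2025-02-05 ws-042 crm.example.com 105000
2025-02-06 ws-042 crm.example.com 99000
"""


def parse_log(text):
    """Turn the whitespace-separated log into (day, host, dest, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dest, nbytes = line.split()
        records.append((day, host, dest, int(nbytes)))
    return records


def daily_outbound(records):
    """Sum bytes sent per host per day: host -> day -> bytes."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dest, nbytes in records:
        totals[host][day] += nbytes
    return totals


def find_exfil_candidates(records, ratio=5.0, min_bytes=500_000_000):
    """Flag host-days whose outbound total is both above an absolute floor and
    more than `ratio` times the median of that host's other days. Each finding
    also lists destinations first seen on the flagged day, which is where an
    analyst would start when validating a claimed data theft."""
    totals = daily_outbound(records)
    dests = defaultdict(lambda: defaultdict(set))  # host -> day -> destinations
    for day, host, dest, _nbytes in records:
        dests[host][day].add(dest)

    findings = []
    for host, per_day in totals.items():
        for day, total in per_day.items():
            others = [b for d, b in per_day.items() if d != day]
            if not others:  # no baseline yet for a host seen on a single day
                continue
            baseline = median(others)
            if total >= min_bytes and total > ratio * baseline:
                seen_before = set().union(*(dests[host][d] for d in per_day if d != day))
                findings.append({
                    "host": host,
                    "day": day,
                    "bytes_out": total,
                    "baseline": baseline,
                    "new_destinations": sorted(dests[host][day] - seen_before),
                })
    return findings


if __name__ == "__main__":
    for f in find_exfil_candidates(parse_log(SAMPLE_LOG)):
        print(f"{f['host']} on {f['day']}: {f['bytes_out']} bytes out "
              f"(baseline {f['baseline']}), new destinations {f['new_destinations']}")
```

The absolute floor (`min_bytes`) stops a quiet host from being flagged when it merely goes from a few kilobytes to a few megabytes, while the ratio catches the sudden jump that a bulk upload produces; in practice both numbers are tuned per environment, and the list of first-seen destinations is what gets cross-checked against the "crown jewels" inventory when a breach claim has to be validated.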
4. Heightened risks for critical infrastructure: Attacks on critical infrastructure are on the rise, with energy, utilities and power infrastructure facing escalating threats and public healthcare organizations impacted in large numbers.

In public healthcare, resources are usually stretched, while in others, such as manufacturing, utilities and power infrastructure, digital transformation is bringing operating systems online, creating new vulnerabilities.

There is a raft of complicating factors, such as patches not being available for legacy and end-of-life technologies. “If an attacker finds a way into those industries that were traditionally offline, it presents much more of a problem,” says Sophos’ Bugal. Many organizations in the energy and utilities market tend to have older software and technologies that are more prone to security gaps. “It provides opportunities for attackers to gain access and then move laterally within environments, ultimately leading to ransomware incidents,” Bugal tells CSO.

Complicating matters, as organizations grow, their IT infrastructure increases in both size and complexity and this can result in attacks, particularly those that start with an unpatched vulnerability. In the case of an attack, it’s harder for IT teams to have full visibility of all their exposures and patch before they are exploited, according to the Sophos report.

Attacks on critical infrastructure are expected to continue into 2025, according to Arctic Wolf Labs 2025 predictions report. It also warns that while these ransomware attacks may follow the typical playbook, they can hide intrusions from hostile nation-states, potentially laying the groundwork for future digital conflict. “These incidents may have also been intended to distract from a strategic objective of establishing stealthy persistence within these environments,” the report noted.
5. Breakdown of perimeter defences: As an organization’s digital perimeter expands, the attack surface grows, with edge services and devices increasingly targeted by threat actors as entry points in ransomware attacks. The perimeter now includes IoT devices, cloud applications, VPN gateways, a host of internet connected devices and other network access tools, making it more challenging to secure access controls and monitor networks.

In 2024, software vulnerabilities within devices from Palo Alto Networks and SonicWall were exploited and used to launch ransomware attacks.

Looking ahead, organizations can expect more threats to their attack surface, according to Arctic Wolf Labs 2025 predictions report. Perimeter devices remain vulnerable to the misuse of valid accounts, exploitation of vulnerabilities, gaps in multi-factor authentication (MFA) and weaknesses in identity management practices.

CISOs face increasing pressure to maintain robust patch management processes and strengthen access configurations across the board. At the same time, the expanding digital perimeter brings more exposure to zero-day vulnerabilities. The manufacturing industry remains particularly vulnerable, the report noted, accounting for 44% of all cases investigated by the lab.

While advanced security technologies and tools are important, they do not remove the need to secure the organization’s digital front door, says Beek. Yet it’s an area that still has room for improvement. “We still see common security lapses, such as weak passwords on security devices or unsecured remote access that can provide an entry point for attackers,” he tells CSO.

In addition, having access to insights about observed attacks helps in understanding the chain of events and the potential risks they may pose in the CISO’s own organization, according to Beek. They can then review their processes and whether there is the right technology and trained people to notice the same kind of attack. “As a CISO, if you can understand the chain of attack, you can see if there are tripwires in place and visibility of this happening in your own organization,” he says.
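The "tripwires" Beek describes for the digital front door are, at their simplest, rules run over the authentication log of a VPN gateway or other edge device. The script below is an added example written for this article, not code from Beek, Rapid7 or Arctic Wolf: it parses constructed gateway login events and surfaces the three weaknesses the section lists, namely successful logins with no MFA step, a valid account whose success follows a run of failures from the same source, and one source failing against many different accounts. The `key=value` event format, the account names, the documentation-range IP addresses and the thresholds are all assumptions of the example.

```python
"""Tripwire checks over constructed VPN gateway authentication events (added example)."""
from collections import defaultdict

# Constructed sample events, not a real gateway log:
# <timestamp> user=<account> src=<source ip> result=success|failure mfa=yes|no|-
SAMPLE_EVENTS = """\
2025-02-06T08:01:10 user=alice src=203.0.113.10 result=success mfa=yes
2025-02-06T08:02:44 user=bob src=203.0.113.11 result=success mfa=yes
2025-02-06T08:10:02 user=svc-backup src=198.51.100.7 result=success mfa=no
2025-02-06T09:00:01 user=carol src=192.0.2.50 result=failure mfa=-
2025-02-06T09:00:05 user=carol src=192.0.2.50 result=failure mfa=-
2025-02-06T09:00:09 user=carol src=192.0.2.50 result=failure mfa=-
2025-02-06T09:00:14 user=carol src=192.0.2.50 result=failure mfa=-
2025-02-06T09:00:20 user=carol src=192.0.2.50 result=failure mfa=-
2025-02-06T09:00:27 user=carol src=192.0.2.50 result=success mfa=no
2025-02-06T09:30:00 user=dave src=192.0.2.99 result=failure mfa=-
2025-02-06T09:30:01 user=erin src=192.0.2.99 result=failure mfa=-
2025-02-06T09:30:02 user=frank src=192.0.2.99 result=failure mfa=-
2025-02-06T09:30:03 user=grace src=192.0.2.99 result=failure mfa=-
2025-02-06T09:30:04 user=heidi src=192.0.2.99 result=failure mfa=-
2025-02-06T09:30:05 user=ivan src=192.0.2.99 result=failure mfa=-
"""


def parse_events(text):
    """Parse each line into a dict with 'ts' plus the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        event = {"ts": ts}
        for field in fields:
            key, value = field.split("=", 1)
            event[key] = value
        events.append(event)
    return events


def logins_without_mfa(events):
    """Tripwire 1: any successful login that did not complete an MFA step."""
    return [(e["user"], e["src"], e["ts"]) for e in events
            if e["result"] == "success" and e.get("mfa") != "yes"]


def success_after_failures(events, threshold=5):
    """Tripwire 2: a success for (user, src) preceded by >= threshold consecutive
    failures for the same pair, the signature of a guessed weak password."""
    failures = defaultdict(int)
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["result"] == "failure":
            failures[key] += 1
        elif e["result"] == "success":
            if failures[key] >= threshold:
                hits.append((e["user"], e["src"], failures[key]))
            failures[key] = 0  # a success (flagged or not) resets the run
    return hits


def password_spray_sources(events, min_accounts=5):
    """Tripwire 3: one source failing against many distinct accounts."""
    failed_users = defaultdict(set)
    for e in events:
        if e["result"] == "failure":
            failed_users[e["src"]].add(e["user"])
    return {src: sorted(users) for src, users in failed_users.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("no MFA:", logins_without_mfa(events))
    print("success after failures:", success_after_failures(events))
    print("spray sources:", password_spray_sources(events))
```

Each function returns its findings rather than only printing them, so the same checks can be scheduled against an exported log or wired into a SIEM rule; the service account that logs in without MFA is exactly the kind of "unsecured remote access" Beek mentions, and reviewing why it is exempt from MFA is usually the first fix.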
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3825545/5-things-to-know-about-ransomware-threats-in-2025.html