Ransomware in 2025: Key Trends and Tactics in a Changing Threat Environment

Last updated: 2026-05-03 04:32:05

The ransomware landscape has undergone a dramatic transformation since 2018, when financially motivated attackers increasingly turned to post-compromise ransomware deployments. Today, ransomware remains one of the most significant threats across industries and regions, fueled by the commoditization of the ransomware-as-a-service (RaaS) ecosystem that lowers the barrier for aspiring cybercriminals. However, despite a record number of victims posted to data leak sites in 2025, multiple indicators point to a decline in overall profitability. This shift is driven by improved cybersecurity defenses, greater organizational resilience, and falling ransom payment rates, along with high-profile disruptions—such as law enforcement takedowns and internal group conflicts—that have crippled once-dominant RaaS operations like LockBit, ALPHV, and RansomHub. In their place, established brands like Qilin and Akira have stepped in, maintaining a steady stream of post-compromise ransomware incidents.

Overview of the 2025 Ransomware Landscape

This report examines the tactics, techniques, and procedures (TTPs) observed in ransomware incidents that Mandiant Consulting responded to during 2025, excluding cases involving data theft extortion alone. Key insights include a rise in data theft, increased targeting of virtualization infrastructure, and the emergence of REDBIKE as the most frequently deployed ransomware family. The following sections break down these trends in detail.

Ransomware in 2025: Key Trends and Tactics in a Changing Threat Environment
Source: www.mandiant.com

Initial Access: Vulnerabilities in VPNs and Firewalls

In approximately one-third of all incidents, initial access was confirmed or suspected to involve exploitation of vulnerabilities in common VPN appliances and firewalls. Attackers continue to target these perimeter devices, often leveraging unpatched flaws to gain a foothold. This trend underscores the importance of rigorous patch management and network segmentation. For more on how initial access leads to further compromise, see the section on data theft trends.

Data Theft on the Rise: 77% of Incidents Involve Exfiltration

Data theft has become an almost universal feature of modern ransomware attacks. In 2025, 77% of ransomware intrusions analyzed by Mandiant included suspected data theft, a significant increase from 57% in 2024. Attackers increasingly steal sensitive information before encrypting systems, using the threat of public exposure as additional leverage. This dual-extortion approach pressures victims to pay ransoms even if they can recover data from backups. The rise in data theft correlates with the decline in overall ransom payment rates, as victims may be less willing to pay when data is already stolen and potentially leaked.

Targeting Virtualization Infrastructure: A Growing Trend

Another notable shift is the increased focus on virtualization platforms. In 2025, 43% of ransomware incidents involved targeting virtualization infrastructure, up from 29% in 2024. By compromising hypervisors and virtual machine management systems, attackers can quickly encrypt or delete a large number of virtual servers, causing widespread disruption. Defenders should prioritize securing virtualization layers, monitoring for unusual administrative activity, and implementing strong access controls. The ransomware families observed often include custom tools for this purpose.
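One concrete form of the hypervisor monitoring recommended above, written here as an added example rather than anything from the Mandiant report: the audit-event format, the operation names and the account names are all constructed for illustration, and the detector assumes events are fed to it in chronological order. It flags any account that issues more than five destructive VM operations inside a five-minute window, the burst pattern a mass encryption or deletion run against a hypervisor tends to produce, while leaving spread-out maintenance activity alone.

```python
"""Burst detector for destructive administrative activity on virtualization hosts.

Added example, not code from the report. The log format below is constructed:
  "<ISO timestamp> <account> <operation> <target>"
Operation names (vm.poweroff, vm.delete, ...) are illustrative, not a real
hypervisor's audit vocabulary. Events are assumed to arrive in time order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Operations that, in bulk, indicate a mass shutdown/encryption/deletion run.
DESTRUCTIVE_OPS = {"vm.poweroff", "vm.delete", "snapshot.remove", "datastore.delete"}
WINDOW = timedelta(minutes=5)   # sliding window length
THRESHOLD = 5                   # alert when more than this many ops fall in one window

# Constructed sample audit events: one account bulk-stops VMs within seconds,
# another performs two routine power-offs hours apart, a backup service takes a snapshot.
SAMPLE_LOG = """\
2025-06-01T02:00:01 svc-backup vm.snapshot.create web-01
2025-06-01T02:00:10 admin-jdoe vm.poweroff web-01
2025-06-01T02:00:12 admin-jdoe vm.poweroff web-02
2025-06-01T02:00:13 admin-jdoe vm.poweroff db-01
2025-06-01T02:00:15 admin-jdoe snapshot.remove db-01
2025-06-01T02:00:16 admin-jdoe vm.poweroff app-01
2025-06-01T02:00:18 admin-jdoe vm.poweroff app-02
2025-06-01T02:00:20 admin-jdoe vm.delete web-01
2025-06-01T09:15:00 ops-mlee vm.poweroff test-01
2025-06-01T11:40:00 ops-mlee vm.poweroff test-02
"""


def parse_line(line):
    """Split one constructed audit line into (timestamp, account, operation, target)."""
    ts, account, op, target = line.split(" ", 3)
    return datetime.fromisoformat(ts), account, op, target


def detect_bursts(log_text, window=WINDOW, threshold=THRESHOLD):
    """Return {account: peak_count} for accounts whose destructive operations
    exceeded `threshold` within any sliding `window`; other accounts are omitted."""
    recent = defaultdict(deque)   # account -> timestamps of ops still inside the window
    peak = defaultdict(int)       # account -> largest burst size observed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, op, _target = parse_line(line)
        if op not in DESTRUCTIVE_OPS:
            continue
        q = recent[account]
        q.append(ts)
        # Evict events older than the window so q holds only the current burst.
        while ts - q[0] > window:
            q.popleft()
        peak[account] = max(peak[account], len(q))
    return {acct: n for acct, n in peak.items() if n > threshold}


if __name__ == "__main__":
    for acct, n in detect_bursts(SAMPLE_LOG).items():
        print(f"ALERT: {acct} issued {n} destructive VM operations within {WINDOW}")
```

The window and threshold are the tuning knobs: a maintenance team that legitimately powers off dozens of VMs during a change window will trip this rule, so in practice it would be paired with change-calendar context or a per-account baseline rather than used on its own.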

Ransomware Families: REDBIKE Dominates

Among the ransomware families deployed in 2025, REDBIKE was the most prevalent, accounting for 30% of analyzed incidents. While other families such as Qilin and Akira remain active, REDBIKE's simplicity and effectiveness have made it a preferred tool for many affiliates. Its widespread use highlights the ongoing commoditization of ransomware within the underground economy.

Tooling and Tactics: Decline of BEACON and MIMIKATZ

Several tooling trends continued from previous years. The use of traditional intrusion tools like Cobalt Strike BEACON and MIMIKATZ has decreased, as defenders have become better at detecting these signatures. Similarly, reliance on remote management tools with legitimate functions has plateaued, as attackers balance stealth against operational convenience. Attackers are increasingly using custom scripts and living-off-the-land techniques to evade detection. For a deeper dive into overall attack flows, refer back to the overview section.

Conclusion: A Resilient but Shifting Ecosystem

Despite declining profitability, ransomware remains a dominant threat due to its volume and potential for disruption. The ecosystem continues to evolve, with new groups emerging to replace those taken down by law enforcement or internal strife. The data presented here is based on Mandiant engagements and represents only a sample of global activity, but it provides critical insight into the changing TTPs that security teams must prepare for. To stay ahead, organizations should focus on patching perimeter vulnerabilities, improving data loss prevention, and hardening virtualization environments.