Quick Facts
- Category: Cybersecurity
- Published: 2026-05-03 19:01:50
Since 2018, ransomware has transformed from a niche cyber threat into a dominant force, leveraging a mature ecosystem that lowers entry barriers through ransomware-as-a-service (RaaS). However, recent shifts—including declining ransom payments, improved defenses, and law enforcement actions—are reshaping the landscape. This Q&A explores the tactics, techniques, and procedures (TTPs) observed in 2025, drawing on Mandiant’s incident response data to illuminate how attackers adapt and what defenders must know.
1. How has the ransomware ecosystem evolved since 2018?
Since 2018, financially motivated threat actors shifted from simple data theft to post-compromise ransomware deployment, creating a robust RaaS ecosystem. This model allows affiliates to lease ransomware tools from developers, significantly lowering the barrier to entry. Specialized underground communities now offer services like initial access brokers, money laundering, and negotiation support. As a result, ransomware has become pervasive across industries globally. However, by 2025, signs of pressure emerged: the overall profitability of ransomware operations has declined due to improved cybersecurity practices, higher recovery capabilities, and falling ransom payment rates. Despite these challenges, the number of victims posted on data leak sites reached a record high in 2025, indicating that while per-incident returns may shrink, the volume of attacks remains elevated.

2. What factors are driving the decline in ransomware profitability?
Several interconnected factors contribute to the declining profitability of ransomware operations. First, organizations have adopted better cybersecurity defenses, including more robust backup strategies and incident response plans, reducing the impact of encryption. Second, the rate of ransom payments has dropped—victims are increasingly refusing to pay, and those who do pay hand over smaller sums on average. Third, law enforcement actions, such as the takedown of major groups like LockBit and ALPHV, have disrupted key players, forcing affiliates to rebuild trust and infrastructure. Internal conflicts among ransomware groups have also led to the fragmentation or collapse of prominent operations. Combined, these elements create a less predictable and less lucrative environment for attackers, even as attack volumes remain high in absolute terms.
3. How have law enforcement and internal conflicts reshaped the ransomware landscape?
Law enforcement operations have significantly impacted the ransomware ecosystem by dismantling or debilitating high-profile groups such as LockBit, ALPHV, Basta, and RansomHub. These actions force affiliates to seek new RaaS platforms, often shifting loyalty to emerging or remaining brands. Simultaneously, internal conflicts—like disputes over payment splits or betrayal among affiliates—have caused once-prominent groups to disintegrate. These dual pressures create a vacuum that is quickly filled by established RaaS brands like Qilin and Akira, which have capitalized on the instability to recruit displaced affiliates. The result is a record number of victim posts on data leak sites in 2025, as groups compete for visibility and legitimacy. This churn demonstrates that while law enforcement can disrupt specific operations, the underlying criminal market adapts rapidly.
4. What were the most common initial access vectors in 2025 ransomware incidents?
In a third of analyzed ransomware incidents during 2025, the initial access vector was confirmed or suspected exploitation of vulnerabilities—most frequently in common VPN appliances and firewall devices. This trend underscores the persistent risk from unpatched internet-facing network devices, which serve as gateways for attackers to enter enterprise environments. Other prevalent vectors included phishing campaigns and the use of stolen credentials obtained through information stealers or previous breaches. The reliance on vulnerability exploitation highlights the importance of rigorous patch management and configuration hardening for perimeter devices. Additionally, the shift toward remote work has expanded the attack surface, making VPNs and firewalls even more critical to defend. Organizations that fail to prioritize these vulnerabilities remain prime targets for ransomware affiliates seeking initial footholds.

5. Why is data theft becoming more prevalent in ransomware attacks?
Data theft has become a core component of modern ransomware attacks, with 77% of incidents in 2025 involving suspected data exfiltration—up sharply from 57% in 2024. This shift reflects a strategic evolution: attackers now combine encryption with the threat of leaking sensitive data to increase leverage over victims. Even if organizations can restore systems from backups, the fear of public exposure of customer, financial, or proprietary data often drives ransom payments. Moreover, the stolen data itself can be monetized separately through sale on dark web marketplaces or used for further extortion. This dual-extortion tactic amplifies pressure, forcing victims to weigh reputational damage against recovery costs. Ransomware groups have streamlined their exfiltration processes, using tools like remote management software or custom scripts to quickly compress and transfer data before triggering encryption.
6. What is the significance of targeting virtualization infrastructure in 2025?
In approximately 43% of ransomware intrusions Mandiant responded to in 2025, threat actors targeted virtualization infrastructure—a notable increase from 29% in 2024. Virtualization platforms like VMware vCenter or ESXi are attractive targets because they control multiple virtual machines (VMs), allowing attackers to encrypt or disable entire environments with a single action. By compromising hypervisors, attackers can maximize disruption while minimizing effort, as one set of credentials grants access to dozens or hundreds of servers. This tactic also enables rapid lateral movement and data theft across the virtual network. The growing use of virtualization in enterprise IT makes this trend particularly concerning. Defenders must ensure that management interfaces are heavily restricted, use multi-factor authentication, and are patched promptly to reduce the risk of a catastrophic ransomware event originating from the virtualization layer.
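The advice above to keep hypervisor management interfaces "heavily restricted" is easy to state and easy to get wrong in a first-match firewall policy. The script below is an added example (not code from the article or from Mandiant) that audits a rule set for management ports reachable from outside an admin network, showing a weak policy beside a hardened one. The rule format, host addresses, admin network, port list and probe sources are all constructed assumptions for illustration; the article names no ports or addresses.

```python
"""Audit whether hypervisor management interfaces are reachable from outside
the admin network, given a first-match firewall rule set.

Added example, not from the original article or Mandiant. Rule format, host
inventory, port list and probe addresses are assumptions for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Ports conventionally used for vSphere management (assumption: adapt to your
# environment; the article does not name ports).
MGMT_PORTS = {443: "vSphere HTTPS UI/API", 22: "ESXi SSH", 902: "ESXi host agent"}

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None = any port

# Constructed inventory of management interfaces (hypothetical addresses).
MGMT_HOSTS = {"vcenter01": "10.10.5.10", "esxi01": "10.10.5.21", "esxi02": "10.10.5.22"}

# Assumed jump-host network from which admins are allowed to manage hypervisors.
ADMIN_NET = ipaddress.ip_network("10.200.0.0/24")

# Weak policy (constructed): first match wins, as on most firewalls.
WEAK_RULES = [
    Rule("allow", "10.200.0.0/24", "10.10.5.0/24", None),  # admins -> management VLAN
    Rule("allow", "0.0.0.0/0", "10.10.5.10/32", 443),      # WEAK: vCenter UI from anywhere
    Rule("allow", "10.0.0.0/8", "10.10.5.0/24", 22),       # WEAK: SSH from the whole corp range
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Hardened policy: only the admin network reaches the management VLAN.
HARDENED_RULES = [
    Rule("allow", "10.200.0.0/24", "10.10.5.0/24", None),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """Return the action of the first rule matching (src, dst, port); default deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"

def audit(rules: List[Rule], hosts: dict, admin_net, probe_sources: List[str]) -> List[Tuple[str, int, str]]:
    """List (host, port, source) where a management port is reachable from a
    probe source that is NOT inside the admin network."""
    findings = []
    for name, ip in hosts.items():
        for port in MGMT_PORTS:
            for src in probe_sources:
                if ipaddress.ip_address(src) in admin_net:
                    continue  # admin access is expected, not a finding
                if first_match(rules, src, ip, port) == "allow":
                    findings.append((name, port, src))
    return findings

# Representative probe sources: an internet address, a user VLAN host, an admin host.
PROBES = ["203.0.113.7", "10.50.1.23", "10.200.0.5"]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"[{label}] findings:")
        for name, port, src in audit(rules, MGMT_HOSTS, ADMIN_NET, PROBES):
            print(f"  {name}:{port} ({MGMT_PORTS[port]}) reachable from {src}")
```

Running the script against the weak policy reports vCenter's HTTPS port reachable from the internet and from the user VLAN, and SSH on all three hosts reachable from the user VLAN; the hardened policy produces no findings. Replacing the constructed rule list with an export from a real firewall turns this into a regression check that can run whenever the policy changes.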
7. Which ransomware families dominated in 2025, and what tool trends emerged?
The most frequently deployed ransomware family in 2025 was REDBIKE, accounting for 30% of analyzed incidents. Its popularity stems from reliable encryption, effective data leak sites, and a well-organized affiliate program. Other notable families include Qilin and Akira, which filled the vacuum left by law enforcement takedowns. Regarding tools, several persistent trends continued: use of the BEACON backdoor and MIMIKATZ credential dumper declined further, as attackers shifted to living-off-the-land and custom scripts to evade detection. Meanwhile, reliance on remote management tools (e.g., AnyDesk, TeamViewer) plateaued, suggesting that groups have reached a saturation point in deploying those techniques. Instead, they increasingly leverage built-in Windows utilities and novel ransomware variants to blend into normal operations. This evolution challenges defenders to adopt behavioral detection rather than static signatures.
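Two of the behaviours described in this Q&A lend themselves to behavioral rather than signature-based detection: the compress-then-transfer pattern that precedes encryption (question 5) and the use of remote management tools and built-in Windows utilities in place of BEACON and MIMIKATZ (question 7). The correlation logic below is an added example, not code from the article or from Mandiant, and runs over constructed endpoint telemetry. The event schema, the archiver and utility names, the per-host allowlist, the internal address ranges and every threshold are assumptions to be tuned for a real environment; AnyDesk and TeamViewer are the only tool names taken from the article.

```python
"""Behavioral correlation over constructed endpoint telemetry: archive-then-
transfer staging, unapproved remote management tools, and bursts of built-in
Windows utilities on one host.

Added example, not from the article or Mandiant. Event schema, tool sets,
allowlist, internal ranges and thresholds are assumptions; events are constructed."""
import ipaddress
from collections import defaultdict
from typing import List, Tuple

ARCHIVERS = {"7z.exe", "rar.exe", "winrar.exe"}                     # assumed staging tools
REMOTE_MGMT = {"anydesk.exe", "teamviewer.exe"}                     # tools named in the article
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}  # assumed
ALLOWED_REMOTE = {"helpdesk-01": {"teamviewer.exe"}}                # assumed per-host allowlist
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXFIL_WINDOW_S = 1800         # archive run -> outbound transfer within 30 minutes
EXFIL_BYTES = 500_000_000     # >= 500 MB to one external peer
LOLBIN_MIN_DISTINCT = 3       # distinct utilities on one host ...
LOLBIN_WINDOW_S = 600         # ... inside a 10-minute window

# Constructed telemetry (ts = epoch seconds). fs-01 stages and ships data,
# ws-17 runs an unapproved remote tool, ws-22 shows a utility burst,
# helpdesk-01 and ws-30 are benign.
EVENTS = [
    {"ts": 1000, "host": "fs-01", "type": "process", "image": "7z.exe"},
    {"ts": 1900, "host": "fs-01", "type": "netconn", "dest_ip": "198.51.100.44", "bytes_out": 2_100_000_000},
    {"ts": 1950, "host": "fs-01", "type": "netconn", "dest_ip": "10.1.1.5", "bytes_out": 3_000_000_000},
    {"ts": 3000, "host": "ws-17", "type": "process", "image": "AnyDesk.exe"},
    {"ts": 3100, "host": "helpdesk-01", "type": "process", "image": "TeamViewer.exe"},
    {"ts": 4000, "host": "ws-22", "type": "process", "image": "powershell.exe"},
    {"ts": 4100, "host": "ws-22", "type": "process", "image": "wmic.exe"},
    {"ts": 4200, "host": "ws-22", "type": "process", "image": "certutil.exe"},
    {"ts": 9000, "host": "ws-30", "type": "process", "image": "7z.exe"},
    {"ts": 9100, "host": "ws-30", "type": "netconn", "dest_ip": "203.0.113.9", "bytes_out": 40_000_000},
]

def is_external(ip: str) -> bool:
    """External = not inside any of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def detect_staging_then_transfer(events) -> List[Tuple]:
    """Archiver on a host followed within EXFIL_WINDOW_S by a large outbound
    transfer from the same host to an external address."""
    alerts, archives = [], defaultdict(list)   # host -> archiver timestamps
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process" and e["image"].lower() in ARCHIVERS:
            archives[e["host"]].append(e["ts"])
        elif (e["type"] == "netconn" and is_external(e["dest_ip"])
              and e["bytes_out"] >= EXFIL_BYTES
              and any(0 <= e["ts"] - t <= EXFIL_WINDOW_S for t in archives[e["host"]])):
            alerts.append(("staging_then_transfer", e["host"], e["dest_ip"]))
    return alerts

def detect_remote_mgmt(events) -> List[Tuple]:
    """Remote management tool executed on a host where it is not allowlisted."""
    alerts = []
    for e in events:
        img = e.get("image", "").lower()
        if e["type"] == "process" and img in REMOTE_MGMT and img not in ALLOWED_REMOTE.get(e["host"], set()):
            alerts.append(("unapproved_remote_mgmt", e["host"], img))
    return alerts

def detect_lolbin_burst(events) -> List[Tuple]:
    """LOLBIN_MIN_DISTINCT or more distinct built-in utilities on one host
    inside LOLBIN_WINDOW_S; each host is reported once."""
    alerts, recent, flagged = [], defaultdict(list), set()   # host -> [(ts, image)]
    for e in sorted(events, key=lambda e: e["ts"]):
        img = e.get("image", "").lower()
        if e["type"] != "process" or img not in LOLBINS:
            continue
        h = e["host"]
        recent[h] = [(t, i) for t, i in recent[h] if e["ts"] - t <= LOLBIN_WINDOW_S]
        recent[h].append((e["ts"], img))
        distinct = sorted({i for _, i in recent[h]})
        if len(distinct) >= LOLBIN_MIN_DISTINCT and h not in flagged:
            flagged.add(h)
            alerts.append(("lolbin_burst", h, distinct))
    return alerts

def run_all(events) -> List[Tuple]:
    return detect_staging_then_transfer(events) + detect_remote_mgmt(events) + detect_lolbin_burst(events)

if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

On the constructed telemetry the three detectors produce exactly one alert each: fs-01 for staging followed by a 2.1 GB transfer to an external address (the larger internal transfer to 10.1.1.5 is ignored, and ws-30's 40 MB upload stays under the threshold), ws-17 for AnyDesk outside the allowlist while helpdesk-01's allowlisted TeamViewer is silent, and ws-22 for three distinct utilities within ten minutes. None of the three rules depends on a file hash or a malware family name, which is the point the last answer makes about behavioral detection.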