
The Changing Face of Ransomware: Insights from 2025 Incident Response Data

Asked 2026-05-04 21:05:20 Category: Cybersecurity

Ransomware continues to dominate the threat landscape, but recent shifts reveal a complex picture. While victim numbers hit record highs in 2025, overall profitability is declining due to better defenses and lower ransom payments. This Q&A explores key tactics, techniques, and procedures observed in Mandiant's incident response engagements, highlighting how the ecosystem is evolving.

What is the current state of ransomware profitability and why is it declining?

Ransomware remains a pervasive threat, but its profitability is on the decline. Multiple factors contribute to this trend: improved cybersecurity practices across organizations, greater ability to recover from attacks without paying ransoms, and decreasing ransom payment amounts and rates. Additionally, the ransomware ecosystem has faced external disruptions like law enforcement operations and internal conflicts among actors. These pressures have led to the downfall of once-dominant groups such as LockBit, ALPHV, Basta, and RansomHub. Despite these setbacks, the overall volume of ransomware activity hasn't dropped—instead, new groups like Qilin and Akira have risen to fill the vacuum, leading to a record number of victims posted on data leak sites in 2025.

The Changing Face of Ransomware: Insights from 2025 Incident Response Data
Source: www.mandiant.com

How have law enforcement actions and internal conflicts reshaped the ransomware ecosystem?

Law enforcement actions have significantly disrupted several major ransomware-as-a-service (RaaS) operations, causing them to dissolve or become severely weakened. Internal conflicts among ransomware actors have also played a role. For instance, groups like LockBit and ALPHV have either disappeared or been debilitated due to these pressures. However, the ecosystem quickly adapted as established brands like Qilin and Akira stepped in to fill the void. This resilience shows how the commoditization of ransomware through RaaS models lowers barriers for new entrants. Consequently, despite major takedowns, the number of victims posted to data leak sites in 2025 reached an all-time high, indicating that the threat is far from contained.

What are the most common initial access vectors observed in 2025 ransomware incidents?

In approximately one-third of ransomware incidents Mandiant responded to in 2025, the initial access vector was confirmed or strongly suspected to be exploitation of vulnerabilities, most often in common VPNs and firewalls. This aligns with a longer trend where attackers target perimeter devices to gain entry into networks. Once inside, they often move laterally and escalate privileges before deploying ransomware. The reliance on vulnerability exploitation underscores the importance of patch management and network segmentation as critical defenses.

Why has data theft become more prevalent in ransomware attacks?

Data theft in ransomware intrusions has surged from 57% of incidents in 2024 to 77% in 2025. This increase reflects a strategic shift by attackers to intensify pressure on victims. By exfiltrating sensitive data before encryption, attackers can demand ransoms not just for decryption but also to prevent public leaks. This dual-extortion tactic makes it harder for victims to ignore demands, even if they have backups. The trend highlights the growing sophistication of ransomware operations and the value attackers place on data as a second lever for coercion.
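Because the data is taken before encryption, the exfiltration window is the defender's best chance to catch the intrusion early. The script below is an added example, not code from the Mandiant post or from this Q&A: it sums outbound bytes per internal host to non-RFC1918 destinations for each day and flags hosts whose volume jumps far above their own history, the simplest form of a bulk-transfer baseline. The flow records, addresses, thresholds and the `flag_exfil_candidates` function are all constructed for illustration.

```python
"""Baseline detection for bulk outbound transfers (an added example).

All flow records below are constructed sample data, not real telemetry,
and the thresholds are illustrative starting points, not tuned values.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median

# Internal address space; flows to these destinations are ignored.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records: (day, src_ip, dst_ip, bytes_out).
SAMPLE_FLOWS = [
    # 10.0.1.15: three quiet days, then a large burst to a new external host
    ("2025-06-01", "10.0.1.15", "203.0.113.10", 40_000_000),
    ("2025-06-02", "10.0.1.15", "203.0.113.10", 35_000_000),
    ("2025-06-03", "10.0.1.15", "203.0.113.10", 45_000_000),
    ("2025-06-04", "10.0.1.15", "198.51.100.7", 9_500_000_000),
    # 10.0.1.22: steady traffic plus a big internal copy that must not alert
    ("2025-06-01", "10.0.1.22", "203.0.113.20", 80_000_000),
    ("2025-06-02", "10.0.1.22", "203.0.113.20", 85_000_000),
    ("2025-06-03", "10.0.1.22", "10.0.2.5", 50_000_000_000),
    ("2025-06-04", "10.0.1.22", "203.0.113.20", 90_000_000),
]


def is_internal(ip: str) -> bool:
    """True when the address falls inside one of the INTERNAL_NETS ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def daily_external_bytes(flows):
    """Sum bytes per source host and day, counting only flows that leave the network."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in flows:
        if is_internal(dst):
            continue  # intra-network copies are not exfiltration
        totals[src][day] += nbytes
    return totals


def flag_exfil_candidates(flows, observed_day, ratio=10.0, min_bytes=1_000_000_000):
    """Return (host, bytes_today, baseline) for hosts whose outbound volume on
    observed_day exceeds both an absolute floor and ratio x the median of the
    host's earlier days. Hosts with no history are skipped rather than guessed."""
    flagged = []
    for host, by_day in daily_external_bytes(flows).items():
        today = by_day.get(observed_day, 0)
        history = [v for d, v in by_day.items() if d < observed_day]
        if not history or today < min_bytes:
            continue
        baseline = median(history)
        if today > ratio * baseline:
            flagged.append((host, today, baseline))
    return flagged


if __name__ == "__main__":
    for host, today, base in flag_exfil_candidates(SAMPLE_FLOWS, "2025-06-04"):
        print(f"{host}: {today / 1e9:.1f} GB out vs baseline {base / 1e6:.0f} MB/day")
```

In practice the baseline would come from a longer window and the floor would be set per host class (a backup server legitimately moves far more than a workstation), but the shape of the check stays the same: compare each host with itself, not with a global average.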

What is the significance of targeting virtualization infrastructure?

In 2025, 43% of ransomware intrusions analyzed by Mandiant involved targeting virtualization infrastructure, up from 29% in 2024. This represents a notable tactical evolution. Virtualization platforms, such as VMware vCenter or ESXi, are central to many organizations' IT environments. By compromising these systems, attackers can encrypt multiple virtual machines at once, maximizing disruption and ransom leverage. This shift underscores a broader trend: attackers are increasingly targeting shared, high-value systems to amplify the impact of their attacks.

Which ransomware family was most deployed in 2025 and what does that indicate?

REDBIKE was the most frequently deployed ransomware family, accounting for 30% of analyzed incidents in 2025. Its prevalence suggests that it has become a go-to tool for many threat actors, likely because of its effectiveness and possibly its availability as a RaaS variant. The dominance of REDBIKE also reflects the dynamic nature of the ransomware ecosystem, where different families gain and lose popularity based on operational success, disruption by law enforcement, or internal group dynamics. Monitoring such shifts helps defenders prioritize their detection and response capabilities.

How have attacker tool usage trends changed?

Several trends from prior years persisted in 2025. The use of certain intrusion tools like BEACON and MIMIKATZ declined, while reliance on remote management tools plateaued. BEACON is a well-known command-and-control framework, and MIMIKATZ is used for credential dumping. Their reduced usage may indicate that attackers are adopting more evasive or specialized tools to avoid detection. The plateau in remote management tool usage suggests that defenders have become better at spotting these common post-compromise utilities. These shifts highlight the continuous cat-and-mouse game between attackers and security teams.

What are the limitations of this analysis?

The insights presented here are based primarily on data from Mandiant's incident response engagements, which represent only a sample of global ransomware intrusion activity. These incidents involved post-compromise deployment of ransomware following network intrusion. Excluded from this analysis are cases of data theft extortion without ransomware deployment. Therefore, the findings may not capture the full spectrum of ransomware tactics. Additionally, the observed trends reflect a specific subset of victims—those who engaged Mandiant for response—and may not generalize to all organizations.