CRD #19

On ransomware stats, vulnerability exploitation, identity compromise and disruptive tactics.

The Cybersecurity Research Digest cuts through the marketing fluff and bias to bring you relevant and objective insights on cybersecurity stats and trends, all backed by empirical data.
The post features highlights from trustworthy research sources released between March 4-24, 2025, followed by a list of all monitored reports.

February 2025 saw more ransomware victims than ever

Ransomware victims by month - Feb 2024 to Feb 2025 (Bitdefender)

While ransomware activity month-over-month has remained relatively stable over the past year (monthly average of 417), February 2025 saw a significant surge according to leak site data. The victim count reached 962 in February 2025. This is more than double the monthly average and marks the highest monthly total on record.

Approximately one-third of these incidents were attributed to the Cl0p ransomware group. Since most attacks are carried out by a small number of groups, cyber threat intelligence (CTI) that tracks the TTPs of these prominent actors can be an effective defensive investment.

Top 10 ransomware groups by number of victims Feb 2025 (Bitdefender)

Some observers attribute this spike to ransomware groups shifting away from highly targeted attacks toward exploiting vulnerabilities at scale. Attackers increasingly use automated scanning techniques, targeting newly disclosed vulnerabilities in edge devices immediately following public disclosure. This allows for fast and efficient abuse of readily available proof-of-concept exploits that facilitate remote control. However, as this approach is not new, it does not fully explain the major spike in reported incidents in February 2025. If this heightened level of activity continues, further analysis will be necessary to understand whether this represents a more fundamental shift in threat actor strategies and efficiency.

Furthermore, leak site data continues to show that the United States remains by far the most heavily targeted country for ransomware attacks (at least according to primarily Western CTI providers).

Top 10 countries most affected by ransomware (Bitdefender)

At the same time, published vulnerabilities continue to steadily increase, posing ongoing challenges for Vulnerability Management teams. In 2024 alone, over 37,000 vulnerabilities were disclosed, a 12% increase from the previous year.

The continuous surge, amplified by regular Patch Tuesday updates and an expanding number of CVE advisories, means that addressing every vulnerability individually is impractical. Organizations thus need to adopt a risk-based approach to patch prioritization.
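As an added illustration of what "risk-based prioritization" can mean in practice (example code written for this digest, not taken from any of the monitored reports), the function below ranks scanner findings by exposure and exploitability rather than by raw CVSS alone, weighting the factors the digest highlights: internet-facing edge devices, public proof-of-concept exploits, confirmed in-the-wild exploitation and the first days after disclosure. The field names, weights and CVE identifiers are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One scanner finding. Fields and identifiers are constructed for this example."""
    cve: str               # placeholder identifier, not a real CVE
    cvss: float            # base severity, 0.0-10.0
    edge_device: bool      # on an internet-facing edge device (VPN, firewall, gateway)
    public_poc: bool       # a public proof-of-concept exploit exists
    known_exploited: bool  # reported as exploited in the wild (KEV-style feed)
    days_since_disclosure: int


def risk_score(v: Vuln) -> float:
    """Score a finding so that exposure and exploitability outweigh raw severity.

    The weights are illustrative assumptions: attackers mass-scan for newly
    disclosed edge-device flaws with ready PoCs, so those factors dominate.
    """
    score = v.cvss                  # start from base severity (0-10)
    if v.known_exploited:
        score += 10                 # confirmed in-the-wild use is decisive
    if v.public_poc:
        score += 5                  # weaponisation cost is near zero
    if v.edge_device:
        score *= 1.5                # reachable without any prior foothold
    if v.days_since_disclosure <= 14:
        score += 3                  # the window attackers race to abuse
    return round(score, 2)


def prioritize(vulns: list[Vuln]) -> list[Vuln]:
    """Return findings ordered from most to least urgent to patch."""
    return sorted(vulns, key=risk_score, reverse=True)


# Constructed sample findings; the CVE ids are placeholders.
SAMPLE = [
    Vuln("CVE-0000-0001", 9.8, edge_device=False, public_poc=False, known_exploited=False, days_since_disclosure=120),
    Vuln("CVE-0000-0002", 7.2, edge_device=True, public_poc=True, known_exploited=True, days_since_disclosure=3),
    Vuln("CVE-0000-0003", 8.1, edge_device=True, public_poc=False, known_exploited=False, days_since_disclosure=30),
    Vuln("CVE-0000-0004", 5.4, edge_device=False, public_poc=True, known_exploited=False, days_since_disclosure=7),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE):
        print(f"{v.cve}  score={risk_score(v):6.2f}  cvss={v.cvss}")
```

Note that the finding with the highest CVSS (9.8) ranks last: it is neither exposed nor exploited, while the 7.2 edge-device flaw with a public exploit goes to the top of the patch queue.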

Vulnerability disclosures and exploits, 2024-2025 (Flashpoint)

Identity compromise dominates incident response engagements

Compromised credentials remain the most prevalent initial access vector in serious cybersecurity incidents, consistently highlighted across multiple threat reports analyzing 2024 threat and incident response data.

Insurance claims data from 2024 indicates that nearly half (47%) of ransomware cases involved compromised credentials, typically targeting Remote Desktop Protocol (RDP) and VPN services. This is further supported by data from an MDR provider, showing that identity-related cases accounted for nearly 70% of all incidents in 2024.

Breakdown (percentages) of incidents detected by the Expel SOC in 2023 and 2024 (Expel)

Social engineering attacks—now more sophisticated due to Generative AI—continue to play a central role in credential theft. However, the data also shows that organizations frequently fail to implement basic security measures effectively: brute-force attacks remain highly successful, contributing to 42% of identity-compromise cases in insurance claims. This aligns with findings from incident response teams, which identified weak passwords and absent multi-factor authentication (MFA) as root issues.

Trends in identity and access management issues from 2023 to 2024 (Palo Alto Networks Unit 42)

Additionally, infostealers have emerged as the dominant malware type deployed in endpoint incidents. The initial access marketplace continues to expand significantly, with 3.2 billion compromised credentials available in 2024—a 33% increase from the previous year—of which infostealers were responsible for approximately 75%.

The extensive and growing reliance on machine identities further complicates these risks. A survey of 1,200 security leaders indicated that half experienced significant breaches directly linked to compromised machine identities, primarily involving API keys and SSL/TLS certificates. With machine identity usage expected to increase by up to 150% within the next year, securely managing these identities has become critically important.

Top machine identities involved in a security incident (CyberArk)

Credential leaks frequently occur even without targeted attacks. Analysis from GitGuardian revealed over 23 million hardcoded secrets publicly exposed on GitHub in 2024—a 25% year-over-year increase, despite GitHub’s preventive measures during code pushes. Notably, repositories utilizing GitHub Copilot experienced a 40% higher incidence of leaked secrets, confirming the security concerns commonly associated with using Large Language Models (LLMs) for code generation.

New secrets detected on GitHub (millions) (GitGuardian)

Importance of resilience capabilities as threat actors seek disruption

Incident response data from 2024 underscores a growing emphasis by threat actors on causing intentional operational disruption. Financially motivated attackers have increasingly shifted their strategies toward deliberate sabotage—destroying systems, restricting access to critical resources, and causing extended downtime—to maximize pressure on victims and compel ransom payments. According to Unit 42, 86% of incidents in 2024 resulted in measurable business impacts, including:

  • Complete operational disruption
  • Asset loss and fraud
  • Reputational and market damage resulting from publicly disclosed attacks
  • Increased operational, legal, and regulatory costs

The ongoing creativity of threat actors in identifying new pressure points highlights the critical importance of developing comprehensive resilience capabilities. This includes not only robust cyber resilience measures, such as effective backups and technical recovery processes, but also holistic organizational incident response plans incorporating operational, business continuity, and communication strategies.

Prevalence of extortion tactics in extortion-related cases (Palo Alto Networks Unit 42)

Reports monitored: 4-24 March

To take a deeper dive in the topics most relevant for you, find below a list of all the monitored research reports (31) that were published during the observed period.

Featured reports

| Title | Organisation(s) | Topic(s) |
|---|---|---|
| Bitdefender Threat Debrief \| March 2025 | Bitdefender | ransomware / threat intel |
| Cyber Threat Index 2025 | Coalition | insurance insights / general / IR data |
| 2025 Annual Threat Report | Expel | threat intel / general |
| Flashpoint 2025 Global Threat Intelligence Report: Stay Ahead of Emerging Threats | Flashpoint | threat intel / general |
| 2025 State of Machine Identity Security Report | CyberArk | machine identities |
| Global Incident Response Report 2025 | Palo Alto Networks / Unit 42 | IR engagement data |

Other reports monitored

| Title | Organisation(s) | Topic(s) |
|---|---|---|
| 2024 Annual OT/ICS Cybersecurity Report | TXOne Networks | OT/ICS |
| 2025 ICS/OT Cybersecurity Budget: Spending Trends, Challenges, and the Future | OPSWAT / SANS | OT/ICS / budgets / threat intel / general |
| MSP Horizons Report 2025 | N-ABLE | MSPs / general |
| How are Healthcare Leaders Staying Cyber Resilient? | FinThrive / HIMSS | healthcare |
| The State of AI Cybersecurity 2025 | Darktrace | AI security |
| Cybersecurity at the Crossroads | Fastly | general |
| SoSafe 2025 Cybercrime Trends | SoSafe | general |
| Building cyber resilient healthcare | BT | healthcare |
| 2025 MSP Threat Report | ConnectWise | MSPs / general |
| CYBER THREAT OVERVIEW 2024 ANSSI | ANSSI | threat intel / national |
| Security Approaches Around the Globe: The Confidence Gap | KnowBe4 | awareness / training |
| Unlock the Resilience Factor: Why 'Resilient by Design' is the next cyber imperative | Zscaler | zero trust / general |
| The dragon’s hour: how Incident Response turns ruin into resilience | Kaspersky | IR insights |
| The State of Human Risk 2025 | Mimecast / Vanson Bourne | human risk |
| Voice of Security 2025 | Tines | leaders' perspective / SOC / AI / automation |
| New Zealand Business Cyber Security Report | Kordia | New Zealand |
| State of WordPress Security In 2025 | Patchstack | WordPress / vulns |
| Under the Surface: Uncovering Cyber Risk in the Global Supply Chain | Bitsight | supply chain / external scanning |
| 2025 Enterprise Data Security Confidence Index | Bedrock Security | data visibility / AI governance |
| 2025 State of Cybersecurity Report: Paradigm Shift | Ivanti | leaders' perspectives / various |
| OT/IoT Cybersecurity Trends and Insights | Nozomi Networks | OT/IT/IoT |
| Hacked and Exposed: What Business Leaders Need to Know About Cyber Threats | Egnyte | consumers / individuals |
| 2025 CIS MS-ISAC K-12 Cybersecurity Report: Where Education Meets Community Resilience | Center for Internet Security | education / US |
| State of Browser Security | Menlo Security | browsers |
| 2025 State of Secrets Sprawl report | GitGuardian | Docker Hub / leaks / secrets |
| ThreatLabz 2025 AI Security Report | Zscaler | AI security |
| Cyber Security in Critical National Infrastructure: 2025 | Bridewell | critical infrastructure / UK |
| 2025 Threat Detection Report | Red Canary | threat intel / general |
| 2025 Digital Trust Index | Thales | consumers / trust |

About

evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.


✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)