1️⃣ Ransomware ≠ Encryption
- Traditional encryption is no longer the primary monetization method.
- The main business model has shifted to data theft and extortion-first.
- Leading actors: RansomHub, Akira, INC/Lynx.
- The focus is on stealing sensitive data and applying pressure through potential leaks and publications.
2️⃣ RAT + RMM as Standard Access Vectors
- 75% of remote accesses are achieved via Remote Access Trojans (RATs).
- Widespread abuse of Remote Monitoring and Management (RMM) tools.
- Attackers blend in by mimicking legitimate IT administration activity.
3️⃣ Living off the Land: Abusing Built-in Admin Tools
- Attackers extensively leverage native system tools to evade detection.
- IOC-based detection is becoming useless; only behavioral analytics remain effective.
4️⃣ Targeted and Sophisticated Phishing Campaigns
- Social engineering has reached a new level:
  - QR code phishing
  - E-signature spoofing
  - OSINT-driven personalization
  - Image-based phishing
- Traditional anti-phishing filters can no longer provide sufficient protection.
5️⃣ SMBs Are No Longer “Too Small to Target”
- The gap between enterprise and SMB targets has fully disappeared.
- SMBs are increasingly targeted due to weak SOC capabilities, absence of DLP, and immature access controls.
6️⃣ Attack Speed: Hours, Not Days
- Average Time-to-Ransom: 17 hours.
- Top groups (Akira, RansomHub, INC/Lynx) execute attacks within 4–7 hours from initial compromise to final payload delivery.
- Incident response must happen in near real-time, not during post-incident log analysis.
Protection Takeaways for 2025:
✔️ The traditional model (Firewall + AV + Backups) no longer works.
✔️ Full-scale SOC, behavioral analytics, DLP, RMM control, and supply chain security are mandatory.
✔️ Any integration or SaaS service may become an entry point.
✔️ Cutting cybersecurity costs creates only a false sense of stability; risks escalate much faster today.