Ransomware groups now combine encryption with data theft, third-party pressure, and access purchased from specialist brokers. These tactics change how security teams prepare for an incident.
Ransomware costs can include downtime, recovery, legal work, notification, and lost business in addition to any payment demand. Estimate those components from the organization's own systems and obligations.
The sections below cover ten tactics and operating changes reported in 2025.
1. Double and Triple Extortion Become Standard
Traditional ransomware encrypted files and demanded payment for decryption. In double extortion, attackers also steal data and threaten to publish it. Established groups now use this tactic regularly.
Triple extortion adds direct pressure on customers, partners, or other stakeholders:
- Encrypting the victim's systems (traditional ransomware)
- Threatening to publish stolen data if ransom isn't paid (double extortion)
- Threatening the victim's customers, partners, or stakeholders directly (triple extortion)
In a triple-extortion scenario, attackers contact the victim's customers and threaten to publish their information. The contact adds pressure even if the primary victim refuses to pay.
Trend Alert:
Groups such as BlackCat/ALPHV and LockBit have advertised triple-extortion capabilities. Some maintained databases of victim customers so they could contact those customers directly.
2. Ransomware-as-a-Service (RaaS) Expands Access
Ransomware-as-a-Service platforms lower the technical barrier by licensing malware and infrastructure to affiliates who conduct the attacks.
The RaaS model works like legitimate SaaS:
- Affiliates (attackers) license ransomware from operators (developers)
- Affiliates conduct attacks using the provided ransomware
- Operators and affiliates divide proceeds under terms set by the criminal service
- Operators provide leak sites, negotiation support, and payment processing
This division of labor gives less experienced affiliates access to ransomware built and supported by specialist operators. Groups such as LockBit, BlackCat, and Hive have used the RaaS model.
3. Initial Access Brokers Fuel Attacks
Initial Access Brokers (IABs) compromise networks and sell that access to other attackers. They may exploit a vulnerability or obtain valid credentials, then advertise the access on underground forums.
Typical IAB offerings include:
- VPN credentials for corporate networks
- Remote Desktop Protocol (RDP) access
- Webshells on compromised servers
- Valid domain administrator credentials
Ransomware operators may purchase existing network access, avoiding the work of establishing the initial foothold themselves.
Security teams therefore have to account for direct intrusion attempts and access that another attacker established before the ransomware operator arrived.
4. Supply Chain and Third-Party Targeting
A compromised software vendor or service provider can expose many downstream customers. Ransomware groups use this route to reach organizations through a shared supplier.
Supply-chain incidents can involve managed service providers, software vendors, or cloud infrastructure providers. A compromised supplier may expose more than one downstream customer.
Include vendors with system or data access in security reviews and incident plans.
5. Faster Attacks, Less Dwell Time
Some ransomware operators move quickly from initial access through data exfiltration and encryption. Teams should measure their own detection and containment intervals.
This "smash and grab" approach reduces the window for detection and response. A response plan should not assume a long dwell time.
Opportunistic attackers can scan for a disclosed vulnerability and automate exploitation. Use the organization's exposure and change process to set the patch priority.
Speed Matters:
Periodic reviews leave gaps between review dates. Add ongoing detection controls where the system's risk and response requirements justify them.
6. Targeting Specific Industries
Some ransomware groups specialize by industry:
Healthcare: Patient care, sensitive records, and service availability can increase the operational pressure during an incident. Payment decisions belong to the incident lead, legal counsel, and relevant authorities.
Financial Services: Banks, insurance companies, and fintech face sophisticated attacks because of valuable data and regulatory pressure to maintain operations and protect customer information.
Legal Firms: Law firms hold highly sensitive client information and intellectual property, making them prime targets for extortion. Client privilege concerns create additional payment pressure.
Manufacturing: Production outages can create substantial operating losses. Estimate the impact from the affected site's own production and recovery data.
Education: Universities and schools hold research data, student records, and often have limited security budgets, making them attractive soft targets.
7. Cryptocurrency Remains Preferred Payment Method
Despite law-enforcement attention and fund seizures, attackers continue to request cryptocurrency, particularly Bitcoin and Monero. Reported payment practices include:
- Greater use of privacy coins like Monero for harder-to-trace transactions
- Sophisticated laundering through mixers and exchanges
- Some groups accepting other forms of payment or cryptocurrency
- Increasing use of cryptocurrency ATMs for anonymity
A ransom payment may require cryptocurrency handling, can raise sanctions concerns, and does not guarantee data recovery or deletion.
8. Data Destruction and Wiper Attacks
Some attacks with geopolitical motives deploy data-wiping malware disguised as ransomware. The malware destroys data instead of holding it for payment.
Reports also describe financially motivated groups destroying data after a victim refuses payment. Tested offline backups give the organization a recovery path when the affected data cannot be restored from production systems.
9. Groups Reorganize After Law-Enforcement Action
International law enforcement has seized infrastructure, arrested operators, and recovered cryptocurrency. Some affiliates continue under another group after a disruption.
After actions against operations such as Hive or BlackCat, some operators and affiliates have reappeared under new names. A takedown may disrupt an operation without removing all of its participants.
Organizations still need their own prevention, detection, and recovery controls after a takedown.
10. Artificial Intelligence in Ransomware Operations
Both attackers and defenders are leveraging AI, but attackers are finding creative applications:
- AI-generated phishing emails with superior grammar and personalization
- Automated vulnerability scanning and exploitation
- Machine learning to identify high-value targets and data
- AI-assisted social engineering and impersonation
Ransomware operators may use accessible AI tools during reconnaissance, initial access, and social engineering.
Protecting Your Organization
Organizations can address these tactics with the following controls:
- Implement Dark Web Monitoring: Investigate matches involving your organization on leak sites or credential forums.
- Zero Trust Architecture: Assume breach and limit lateral movement through network segmentation and least-privilege access.
- Risk-Based Patching: Let the vulnerability and change owners prioritize an exposed critical flaw using evidence of exploitation, asset exposure, and operational risk.
- Offline Backups: Maintain immutable, offline backups that ransomware cannot encrypt. Test restoration regularly.
- Multi-Factor Authentication: Apply MFA according to the identity policy, prioritizing VPN, email, and administrative access.
- Third-Party Risk Management: Assess vendor security, require security standards in contracts, and monitor vendors for breaches.
- Incident Response Planning: Have tested IR plans including ransomware-specific scenarios. Know who to call and what to do before an attack occurs.
- Employee Training: Regular security awareness training reduces phishing success, a common initial access vector.
- Endpoint Detection and Response (EDR): Deploy EDR solutions that can detect and respond to ransomware behavior patterns.
- Network Monitoring: Implement continuous monitoring to detect unusual lateral movement, data exfiltration, or communication with known malicious infrastructure.
Conclusion
Ransomware can interrupt operations, expose regulated data, and create legal and recovery costs. Business leaders need to include those effects in incident planning alongside the technical response.
Core controls include patching, tested backups, access control, and monitoring. Each one addresses a different stage of the attack.
Attackers can still get through preventive controls. Detection and a tested response plan limit the time they have inside the environment.
Review the plan against the tactics above, assign owners, and test recovery before an incident.