Is ransomware finally cracking under its own weight?
Google Threat Intelligence’s deep dive into 2025 incidents — drawn from Mandiant’s frontline responses — paints a brutal picture. Record-high victim posts on data leak sites, sure. But profitability? That’s cratering, thanks to smarter cybersecurity, quicker recoveries, and stingier payments. It’s the cyber equivalent of a gold rush turning into a ghost town.
Here’s the raw data: a third of breaches kicked off with exploited vulnerabilities in VPNs and firewalls. Shocking? Not really — these are the low-hanging fruit actors chase when margins tighten. And data theft? It spiked to 77% of cases, up from 57% in 2024. They’re not just encrypting anymore; they’re hoarding secrets for leverage.
Why Are Ransomware Profits Dropping in 2025?
Blame the ecosystem shakeups. LockBit, ALPHV, Basta, RansomHub — all hammered by cops or infighting. Yet Qilin and Akira swooped in, filling the void. Figure 1 from the report shows DLS posts hitting all-time highs. But here’s my take: it’s volume over value. Smaller targets, sure, but payouts shrinking as boards wise up.
REDBIKE led the pack at 30% of incidents. Not sexy, but effective — commoditized via RaaS, lowering barriers for script kiddies. And virtualization infrastructure? Targeted in 43% of cases, up from 29%. Why? Hypervisors like VMware ESXi hold the keys to sprawl; nuking them maximizes chaos.
In approximately 43% of ransomware intrusions we responded to in 2025, the threat actors were observed targeting virtualization infrastructure, an increase from 29% in 2024.
That’s straight from GTIG. Chilling stat — your VM farm just became ground zero.
Actors are ditching old tricks too. BEACON and MIMIKATZ? Fading. Remote tools plateaued. Evolution in action, folks.
But wait — smaller orgs in the crosshairs now. Makes sense: fat enterprises patched up, so squeeze the SMBs. AI in negotiations? Web3 for infra resilience? Cute pivots, but don’t buy the hype. It’s desperation dressed as innovation.
My unique angle: this mirrors the 2000s worm era. Back then, antivirus crushed mass malware; worms went targeted. Ransomware’s pulling the same stunt — from spray-and-pray to surgical strikes. Bold call: by 2027, pure data extortion (no encrypt) hits 60% of ops. Profits too thin for the encrypt hassle.
Will Targeting Virtualization Save Ransomware Gangs?
Short answer: temporarily. Here’s why it stings.
Virtualization’s the beating heart of modern IT — ESXi, Hyper-V, you name it. Actors love ‘em because one pop cascades. Enumerate hosts, yank configs, deploy payloads. We’ve seen it in Mandiant logs: 43% ain’t random.
But orgs — listen up. Segment your hypervisors. Patch like your life’s on it (it is). And backups? Air-gapped, tested quarterly. The report nods to their whitepaper on containment; it’s gold.
Shifting targets hit every sector, every region. Asia Pac to South America. No safe havens.
And that REDBIKE dominance? RaaS perfection — affiliates grab access, operators encrypt. 30% share screams market leader.
Profits down means diversification. Secondary monetization: crypto miners in your env? Watch for it. Or straight-up access sales on forums.
Law enforcement’s winning battles — Conti crumbled, LockBit limped — but the war? Crowded field says no. Newbies flood in via RaaS kits.
Here’s the thing: declining payments (orgs recover sans paying) plus disruptions equal adaptation. More aggressive extortion — family threats? Already bubbling.
Why Does This Matter for Your SOC in 2026?
Because TTPs are mutating. Initial access: VPN exploits top the list. Hunt for ‘em in logs.
Data exfil before encrypt — EDR must flag anomalies.
Virtualization focus demands hypervisor hardening. Disable unneeded services, enforce MFA everywhere.
And that uptick in theft? Encrypt traffic, DLP on steroids.
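Detection logic for the exfil-before-encrypt pattern this section warns about, as an added example that is not from the GTIG report or Mandiant: it baselines each host’s hourly egress to external addresses against that host’s own earlier hours and flags abrupt jumps. Host names, IP addresses, byte counts and thresholds are constructed.

```python
"""Flag sudden external egress spikes (constructed flow summaries, not real data)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean

# Constructed flow summaries: "<hour> <src_host> <dst_ip> <bytes_out>".
# esxi-01 sends a 48 GB internal backup at T03 (legitimate) and then
# 3.2 GB to an external address at T04 (the pattern we want to catch).
FLOW_LOG = """\
2025-03-01T00 esxi-01 203.0.113.10 180000
2025-03-01T01 esxi-01 203.0.113.10 150000
2025-03-01T02 esxi-01 203.0.113.10 210000
2025-03-01T03 esxi-01 10.0.0.9 48000000000
2025-03-01T04 esxi-01 198.51.100.7 3200000000
2025-03-01T00 fs-02 203.0.113.10 900000
2025-03-01T01 fs-02 203.0.113.10 850000
2025-03-01T02 fs-02 203.0.113.10 910000
2025-03-01T03 fs-02 203.0.113.10 880000
"""

# RFC 1918 ranges stand in for "internal"; a real deployment would use the
# organisation's own address plan instead of this assumed list.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(dst):
    return any(ip_address(dst) in net for net in INTERNAL_NETS)

def external_egress_per_hour(log_text):
    """Sum outbound bytes per (host, hour), ignoring flows to internal addresses
    so that backup jobs do not drown the signal."""
    agg = defaultdict(int)
    for line in log_text.splitlines():
        hour, host, dst, nbytes = line.split()
        if not is_internal(dst):
            agg[(host, hour)] += int(nbytes)
    return agg

def flag_exfil(agg, floor_bytes=1_000_000_000, ratio=10.0, min_history=3):
    """Return [(host, hour, bytes)] for hours whose external egress exceeds both
    an absolute floor and ratio x the mean of that host's earlier hours.
    Hosts with fewer than min_history prior hours are never flagged."""
    history = defaultdict(list)
    hits = []
    for (host, hour), total in sorted(agg.items()):
        prior = history[host]
        if len(prior) >= min_history and total >= floor_bytes and total > ratio * mean(prior):
            hits.append((host, hour, total))
        prior.append(total)
    return hits

if __name__ == "__main__":
    for host, hour, nbytes in flag_exfil(external_egress_per_hour(FLOW_LOG)):
        print(f"possible exfil: {host} at {hour}: {nbytes:,} bytes to external hosts")
```

Tune the floor and ratio to each host class: a hypervisor that normally pushes a few hundred kilobytes outbound per hour has a very different baseline from a public web server.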
GTIG’s sample skews toward consulting engagements — bigger fish — but the trends hold globally.
Prediction time: 2026 sees RaaS fractures accelerate, birthing hybrid models. Pure encrypt dies; extortion reigns.
Don’t sleep on it.
Frequently Asked Questions
What were the top ransomware tactics in 2025?
Exploits in VPNs/firewalls (33%), data theft (77%), virtualization targeting (43%). REDBIKE ruled at 30%.
Is ransomware declining in 2026?
Profits yes, activity no — record DLS posts, new groups like Qilin/Akira thriving. Expect extortion pivot.
How to protect against 2025 ransomware TTPs?
Patch VPNs, secure hypervisors, air-gap backups, deploy EDR for exfil detection. Check GTIG’s whitepaper.