Lights out in a Chicago data center, mid-January 2025. Another ransomware crew had slipped in via a VPN flaw that already had a patch available, encrypting servers and swiping terabytes of patient records.
That’s the scene repeating worldwide, per Google Threat Intelligence’s latest report on 2025 ransomware TTPs. Record-high victims on data leak sites (DLS) — Figure 1 tallies the top 10 — but here’s the twist: profitability’s crumbling. Improved defenses, better recoveries, stingier payments. Law enforcement takedowns hammered LockBit, ALPHV, Basta, RansomHub. Qilin and Akira stepped up, sure, but the ecosystem’s fracturing.
Why Ransomware Profits Are Finally Cracking
Look, it’s not hype — Mandiant’s hands-on responses to 2025 incidents paint the picture. A third kicked off with exploited vulnerabilities, mostly VPNs and firewalls. That’s up, and it’s no shock; orgs patch slower than actors probe.
Data theft? Skyrocketed to 77% of cases, from 57% last year. They’re grabbing files first, encrypting second — or skipping encryption altogether for pure extortion. And virtualization targets? 43%, double from 2024’s 29%. Hypervisors like VMware ESXi and Hyper-V — juicy for lateral spread.
REDBIKE led the pack at 30%. Old reliables like BEACON and MIMIKATZ? Fading. Remote tools plateaued.
But profits? Declining payments, higher recovery rates. Actors pivot: smaller targets, AI in negotiations (chatbots haggling ransoms?), Web3 for resilient comms.
In a third of incidents, the initial access vector was confirmed or suspected exploitation of vulnerabilities, most often in common VPNs and firewalls.
Spot on — that’s Mandiant’s direct observation. Echoes the report’s core: post-compromise ransomware after intrusions, across regions and sectors. No pure data theft there; those intrusions ended with the encryptors deployed.
Qilin and Akira: Vacuum Fillers or Fading Stars?
Disruptions hit hard. Internal beefs, FBI raids — poof, groups vanish. Yet DLS posts peaked. Qilin, Akira surged. But is this sustainable?
Here’s my take, absent from Google’s analysis: it’s 2017 WannaCry all over again, but reversed. Back then, one worm birthed the RaaS explosion. Now, takedowns spawn fragmentation — more groups, thinner margins. Bold call: by 2026, we’ll see ransomware hybrids, blending encryption with crypto-mining or sustained access sales on Genesis Market remnants. Profits too low? Monetize the foothold twice.
Actors adapt fast. Smaller orgs now in crosshairs — easier marks, less scrutiny. AI? Not revolutionizing attacks (yet), but smoothing ops. Web3? Tor’s edgier cousin for C2.
And those TTPs? Consistent grinds: initial access via vulns or phishing (suspected), then credential dumping, lateral moves. Less Cobalt Strike, more living-off-the-land.
Is Your Virtualization Layer the New Bullseye?
43% targeting vSphere, ESXi, the works. Why? One pop, whole farms go dark. Recovery? Nightmarish.
Org defenses improved — sure. But actors smell weakness. 77% data grabs mean double extortion’s table stakes. Pay or leak; sometimes pay and leak anyway.
Google predicts persistence into 2026, with shifts: more data-only ops, aggressive tactics, secondary hustles. Fair. But don’t buy the doom spin — falling payments prove the pressure works. LE ops, hardening, backups. It’s bending the curve.
Yet complacency kills. That Chicago data center? They skipped multi-factor on VPN. Don’t be them.
Crowded field, sure. Record DLS. But the ecosystem’s wobbling — commoditization cut barriers, now it’s oversupply. Like Uber drivers flooding streets, fares tank.
Mandiant’s sample? Biased to big engagements, APAC-heavy. Still, gold-standard data.
Ransomware TTPs: The Unsexy Reality Check
Vulns first. VPNs (Pulse Secure, Fortinet), firewalls. Patch ’em.
Then creds: rarely Mimikatz now; PowerShell, SAM hive dumps.
Lateral: RDP, SMB. Virt targets for max pain.
Deploy: REDBIKE, others. Exfil first.
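The chain above, as an added detection example (not code from Google’s or Mandiant’s report): a Python correlator run over constructed telemetry that flags the SAM/SYSTEM hive saves, RDP fan-out and bulk outbound transfer the list names, per host and in time order. The event schema, hostnames and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (process, logon, netflow records), not from any real incident.
EVENTS = [
    {"ts": "2025-01-14T02:01:00", "host": "WS01", "type": "process", "image": "reg.exe",
     "cmdline": r"reg save HKLM\SAM C:\Windows\Temp\sam.hiv"},
    {"ts": "2025-01-14T02:01:05", "host": "WS01", "type": "process", "image": "reg.exe",
     "cmdline": r"reg save HKLM\SYSTEM C:\Windows\Temp\sys.hiv"},
    {"ts": "2025-01-14T02:20:00", "host": "WS01", "type": "logon", "logon_type": 10, "dest": "SRV01"},
    {"ts": "2025-01-14T02:22:00", "host": "WS01", "type": "logon", "logon_type": 10, "dest": "SRV02"},
    {"ts": "2025-01-14T02:25:00", "host": "WS01", "type": "logon", "logon_type": 10, "dest": "ESX-MGMT"},
    {"ts": "2025-01-14T03:10:00", "host": "SRV01", "type": "netflow", "dest_ip": "203.0.113.9",
     "bytes_out": 42_000_000_000},
    {"ts": "2025-01-14T09:00:00", "host": "WS07", "type": "logon", "logon_type": 10, "dest": "SRV01"},
]
HIVES = ("hklm\\sam", "hklm\\system", "hklm\\security")

def is_hive_dump(ev):
    """reg.exe saving SAM/SYSTEM/SECURITY: offline credential extraction with no Mimikatz on disk."""
    cmd = ev.get("cmdline", "").lower()
    return (ev["type"] == "process" and ev.get("image", "").lower() == "reg.exe"
            and " save " in cmd and any(h in cmd for h in HIVES))

def detect_stages(events, fanout_window=timedelta(minutes=30), min_dests=3, exfil_bytes=10_000_000_000):
    """Map each host to the ordered chain stages seen on it: credential_dump, rdp_fanout, bulk_exfil."""
    stages = defaultdict(list)          # host -> [(time, stage)]
    rdp = defaultdict(list)             # host -> [(time, destination)] for logon type 10 (RDP)
    for ev in events:
        t = datetime.fromisoformat(ev["ts"])
        if is_hive_dump(ev):
            stages[ev["host"]].append((t, "credential_dump"))
        elif ev["type"] == "logon" and ev.get("logon_type") == 10:
            rdp[ev["host"]].append((t, ev["dest"]))
        elif ev["type"] == "netflow" and ev.get("bytes_out", 0) >= exfil_bytes:
            stages[ev["host"]].append((t, "bulk_exfil"))   # exfil before encryption: double extortion
    for host, logons in rdp.items():    # RDP fan-out: one source reaching many hosts in a short window
        for t0, _ in logons:
            dests = {d for t, d in logons if t0 <= t <= t0 + fanout_window}
            if len(dests) >= min_dests:
                stages[host].append((t0, "rdp_fanout"))
                break
    return {h: list(dict.fromkeys(s for _, s in sorted(seq))) for h, seq in stages.items()}

def chain_score(findings):
    """Number of distinct chain stages seen estate-wide; 2+ means escalate, not just triage."""
    return len({s for stages in findings.values() for s in stages})
```

Run `detect_stages(EVENTS)` on the sample: WS01 shows the hive dump followed by RDP fan-out (including the hypervisor management host), SRV01 the bulk transfer, while WS07’s single admin RDP session stays quiet.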
In short: defenses evolve faster than actors innovate. That’s the win.
Expect 2026 pivots. Pure extortion rises. Hybrids, as I said. Target shifts — SMBs, sure, but critical infra lingers.
Google nods to their whitepaper: endpoint hardening, containment. Read it.
But my edge: this squeeze foreshadows decline. Like physical bank heists post-ATMs — cyber’s hitting that wall. Actors scatter to infostealers, fraud. Ransomware? Niche pain, not king.
Frequently Asked Questions
What are the most common 2025 ransomware initial access methods?
Exploits in VPNs and firewalls topped the list in a third of Mandiant incidents; phishing suspected in others.
Why are ransomware groups targeting virtualization more?
43% of cases hit hypervisors — encrypt one host, cripple dozens. Massive disruption, tough recovery.
Will ransomware profits keep falling in 2026?
Likely, with better defenses and LE pressure; expect actors to hybridize with data extortion or access sales.