Building on insights from Rapid7’s Q1 and Q2 2025 ransomware trend reports, it’s clear that the ransomware economy continues to evolve – and not just in volume, but also in business maturity. As threat actors shift tactics, tools, and partnerships, defenders face a complex landscape shaped by affiliate churn, rising ransom demands, and increasingly sophisticated social engineering campaigns.
This blog explores the latest 2025 ransomware trends, the threat intelligence behind them, and practical takeaways to help security teams stay ahead of the threat.
1. Known vulnerabilities are still the easiest way in
Despite widespread patching awareness, attackers continue to exploit known vulnerabilities as a primary entry point. CVEs listed in the CISA Known Exploited Vulnerabilities (KEV) catalog remain popular, particularly in widely deployed third-party tools.
Rapid7’s Exposure Command platform continues to surface and prioritize these high-risk exposures, especially those tied to ransomware groups. But even when fixes exist, patch coverage can be uneven due to complex infrastructure or reliance on third-party vendors.
Q2 analysis highlighted consistent exploitation of vulnerabilities in Fortinet, Ivanti, and VMware, reinforcing that unpatched, externally exposed systems remain one of the most reliable attack paths.
Security takeaway:
Adopt risk-based vulnerability management. Focus on exposures most likely to be exploited in the wild, and close patch gaps in external-facing systems as a priority.
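One way to put that prioritization into practice, as an added example (not Rapid7 code): join an asset inventory against the CISA KEV feed, whose JSON entries carry `cveID` and `knownRansomwareCampaignUse` fields, and rank KEV-listed, ransomware-linked, externally exposed findings first. The KEV sample, inventory and CVE ids below are constructed placeholders.

```python
"""Rank an asset inventory's open CVEs the way the takeaway above suggests:
KEV-listed, ransomware-linked, externally exposed first (constructed data)."""
import json
from dataclasses import dataclass

# Constructed sample in the shape of the CISA KEV JSON feed; the CVE ids are
# placeholders, not real entries.
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
     "product": "EdgeGateway", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor",
     "product": "InternalTool", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed inventory: (asset, open CVE, internet-facing?)
INVENTORY = [
    ("vpn-edge-01", "CVE-0000-00001", True),
    ("build-server", "CVE-0000-00002", False),
    ("file-share", "CVE-0000-00003", False),   # not in KEV at all
    ("wiki-internal", "CVE-0000-00001", False),
]

@dataclass
class Finding:
    asset: str
    cve: str
    external: bool
    in_kev: bool
    ransomware_use: bool

    @property
    def score(self) -> int:
        # Weighted so that any KEV entry outranks a non-KEV one, a
        # ransomware-linked KEV entry outranks a plain one, and external
        # exposure breaks ties upward.
        return 4 * self.in_kev + 2 * self.ransomware_use + 1 * self.external

def load_kev(text: str) -> dict:
    """Map cveID -> True if CISA flags known ransomware campaign use."""
    return {v["cveID"]: v.get("knownRansomwareCampaignUse") == "Known"
            for v in json.loads(text)["vulnerabilities"]}

def prioritize(inventory, kev) -> list:
    findings = [Finding(a, c, ext, c in kev, kev.get(c, False))
                for a, c, ext in inventory]
    return sorted(findings, key=lambda f: (-f.score, f.asset))
```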
2. Social engineering dominates initial access
From Q1 through Q2, one access vector has remained consistently dominant: social engineering. Whether through phishing, help desk manipulation, or impersonating IT support via Microsoft Teams, identity-centric tactics outpace technical exploits in modern ransomware campaigns.
Rapid7’s Q1 report revealed that over 50% of ransomware intrusions began with compromised credentials or weak MFA. That pattern held in Q2, with several campaigns, including a surge in Scattered Spider activity, leveraging voice- and chat-based pretexts to manipulate internal teams into granting access.
Security takeaway:
Lock down your help desk. Enforce strict caller verification, limit high-risk password resets, and run simulations involving fake IT or vendor support calls. MFA alone is not enough; it must be phishing-resistant and behavior-aware.
3. Ransomware’s business model continues to evolve
Ransomware groups operate like mature businesses, using a layered model: initial access brokers gain entry, affiliates escalate privileges and exfiltrate data, and RaaS operators deploy encryption.
A stark example is the May 2025 ransomware attack on Marks & Spencer. The breach (which began with social engineering) resulted in data exfiltration and encryption. While the specific entry method wasn’t disclosed, tactics closely resembled Scattered Spider’s known impersonation techniques. Pay2Key, a ransomware group linked to Iran, was reported to have deployed the payload (BleepingComputer, The Hacker News).
Adding to the complexity, one of the attackers tied to the campaign is reportedly just 17 years old (BBC News). This highlights just how accessible ransomware tooling has become, enabling younger, less experienced actors to operate within a professional criminal ecosystem.
These developments point to two ransomware trends in 2025:
- Campaigns are collaborative and multi-stage, with intrusion and encryption separated by roles
- Motivations are blending financial and geopolitical goals, complicating attribution and response
Security takeaway:
Invest in multi-vector detection. Monitor for lateral movement, unauthorized RMM usage, and data staging, regardless of attacker sophistication level.
4. Exfiltration is still dominant, but infrastructure takedown is back
In both Q1 and Q2, ransomware incidents overwhelmingly featured data exfiltration before encryption, confirming that attackers prioritize leverage and extortion over disruption. According to Q2 data:
- Exfiltration was used in 74% of extortion campaigns
- Lateral movement was present in 60% of observed ransomware incidents
- Common techniques included PowerShell abuse, native tooling, and stealthy cloud data transfer
However, a newer, more aggressive trend is emerging: ransomware groups, especially those linked to Scattered Spider, are increasingly targeting virtual server infrastructure directly. According to recent threat reports, Scattered Spider has specifically attacked VMware vSphere and ESXi hypervisors as a way to cripple entire environments quickly and achieve maximum operational disruption, particularly in sectors like retail and insurance.
Unlike traditional ransomware playbooks, this tactic moves beyond endpoint encryption—threat actors gain access via social engineering and help desk impersonation, escalate to vCenter, enable SSH on ESXi hosts, reset root passwords, then deploy ransomware at the hypervisor level. The effect: the destruction of backups, virtual machines, and recovery infrastructure in a single operation, dramatically increasing pressure to pay.
Security takeaway:
Look beyond endpoints. Build ransomware detection around infrastructure activity, not just file encryption, including access to hypervisors, backup systems, and unusual VM shutdowns or deletions.
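As an added example (not Rapid7 code), the detection logic below turns the hypervisor playbook described above into two correlations run over constructed ESXi/vCenter-style log lines: SSH being enabled on a host followed by a root password change within a short window, and a burst of VM power-off or delete events on one host. The log format, host names and message strings are simplified constructions, not a real product's log layout.

```python
"""Detection logic for the hypervisor playbook above, run over constructed
ESXi/vCenter-style syslog lines (simplified format; not a real product log)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: timestamp, host, process, message.
LOG = """\
2025-05-10T02:14:03Z esx-01 hostd: Service TSM-SSH started by user helpdesk-admin
2025-05-10T02:15:41Z esx-01 hostd: Password for user root changed by helpdesk-admin
2025-05-10T02:20:05Z esx-01 vpxa: VM backup-proxy-01 powered off
2025-05-10T02:20:07Z esx-01 vpxa: VM dc-01 powered off
2025-05-10T02:20:09Z esx-01 vpxa: VM fileserver-02 powered off
2025-05-10T02:20:12Z esx-01 vpxa: VM app-07 powered off
2025-05-10T02:20:15Z esx-01 vpxa: VM backup-proxy-01 deleted
2025-05-10T09:00:00Z esx-02 vpxa: VM test-vm powered off
"""

LINE = re.compile(r"^(\S+) (\S+) \S+: (.*)$")
SSH_ON = re.compile(r"Service TSM-SSH started")
ROOT_PW = re.compile(r"Password for user root changed")
VM_DOWN = re.compile(r"VM \S+ (powered off|deleted)")

def parse(text):
    """Yield (timestamp, host, message) for every well-formed line."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3)

def detect(text, pair_window=timedelta(minutes=30), burst_window=timedelta(minutes=5), burst_min=3):
    """Return (rule, host, time) alerts: SSH enabled then root password
    changed on the same host, and bursts of VM power-off/delete events."""
    alerts = []
    ssh_seen = {}                    # host -> time SSH service was started
    vm_events = defaultdict(list)    # host -> recent VM down timestamps
    for ts, host, msg in parse(text):
        if SSH_ON.search(msg):
            ssh_seen[host] = ts
        elif ROOT_PW.search(msg):
            t0 = ssh_seen.get(host)
            if t0 and ts - t0 <= pair_window:
                alerts.append(("ssh_then_root_reset", host, ts))
        elif VM_DOWN.search(msg):
            window = [t for t in vm_events[host] if ts - t <= burst_window]
            window.append(ts)
            vm_events[host] = window
            if len(window) == burst_min:   # fire once as the threshold is crossed
                alerts.append(("vm_shutdown_burst", host, ts))
    return alerts
```

Feed the same correlations from SIEM-normalized hypervisor and backup-server events, with the windows tuned to your change-management cadence so planned maintenance does not trip the burst rule.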
5. The affiliate ecosystem is volatile… and thriving
Rapid7 observed 65 active ransomware groups in Q2 2025, down slightly from Q1, but that doesn’t mean the threat is shrinking. A total of 96 distinct groups have been active so far in 2025, marking a 41% increase over the same period in 2024.
This turnover is driven by affiliate drift: when major RaaS programs shut down, their affiliates often shift to other platforms. For example, the closure of RansomHub led to a rapid reallocation of talent to newer groups like Akira, Qilin, and ShinyHunters.
Security takeaway:
Don’t chase names. Instead, map detections to MITRE ATT&CK TTPs and focus on patterns like credential abuse, scheduled tasks, and C2 behavior. Threat actor brands change; tradecraft usually doesn’t.
Responding to the modern ransomware model
The ransomware landscape in 2025 is dynamic, fast-moving, and more industrialized than ever. While group names may shift, the fundamental playbook remains consistent: infiltrate, persist, exfiltrate, extort.
What security teams can do now:
- Continuously map and monitor your external attack surface
- Patch high-impact vulnerabilities before attackers do
- Elevate identity controls with phishing-resistant MFA and access policies
- Build detection aligned to adversary behavior, not malware signatures
- Run tabletop exercises that simulate help desk fraud, exfil-first ransomware, and affiliate switching
Because in 2025, defending against ransomware isn’t about stopping encryption; it’s about disrupting the business model that makes it profitable in the first place.