Ransomware Retreats, But Cyber Threats Deepen in 2025

By Kirsten Doyle, September 23, 2025
Ransomware payments are down. Attacks are not. 

Ontinue’s 2025 half-year threat intelligence report shows a 35% decline in reported ransomware payments compared to last year, from $1.25 billion to $813 million. Yet the number of claimed breaches tells another story.  

In the first six months of 2025, 4,071 ransomware incidents were recorded across 109 countries. Ninety active groups drove that wave, led by CL0P, AKIRA, and QILIN. 

Services, manufacturing, IT and communications, and retail were hardest hit. Affiliate networks kept operating even after takedowns, rebranding, and resurfacing. LockBit, for example, re-emerged in updated 4.0 and 5.0 forms, showing how quickly operators adapt. 

“Cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months,” said Craig Jones, Chief Security Officer at Ontinue. “In the first half of 2025, we’ve seen ransomware operators overcome takedowns, PhaaS services scale globally, and state-aligned actors target the private sector with increasing precision. Organizations can’t afford to approach security as a static project; it’s a continuous, intelligence-led process.” 

Phishing Evolves 

Phishing-as-a-Service (PhaaS) is scaling globally. Tycoon 2FA, the most widely used adversary-in-the-middle (AiTM) platform, accounted for roughly 65% of credential theft attacks tracked by Ontinue. Its technique is simple: the phishing page is a reverse proxy in front of the real login service, so the victim completes a genuine sign-in, including the MFA prompt, while the proxy captures the password and the resulting session cookie for the attacker to replay. Microsoft 365 and Gmail remain the prime targets. 

Weaponized attachments are also changing. Ontinue logged a 40% rise in SVG-based phishing campaigns. SVG files are XML and can carry embedded JavaScript, event-handler attributes, and links, so they need no Office macros and slip past filters tuned for macro-bearing documents. Over 70% of phishing attachments that made it through secure email gateways were in non-traditional formats such as SVG or IMG. 
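The following is an added example, not code from Ontinue or from this article, showing the kind of static check a mail filter can apply to an SVG attachment: it parses the file as XML and flags the features that make an SVG a lure (script elements, on* event handlers, javascript: hrefs, foreignObject, and external or data: loads). The two sample SVGs are constructed for the example, and the hostname in them is a placeholder.

```python
"""Static triage of SVG e-mail attachments for script-bearing content.

Added example, not code from the Ontinue report or this article. It flags
the features that turn an SVG into a phishing lure: <script> elements,
on* event-handler attributes, javascript: hrefs, <foreignObject> (which can
wrap HTML such as <iframe>), and external or data: loads in <image>, <use>
and <script>. The sample SVGs below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field


@dataclass
class SvgVerdict:
    suspicious: bool
    reasons: list = field(default_factory=list)


def _local(qname: str) -> str:
    """Strip an XML namespace prefix: '{http://...}href' -> 'href'."""
    return qname.rsplit("}", 1)[-1].lower()


def triage_svg(data: bytes) -> SvgVerdict:
    """Return a verdict for one SVG attachment (raw bytes as received)."""
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        # A mail filter should not pass what it cannot parse.
        return SvgVerdict(True, ["not well-formed XML"])

    reasons = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            reasons.append("<script> element")
        elif name == "foreignobject":
            reasons.append("<foreignObject> element (can embed HTML)")
        elif name in ("iframe", "embed", "object"):
            reasons.append(f"<{name}> element inside SVG")
        for attr, value in el.attrib.items():
            a = _local(attr)
            v = value.strip().lower()
            if a.startswith("on"):
                reasons.append(f"event handler {a} on <{name}>")
            elif a == "href" and v.startswith("javascript:"):
                reasons.append(f"javascript: href on <{name}>")
            elif a == "href" and name in ("image", "use", "script") \
                    and v.startswith(("http://", "https://", "//", "data:")):
                reasons.append(f"external or data: load via <{name}>")
    return SvgVerdict(bool(reasons), reasons)


# Constructed samples: a plain icon, and a lure that redirects on load.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <rect x="2" y="2" width="12" height="12" fill="#06c"/>
</svg>"""

LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     onload="window.location='https://login.example.invalid/'">
  <text x="10" y="40">Open document</text>
  <script><![CDATA[
    document.location = atob("aHR0cHM6Ly9sb2dpbi5leGFtcGxlLmludmFsaWQv");
  ]]></script>
</svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, triage_svg(blob))
```

The check is deliberately strict: an SVG that arrives as a mail attachment has no legitimate reason to carry script or event handlers, so any hit is enough to quarantine rather than score.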

“The attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents,” said Balazs Greksza, Director of Threat Response at Ontinue. 

James Maude, Field CTO at BeyondTrust, pointed to the root issue: identity. “No matter if an identity is compromised by bypassing MFA or loading a file from a USB drive, the degree of risk is entirely dependent on the standing privileges that identity has.” 

Cloud Persistence Outpaces Defenders 

Ontinue’s Cyber Defense Center found a widening gap between red team exercises and real incidents. Simulations follow rules. Real adversaries don’t. 

Nearly 40% of Azure intrusions investigated involved multiple persistence layers. Attackers combined application permissions, automated jobs, and role escalation for redundancy. In many cases, they tampered with diagnostic settings or conditional access policies to suppress detection. Median dwell time stretched to 21 days. 

About 20% of incidents used refresh token replay, allowing adversaries to maintain access even after credentials were reset. A password reset on its own does not necessarily invalidate refresh tokens that were already issued, so active sessions and tokens have to be revoked explicitly as part of the response. That persistence gives attackers time to monetize environments quietly. 
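As an added example (not part of the article and not Ontinue's own detection logic), the Python below turns the pattern described above, several persistence layers stacked by one actor plus tampering with diagnostic settings or conditional access, into a detection over audit events. The event schema is a constructed, simplified one; the operation names mirror real Entra ID audit and Azure Activity Log values, but the grouping into categories and the thresholds are this example's own choices.

```python
"""Flag layered persistence and detection suppression in cloud audit logs.

Added example; it is not Ontinue's detection logic and uses a constructed,
simplified event schema (time/actor/operation/target). The operation names
mirror Entra ID audit log activityDisplayName values and Azure Activity Log
operationName values, but the grouping into categories is this example's
own choice and should be tuned to the tenant.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations that establish a foothold, grouped into persistence "layers".
PERSISTENCE = {
    "Consent to application": "app_permission",
    "Add app role assignment to service principal": "app_permission",
    "Add service principal credentials": "app_credential",
    "Add member to role": "role_escalation",
    "Microsoft.Automation/automationAccounts/runbooks/write": "automation_job",
    "Microsoft.Web/sites/functions/write": "automation_job",
}

# Operations that reduce what defenders can see or enforce.
EVASION = {
    "Microsoft.Insights/diagnosticSettings/delete": "diagnostics_removed",
    "Microsoft.Insights/diagnosticSettings/write": "diagnostics_changed",
    "Update conditional access policy": "ca_policy_changed",
    "Delete conditional access policy": "ca_policy_deleted",
}


def max_layers(events, window):
    """Largest number of distinct persistence layers one actor built
    inside any span of length `window`. `events` must be time-sorted."""
    pers = [(e["time"], PERSISTENCE[e["operation"]])
            for e in events if e["operation"] in PERSISTENCE]
    best = 0
    for i, (t0, _) in enumerate(pers):
        cats = {cat for t, cat in pers[i:] if t - t0 <= window}
        best = max(best, len(cats))
    return best


def analyze(events, window=timedelta(hours=24), min_layers=2):
    """Return {actor: finding} for actors that stack >= min_layers distinct
    persistence layers within `window`, or touch any evasion operation."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_actor[e["actor"]].append(e)

    findings = {}
    for actor, evs in by_actor.items():
        layers = max_layers(evs, window)
        evasion = [(EVASION[e["operation"]], e["target"])
                   for e in evs if e["operation"] in EVASION]
        if layers >= min_layers or evasion:
            findings[actor] = {
                "persistence_layers": layers,
                "evasion": evasion,
                # Stacked persistence plus blinding the logs is the
                # combination to escalate first.
                "severity": "high" if layers >= min_layers and evasion else "medium",
            }
    return findings


# Constructed sample: one account builds four layers in three hours and
# then deletes the diagnostic setting that forwards logs to the SIEM;
# a second account makes a single, routine role change.
T0 = datetime(2025, 6, 3, 9, 0)
ACTOR = "svc-backup@contoso.example"
SAMPLE_EVENTS = [
    {"time": T0, "actor": ACTOR,
     "operation": "Consent to application", "target": "MailSync-Helper"},
    {"time": T0 + timedelta(minutes=12), "actor": ACTOR,
     "operation": "Add service principal credentials", "target": "MailSync-Helper"},
    {"time": T0 + timedelta(hours=2), "actor": ACTOR,
     "operation": "Add member to role", "target": "Global Administrator"},
    {"time": T0 + timedelta(hours=3), "actor": ACTOR,
     "operation": "Microsoft.Automation/automationAccounts/runbooks/write",
     "target": "rb-nightly-cleanup"},
    {"time": T0 + timedelta(hours=3, minutes=5), "actor": ACTOR,
     "operation": "Microsoft.Insights/diagnosticSettings/delete",
     "target": "entra-to-sentinel"},
    {"time": T0 + timedelta(days=1), "actor": "alice@contoso.example",
     "operation": "Add member to role", "target": "Helpdesk Administrator"},
]

if __name__ == "__main__":
    for actor, finding in analyze(SAMPLE_EVENTS).items():
        print(actor, finding)
```

The window matters: a 21-day median dwell time means the layers can be days apart, so in production the window should be widened (and the events joined on correlation ID or source IP) rather than left at 24 hours.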

Nivedita Murthy, Senior Staff Consultant at Black Duck, explained: “Despite the availability of advanced monitoring tools, organizations often misconfigure cloud settings, leaving them vulnerable. Traditional phishing tactics, which relied on malicious links and attachments, have become less effective. Attackers now use imagery to make phishing attempts more convincing.” 

Malware: Old Dogs, New Tricks 

The Lumma (LummaC2) infostealer was hit hard in May, with authorities seizing 2,500 domains. Still, the infrastructure is resilient. Lumma is linked to at least 1.7 million stolen credentials, and disruption alone won’t end its reach. 

USB-delivered malware is also back in focus. Ontinue tracked a 27% rise compared to late 2024. Though an old technique, it remains effective because removable drives bypass network defenses. A Honeywell study in 2024 showed more than half of USB-borne threats could cause significant enterprise disruption. 

Agnidipta Sarkar, Chief Evangelist at ColorTokens, said this mix of the old and new demands better segmentation. “The recent convergence of cloud persistence, token replay attacks, and traditional malware, often disseminated via USB drives, illustrates how adversaries infiltrate environments and navigate freely within breached networks. Implementing micro-segmentation can effectively restrict an attacker’s lateral movements following initial access.” 

Advanced Threats and Third-Party Weaknesses 

Advanced groups, both state-aligned and criminal, are still active. Scattered Spider, a financially motivated crew, blends social engineering with cloud exploitation, while Predatory Sparrow, a pro-Israeli group, targets Iranian financial and industrial systems.  

Void Blizzard, aligned with Russia, continues espionage against NATO-linked infrastructure. Lazarus Group, from North Korea, pulled off a $1.5 billion crypto heist at Bybit. 

Third-party breaches are rising even faster. Vendor-related incidents doubled year on year, now implicated in 30% of cases. Attacks on M&S and Adidas highlighted how external partners with weaker defenses can open the door to larger enterprises. 

The Bigger Picture 

The report shows a threat landscape that is layered and fast-moving. Ransomware remains disruptive even as payment flows dip. Phishing has evolved into a service economy. Cloud environments are both target and launchpad. Malware delivered by USB sticks still works. And supply chains, already stretched, now carry hidden security risk. 

Identity is the thread running through all of it. As Maude said, every breach involves the wrong identity, with the wrong privileges, in the wrong hands. 

As Jones warned, this is not a problem solved once and for all. It is an ongoing contest against adversaries who “pivot, rebrand, and retool in weeks.” 

Kirsten Doyle, Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.