Less Lucrative Ransomware Market Makes Attackers Alter Methods

Summary

Google’s Threat Intelligence Group and incident-response reporting show the ransomware economy shifting in 2025. Payment rates have fallen to record lows while data theft and public shaming via leak sites surged. Rather than rely on commodity offensive tools, many ransomware operators are increasingly ‘living off the land’ — abusing native Windows utilities (PowerShell, WMI, cmd, ipconfig, netstat, nltest) and standard protocols (RDP, SMB, SSH) to move, reconnoitre and exfiltrate data. Cobalt Strike Beacon use plunged to about 2% of incidents in 2025 (down from 11% in 2024 and ~60% in 2021), while Mimikatz remained in use but slightly declined. Vulnerability exploitation (notably VPNs and firewalls) and stolen credentials remain common initial access vectors, with RDP used for lateral movement in roughly 85% of attacks.

Key Points

  1. Data theft appeared in an estimated 77% of ransomware incidents in 2025 (up from 57% the prior year).
  2. Ransom payment frequency hit all-time lows (Coveware reported that roughly 20% of victims paid last quarter), though a few large payouts skew the averages.
  3. Use of external offensive tooling dropped sharply — Cobalt Strike Beacon seen in only ~2% of attacks in 2025.
  4. Attackers now favour built-in Windows tools and public software to blend with legitimate administrative activity — a tactic described as “evasion through normalcy.”
  5. Common initial access methods are exploited vulnerabilities (about one-third of cases) and stolen credentials (~21%); once inside, attackers lean on exposed services such as RDP and SMB for lateral movement.
  6. Defenders are improving at recovery and detection, and factors such as law enforcement action and actor infighting have disrupted the ransomware market.
  7. Practical implication: detection must move beyond signature-based EDR to identity, contextual telemetry and strong access controls.

Context and relevance

This is a notable tactical pivot in the threat landscape. As the economics of ransomware decline, attackers optimise for stealth and scale by abusing legitimate OS capabilities instead of noisy, signatured malware. For security teams that means the biggest gaps are usually identity, lateral movement visibility and how well you can distinguish benign admin activity from malicious abuse. The shift also explains why leak sites and data extortion remain central: attackers double down on exfiltration when direct ransom success rates fall.

Why should I read this

Short version: ransomware isn't going away, it's getting craftier. If you only skim one item today, read this so you know to stop looking just for flashy malware and start hunting for innocuous-looking PowerShell, unusual AD queries (nltest, net) and unexpected RDP or credential use. Saves you the pain of missing the new quiet ways attackers break in.
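What the "evasion through normalcy" point in the Summary and the hunting advice above look like in practice: no single event is malicious, so the detection has to correlate a burst of native discovery utilities (nltest, ipconfig, netstat) with the RDP logon that follows it, and then use identity and path context (which account, from which host) to decide whether that chain is an admin at work or an intruder. The script below is an added example, not code from the article or from Google's Threat Intelligence Group. The event records, host names, account names, the jump-host allowlist and the time thresholds are all constructed for the example; the record shape only loosely mirrors Windows Security log events 4688 (process creation) and 4624 (logon, where logon type 10 is RemoteInteractive/RDP).

```python
"""Added example: correlating living-off-the-land telemetry (constructed data).

Each record looks like routine administration on its own. The hunt is for the
sequence: several different native discovery tools run by one account on one
host, then an RDP logon by that account onto a different host.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named in the article, plus whoami/net which usually
# accompany them (the exact set is an assumption for this example).
RECON_TOOLS = {"nltest.exe", "ipconfig.exe", "netstat.exe", "whoami.exe", "net.exe"}

# Hosts from which RDP is expected in this constructed environment.
JUMP_HOSTS = {"JMP-01"}

# Constructed events, shaped loosely like Security log 4688 (process creation)
# and 4624 (logon; logon_type 10 = RemoteInteractive, i.e. RDP).
EVENTS = [
    {"ts": "2025-03-10T09:00:05", "id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": "2025-03-10T09:00:09", "id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": "2025-03-10T09:00:41", "id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\nltest.exe"},
    {"ts": "2025-03-10T09:01:12", "id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\netstat.exe"},
    {"ts": "2025-03-10T09:02:30", "id": 4688, "host": "WS-042", "user": "jdoe",
     "image": r"C:\Windows\System32\net.exe"},
    # The same account then RDPs from the workstation onto a file server.
    {"ts": "2025-03-10T09:14:07", "id": 4624, "host": "FS-01", "user": "jdoe",
     "logon_type": 10, "src_host": "WS-042"},
    # Control: an admin runs a single nltest on the jump host, then RDPs on.
    {"ts": "2025-03-10T09:20:00", "id": 4688, "host": "JMP-01", "user": "svc_admin",
     "image": r"C:\Windows\System32\nltest.exe"},
    {"ts": "2025-03-10T09:21:00", "id": 4624, "host": "DC-01", "user": "svc_admin",
     "logon_type": 10, "src_host": "JMP-01"},
    # Control: a console logon (type 2) by the burst account is not RDP.
    {"ts": "2025-03-10T09:30:00", "id": 4624, "host": "WS-042", "user": "jdoe",
     "logon_type": 2, "src_host": "WS-042"},
]


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def recon_bursts(events, window=timedelta(minutes=5), min_tools=3):
    """Return {(host, user): (first_ts, last_ts, tools)} for each host/account
    pair that launched at least `min_tools` distinct recon utilities within
    `window`. One nltest by an admin is normal; five tools in two minutes is
    the hands-on-keyboard pattern."""
    runs = defaultdict(list)
    for e in events:
        if e["id"] == 4688 and _basename(e["image"]) in RECON_TOOLS:
            runs[(e["host"], e["user"])].append((_ts(e), _basename(e["image"])))
    bursts = {}
    for key, items in runs.items():
        items.sort()
        for i, (t0, _) in enumerate(items):  # sliding window over sorted runs
            in_window = [(t, n) for t, n in items[i:] if t - t0 <= window]
            tools = {n for _, n in in_window}
            if len(tools) >= min_tools:
                bursts[key] = (t0, in_window[-1][0], tools)
                break
    return bursts


def rdp_after_recon(events, bursts, within=timedelta(minutes=30)):
    """Flag RDP logons (4624, logon_type 10) by a recon-burst account onto a
    different host within `within` of the burst. Severity goes up when the RDP
    source is not an expected jump host: identity and path context, not a
    tool signature, is what separates this from admin work."""
    alerts = []
    for e in events:
        if e["id"] != 4624 or e.get("logon_type") != 10:
            continue
        t = _ts(e)
        for (host, user), (_, last, tools) in bursts.items():
            if e["user"] == user and e["host"] != host and last <= t <= last + within:
                alerts.append({
                    "user": user, "recon_host": host, "target": e["host"],
                    "src_host": e.get("src_host"), "tools": sorted(tools),
                    "severity": "medium" if e.get("src_host") in JUMP_HOSTS else "high",
                })
    return alerts


def hunt(events=EVENTS):
    bursts = recon_bursts(events)
    return bursts, rdp_after_recon(events, bursts)


if __name__ == "__main__":
    bursts, alerts = hunt()
    for (host, user), (t0, t1, tools) in bursts.items():
        print(f"recon burst: {user}@{host} {t0:%H:%M:%S}-{t1:%H:%M:%S} {sorted(tools)}")
    for a in alerts:
        print(f"[{a['severity']}] {a['user']} RDP {a['src_host']} -> {a['target']} "
              f"after recon on {a['recon_host']}")
```

Run against the constructed data, the script flags one high-severity chain (jdoe: five discovery tools on WS-042, then RDP from that workstation to FS-01) and stays quiet on the admin who ran a lone nltest from the jump host. The thresholds (three tools in five minutes, RDP within thirty minutes) are starting points to tune against your own baseline of admin behaviour, and the jump-host allowlist is the piece that makes the rule an identity and access-path check rather than a blanket alert on nltest.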

Source

Source: https://www.darkreading.com/threat-intelligence/less-lucrative-ransomware-market-makes-attackers-alter-methods