Threat intelligence report - TalkLPnews

Threat intelligence report

A UK-based cybersecurity services company’s latest CTI (cyber threat intelligence) Annual Report suggests that data theft and extortion have overtaken traditional encryption-only ransomware as the most successful approach for attackers. While encryption-based attacks tend to result in larger ransom payments, often due to the urgency of restoring critical services, data theft and extortion cases are more likely to result in a payment, with attackers leveraging the fear of regulatory penalties and reputational damage to pressure victims into compliance, according to Bridewell.

At the same time, ransomware payments overall have continued to decline year-on-year. The firm attributes this to stricter regulations, more law enforcement coordination and more governmental sanctions on cybercriminal entities. The firm says that those considering payment must now conduct due diligence to avoid inadvertently transacting with sanctioned groups or Ransomware-as-a-Service (RaaS) operations.

The findings include:

Vulnerability exploitation

Bridewell has observed that groups such as Clop and Termite have become highly proficient in exploiting internet-facing systems and edge devices, including Fortinet, Ivanti and others. Exploiting unpatched vulnerabilities remains a primary attack vector, allowing threat actors to compromise many victims at scale and drive larger financial outcomes.

Fragmentation and lone wolves

The ransomware ecosystem is becoming increasingly fragmented. Bridewell threat intelligence links this to both infighting within groups and persistent law enforcement takedowns, which have led to the splintering of major groups such as Conti and AlphV/BlackCat. This has resulted in a broader and more diverse pool of active ransomware actors, making the threat landscape more volatile and difficult to defend against.

Compounding this issue is the rise of lone-wolf actors: individual affiliates or cybercriminals operating independently. These actors often rely on leaked RaaS source code or publicly available tools to mount ransomware operations without the need for an established group. This trend is partly driven by a lack of trust in larger operations due to the risk of exit scams, where affiliates are denied their share of ransom proceeds.

Tactical shifts

Bridewell says that it continues to observe ransomware actors targeting VMware ESXi environments, aiming to cripple core virtualised infrastructure quickly. Groups like VanHelsing and DragonForce are actively pursuing this tactic in ongoing campaigns. Meanwhile, adversaries are developing or acquiring capabilities to evade Endpoint Detection and Response (EDR) systems, often through the abuse of vulnerable drivers or native software features. The use of Living-Off-the-Land Binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools has become widespread, allowing attackers to avoid detection and maintain persistent access without deploying traditional malware.
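The tactics named above (LOLBIN abuse, unsanctioned RMM agents, and vulnerable-driver loads used for EDR evasion) are all visible in endpoint telemetry if someone writes the rules. The script below is an added illustration, not code from Bridewell or from the report: it runs three simple detection rules over a handful of constructed, Sysmon-style events. The event schema, the tool lists, the `APPROVED_RMM` allowlist and the blocklist hashes are all assumptions chosen for the example; a real deployment would feed these rules from the organisation's own software inventory and a maintained vulnerable-driver list.

```python
"""Flag endpoint events matching the ransomware tradecraft described in the report.

Added example with a simplified, Sysmon-like event schema (an assumption for this
illustration). All sample events, hashes and allowlists below are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# Windows binaries frequently abused "living off the land" (illustrative, not exhaustive).
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}
# Parents that should rarely spawn the binaries above: document handlers and script hosts.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "cscript.exe"}
# Commonly seen RMM agents; legitimate use is decided by the organisation's allowlist.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe", "atera.agent.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe"}  # assumption: the org's sanctioned agent
# Constructed placeholder hashes standing in for a real vulnerable-driver blocklist.
VULN_DRIVER_HASHES = {"0" * 63 + "1", "0" * 63 + "2"}


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def check_process(ev: dict) -> list[Finding]:
    """Rules for process-creation events: LOLBIN abuse and unapproved RMM agents."""
    name = _basename(ev["image"])
    parent = _basename(ev.get("parent", ""))
    findings = []
    if name in LOLBINS and parent in SUSPICIOUS_PARENTS:
        findings.append(Finding("lolbin-abuse", name,
                                f"parent={parent} cmdline={ev.get('cmdline', '')}"))
    if name in RMM_TOOLS and name not in APPROVED_RMM:
        findings.append(Finding("unapproved-rmm", name, f"user={ev.get('user', '?')}"))
    return findings


def check_driver(ev: dict) -> list[Finding]:
    """Rule for driver-load events: hash matches a known-vulnerable driver."""
    name = _basename(ev["image"])
    if ev.get("sha256", "").lower() in VULN_DRIVER_HASHES:
        return [Finding("vulnerable-driver-load", name, "sha256 on blocklist")]
    return []


def scan(events: list[dict]) -> list[Finding]:
    """Dispatch each event to the rule set for its type and collect findings."""
    findings: list[Finding] = []
    for ev in events:
        if ev["type"] == "process":
            findings.extend(check_process(ev))
        elif ev["type"] == "driver":
            findings.extend(check_driver(ev))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per rule, useful for a quick triage view."""
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry: three events that should fire and three that should not.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Program Files\Microsoft Office\winword.exe",
     "cmdline": r"rundll32.exe C:\Users\Public\update.dll,Start", "user": "alice"},
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "process", "image": r"C:\Users\Public\anydesk.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "svc-backup"},
    {"type": "process", "image": r"C:\Program Files\ScreenConnect\ScreenConnect.ClientService.exe",
     "parent": r"C:\Windows\System32\services.exe"},
    {"type": "driver", "image": r"C:\Windows\Temp\drv.sys", "sha256": "0" * 63 + "1"},
    {"type": "driver", "image": r"C:\Windows\System32\drivers\ntfs.sys", "sha256": "ab" * 32},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.image}: {f.detail}")
    print(summarize(scan(SAMPLE_EVENTS)))
```

Run against the constructed events the script reports one hit per rule and stays silent on the benign rundll32, the approved ScreenConnect agent and the normal driver load. The parent-process rule is deliberately narrow; in practice it would be widened with command-line and network context, and the RMM rule only works if the allowlist reflects what the organisation actually deploys.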

Despite efforts to disrupt its use, Cobalt Strike remains the most widely used offensive security tool by ransomware operators, closely followed by others such as Metasploit, Sliver, Brute Ratel, and more recently Pyramid C2, a Python-based command and control (C2) framework.

Shift to data theft-only

The cyber firm has also observed the continued evolution of data-theft-only ransomware operations, which bypass encryption altogether. This approach is particularly effective in today’s increasingly regulated privacy landscape, where organisations fear substantial fines and long-term brand damage. Attackers are now refining their extortion tactics to exploit this pressure more effectively.

Remote access and patch management

The firm’s findings, aligned with first-quarter 2025 data from Coveware, show that remote access solutions (VPNs, RMMs) and unpatched software vulnerabilities remain leading intrusion vectors. Although phishing incidents appear to be decreasing, it is likely that phishing is now being used indirectly, by access brokers selling credentials to ransomware affiliates.

Gavin Knapp, Cyber Threat Intelligence Principal Lead at Bridewell, said: “We’re seeing a clear shift in ransomware tactics. Encryption-only attacks are proving less effective, while data theft and extortion are leading to more successful payment outcomes. At the same time, organisations are increasingly hesitant to pay ransoms due to growing regulatory pressure and the risk of violating sanctions.

“Our goal with this report is to provide actionable insights that help organisations strengthen their defences and build greater resilience against cyber attacks. Staying ahead of persistent and evolving threat actors is no easy task, but understanding and mitigating the risks posed by adversarial infrastructure must remain a core component of any robust cybersecurity strategy.”

To view the CTI Annual Report, visit: https://www.bridewell.com/insights/white-papers/detail/cyber-threat-intelligence-report-2025

https://professionalsecurity.co.uk/news/commercial-security/threat-intelligence-report-2/