2025: the turning point that reshaped cyber risk
- Feb 14
2025 in one sentence: cybercrime became an industry, built around access and identity
In 2025, we were no longer dealing with a handful of isolated gangs. We were looking at a structured cybercrime economy, with a supply chain (malware-as-a-service, infostealers, initial access brokers, hosting, money laundering…) that increasingly resembles a SaaS ecosystem on the attacker side.
Two defining signals stood out in 2025:
Industrialization: more actors, more tooling, more intermediaries.
A decisive shift to identity: attacks increasingly start by “logging in” rather than “breaking in.”
ENISA confirms the broader escalation (including hacktivism/DDoS) and highlights infostealers as a key contributor to initial access in modern cybercrime.
Ransomware: record volume, a pressured business model… which drives harsher extortion
Ransomware remained the most “visible” threat in 2025 — and the best indicator of an organization’s real cyber maturity, because it blends technology, crisis response, and business decision-making.
What 2025 showed, with hard numbers
4,701 ransomware incidents recorded from January to September 2025, versus 3,219 over the same period in 2024 (+34%).
At the same time, the ecosystem continued to fragment: Rapid7 reported 96 active ransomware groups in the first half of 2025, up from 68 in the first half of 2024 (+41%).
But “more attacks” doesn’t automatically mean “more revenue.”
Victims are paying less often (or not at all), which forces attackers to hit more targets and raise pressure through more aggressive extortion:
double/triple extortion (encryption + theft + pressure),
targeting backups and recovery capabilities,
harassment of partners/customers, data leaks, “name & shame”.
Operational translation: 2025 normalized ransomware as a business interruption risk, not an “IT incident.” Where downtime is expensive, extortion becomes highly effective.
2025 was the infostealer year: identity became the real security perimeter
Ransomware gets the headlines, but the engine of cybercrime in 2025 was stolen credentials and sessions.
The scale-changing signal
Flashpoint reported 1.8 billion compromised credentials in the first half of 2025 (a reported 800% increase), stemming from millions of infected hosts.
That flood fuels everything downstream:
log marketplaces,
cheap initial access,
SaaS compromise (email, file sharing),
BEC/fraud,
and, very often, ransomware.
The key idea: “log in” is replacing “exploit”.
ENISA documents the role of infostealers as a major enabler of the cybercrime chain and names Lumma among the most prevalent stealers observed in 2025.
Identity (accounts, privileges, tokens, sessions) is the new security perimeter. Weak MFA deployment or poor session governance can neutralize major security investments elsewhere.
AI: 2025 was the inflection point for “credibility + speed”
2025 marked the arrival of AI in attacker tooling at scale: not necessarily “more advanced” in every case, but far more convincing and far more scalable.
Common offensive uses (and accelerating trends):
automated reconnaissance (target scoring, leak correlation),
highly localized phishing and social engineering (role-aware, flawless language),
deepfakes (voice/video) for fraud and “urgent approval” scenarios.
ENISA also highlights the geopolitical background noise, the rise of hacktivist activity, and evolving tradecraft in a context where AI increases efficiency for influence operations and social engineering.
“Fraud risk” and “cyber risk” are converging. The response cannot be purely technical; it must include business verification protocols.
OT / critical sectors: from disruption to systemic risk
2025 confirmed a shift toward critical sectors (manufacturing, healthcare, energy, transport…). In the January–September 2025 numbers cited via KELA reporting, roughly 50% of incidents affected critical sectors.
Two board-level implications:
Extortion seeks maximum leverage: production, logistics, or service downtime.
IT/OT convergence and shared dependencies (identity, networking, remote access, backups) mean “physical” impact can begin with an IT-side compromise.
Hacktivism & DDoS: constant noise that drains capacity (and can mask deeper attacks)
ENISA reports a strong rise in hacktivist activity, with DDoS dominating many incident datasets (including against public administrations).
Executive translation:
Individually, these may be less destructive,
but they consume security capacity and can serve as diversion while quieter intrusions unfold elsewhere.
What 2025 forces as executive priorities
If we translate 2025 into leadership decisions, it’s this:
Treat identity as a critical asset: access governance, phishing-resistant MFA for sensitive accounts, fewer permanent privileges, better token/session monitoring.
Put resilience on the same level as prevention: proven backups (real restorations), extortion playbooks, multi-function crisis readiness (IT, legal, comms, operations).
Shrink the exposure window: internet-facing asset inventory + risk-based patching prioritized by exploitability and business criticality (not just “patch compliance”).
Raise the bar on third parties and remote access: named access, expiration, logging, strong MFA, segmentation.
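What “better token/session monitoring” and “phishing-resistant MFA for sensitive accounts” look like in practice can be shown with a small detector. The example below is added here and is not code from the original article or from any vendor it cites; the JSON-lines log format, field names and the privileged-user list are assumptions, and the log entries are constructed sample data. It flags the two patterns the article’s identity section describes: a session token that keeps being used from a different source than the one that established it (what a stolen infostealer cookie looks like, since the replayed session never re-triggers MFA), and an interactive login to a privileged account without MFA.

```python
"""Session-anomaly detection over constructed authentication logs.

Added example (assumed log schema, not any product's format). Detects:
  1. a session id used from a different IP/user-agent than the login that
     created it (token/cookie replay);
  2. a login to a privileged account without MFA.
"""
import json
from dataclasses import dataclass

# Constructed JSON-lines auth log: sample data, not real telemetry.
SAMPLE_LOG = """\
{"ts":"2025-03-01T08:00:00Z","user":"alice","session":"sess-a1","ip":"203.0.113.10","ua":"Chrome/122 Windows","event":"login","mfa":true}
{"ts":"2025-03-01T08:05:00Z","user":"alice","session":"sess-a1","ip":"203.0.113.10","ua":"Chrome/122 Windows","event":"access"}
{"ts":"2025-03-01T09:30:00Z","user":"alice","session":"sess-a1","ip":"198.51.100.7","ua":"Chrome/121 Linux","event":"access"}
{"ts":"2025-03-01T09:31:00Z","user":"alice","session":"sess-a1","ip":"198.51.100.7","ua":"Chrome/121 Linux","event":"access"}
{"ts":"2025-03-01T10:00:00Z","user":"bob","session":"sess-b1","ip":"203.0.113.20","ua":"Firefox/124 macOS","event":"login","mfa":false}
{"ts":"2025-03-01T10:02:00Z","user":"carol","session":"sess-c1","ip":"203.0.113.30","ua":"Edge/122 Windows","event":"login","mfa":false}
{"ts":"2025-03-01T10:10:00Z","user":"carol","session":"sess-c1","ip":"203.0.113.30","ua":"Edge/122 Windows","event":"access"}
"""

# Assumed set of sensitive accounts (admins, finance approvers, ...).
PRIVILEGED_USERS = {"alice", "bob"}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    session: str
    detail: str


def parse_log(text):
    """Parse JSON lines; skip blank or malformed lines instead of aborting."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events, privileged_users):
    """Return alerts in log order. Events are assumed to be time-ordered."""
    alerts = []
    origin = {}      # session id -> (ip, ua) of the login that created it
    flagged = set()  # sessions already reported, to avoid duplicate alerts
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = (ev["ip"], ev["ua"])
            if ev["user"] in privileged_users and not ev.get("mfa", False):
                alerts.append(Alert("no_mfa_privileged_login", ev["user"], sid,
                                    f"interactive login from {ev['ip']} without MFA"))
            continue
        if sid not in origin:
            # Activity on a session this log never saw created: report once.
            if sid not in flagged:
                flagged.add(sid)
                alerts.append(Alert("session_without_login", ev["user"], sid,
                                    f"activity from {ev['ip']} with no recorded login"))
            continue
        src = (ev["ip"], ev["ua"])
        if src != origin[sid] and sid not in flagged:
            flagged.add(sid)
            alerts.append(Alert("session_reuse_from_new_source", ev["user"], sid,
                                f"established from {origin[sid][0]} / {origin[sid][1]}, "
                                f"now used from {src[0]} / {src[1]}"))
    return alerts


def run_sample():
    """Run the detector over the constructed log."""
    return detect(parse_log(SAMPLE_LOG), PRIVILEGED_USERS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.rule}] user={a.user} session={a.session}: {a.detail}")
```

On the sample log this raises two alerts: alice’s session, created with MFA from one host, is later used from a different IP and browser (the replay signature), and bob, a privileged account, logs in without MFA. carol’s MFA-less login is not flagged because the account is not in the privileged set, which is the trade-off the article’s “phishing-resistant MFA for sensitive accounts” item implies; a stricter policy would simply widen that set. In a real deployment the origin map would be keyed on the identity provider’s session or token identifier and the source comparison would usually tolerate changes within the same ASN or device fingerprint rather than demanding an exact match.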
Conclusion: why 2025 was a true turning point
2025 locked in a threat “triangle” that now structures the landscape: (1) ransomware/extortion, (2) infostealers/identity, (3) AI to accelerate and increase credibility.
Most importantly, 2025 made it undeniable that cyber risk is business risk: downtime, fraud, data exposure, regulatory pressure, and reputation impact.