Blogs & Opinions 28.03.2025

Ransomware Is Changing: Watch Out for These New TTPs in 2025

Threat actors are using novel ways to bypass security tools.

As their attack surface expands, CISOs must adapt to a fast-evolving threat landscape to outwit determined ransomware actors, argues Bharat Mistry

Ransomware actors have been evolving since the scareware days of the mid-noughties. And they continue to do so, as network defenders adjust their own tactics to reduce corporate exposure to service disruption, data theft and extortion. As this arms race continues to unfold, AI represents both a blessing and a curse—offering malicious actors an uplift in coding and social engineering skills, as well as empowering security teams.

In the coming months, expect new techniques designed to make attacks quicker and stealthier. CISOs and their teams will need to be at the top of their game to keep networks safe.

The story so far

Over the years, we’ve witnessed several critical moments in the evolution of ransomware. The switch from consumer-focused “small-fry” attacks to big-game hunting. The emergence of ransomware-as-a-service, affiliate models and initial access brokers. The use of double, triple and quadruple extortion. But the threat landscape is continuously moving forward. It’s the only way to keep the money rolling in.

Most recently, in 2024 we saw vulnerability exploitation and credential theft emerge as popular alternatives to phishing for initial access. These tactics help adversaries to reduce the number of steps they need to work through to achieve their goals, speeding up attacks and increasing their chance of success.

We’ll likely see more of this in 2025, as well as attempts to keep malicious activity hidden from network defenders by living off the land: using legitimate administration and remote-access tools for credential collection, lateral movement, privilege escalation and data exfiltration, so that no malicious binary ever needs to touch disk. Cumulatively, these efforts are reducing the time from initial access to encryption from around a week to just a couple of days.

How ransomware is changing

Ransomware actors may also innovate in other areas. As part of their ongoing efforts to stay under the radar, they may look for novel ways to evade or disrupt endpoint detection and response (EDR) tools. Encrypting or packing malicious code so it can’t be matched by static scanning is an obvious one. But there are more. Bring Your Own Vulnerable Driver (BYOVD) is increasingly popular. Here, threat actors drop a legitimately signed but vulnerable driver onto a targeted system, load it, and then abuse the primitives it exposes (typically arbitrary kernel memory read/write) to disable EDR callbacks or terminate security agents from kernel mode. Because the driver carries a valid signature, driver signature enforcement loads it without complaint; only controls such as hypervisor-protected code integrity (HVCI) with Microsoft’s vulnerable driver blocklist enforced, or behavioural monitoring of where drivers are loaded from, stand in the way.

Other ways to bypass EDR detection could include tampering with the EDR’s own kernel-mode hooks and callbacks, injecting malicious code into legitimate processes, and hiding encrypted shellcode inside inconspicuous loaders. The growing popularity of evasion tools like “EDRKillShifter” (a loader that public reporting describes as delivering a vulnerable driver in order to terminate security agents) is testament to the agility of the cybercrime supply chain in meeting the changing demands of the market.

We may also see ransomware groups focus on environments where most organisations don’t have security visibility or coverage, such as mobile, IoT, voice calls (for vishing) and the cloud. The latter is particularly exposed, especially to attacks using stolen, brute-forced or otherwise obtained credentials. Once inside a SaaS tenant, a threat actor may conduct reconnaissance by trawling through document and source code repositories, password vaults, Slack, Teams, and other environments, in order to find privilege escalation paths. They’ll use this intel to move laterally to other tenants, or even PaaS, IaaS and on-premises environments, wherever the most valuable data is.
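The credential-driven cloud intrusion sketched above leaves a recognisable trail in tenant sign-in and audit logs: one source spraying many accounts, one account failing repeatedly and then succeeding, and a fresh session immediately enumerating repositories, vaults and chat. The following is an added example written for this page, not code from the article or its author; the log lines are constructed, and the space-separated schema, field names and thresholds are assumptions to be adapted to whatever your identity provider actually exports.

```python
"""Three detections over constructed SaaS sign-in/audit logs (added example).

Schema (assumed): ts event user src_ip result detail
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

SPRAY_MIN_USERS = 5            # distinct accounts failing from one IP
SPRAY_WINDOW = timedelta(minutes=10)
BRUTE_MIN_FAILS = 4            # failures before a success, same user and IP
BRUTE_WINDOW = timedelta(minutes=10)
RECON_MIN_ACTIONS = 3          # distinct enumeration actions after login
RECON_WINDOW = timedelta(minutes=15)
RECON_ACTIONS = {"repo_list", "vault_list", "chat_search", "file_search"}

# Constructed sample log: a spray from 203.0.113.5, a brute force against
# frank@ from 198.51.100.9 followed by recon, and benign activity from alice@.
SAMPLE_LOG = """\
2025-03-10T08:00:01Z signin alice@example.com 203.0.113.5 fail bad_password
2025-03-10T08:00:02Z signin bob@example.com 203.0.113.5 fail bad_password
2025-03-10T08:00:03Z signin carol@example.com 203.0.113.5 fail bad_password
2025-03-10T08:00:04Z signin dave@example.com 203.0.113.5 fail bad_password
2025-03-10T08:00:05Z signin erin@example.com 203.0.113.5 fail bad_password
2025-03-10T08:30:00Z signin alice@example.com 192.0.2.44 success -
2025-03-10T09:00:00Z signin frank@example.com 198.51.100.9 fail bad_password
2025-03-10T09:00:10Z signin frank@example.com 198.51.100.9 fail bad_password
2025-03-10T09:00:20Z signin frank@example.com 198.51.100.9 fail bad_password
2025-03-10T09:00:30Z signin frank@example.com 198.51.100.9 fail bad_password
2025-03-10T09:00:40Z signin frank@example.com 198.51.100.9 success -
2025-03-10T09:01:00Z audit frank@example.com 198.51.100.9 success repo_list
2025-03-10T09:01:30Z audit frank@example.com 198.51.100.9 success vault_list
2025-03-10T09:02:00Z audit frank@example.com 198.51.100.9 success chat_search
2025-03-10T09:05:00Z audit alice@example.com 192.0.2.44 success file_open
"""


def parse(log_text):
    """Parse the constructed schema into time-ordered event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, user, ip, result, detail = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "kind": kind, "user": user, "ip": ip, "result": result, "detail": detail,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def detect_spray(events):
    """One source IP failing against many distinct accounts within a window."""
    alerts = []
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["kind"] == "signin" and e["result"] == "fail":
            fails_by_ip[e["ip"]].append(e)
    for ip, fails in fails_by_ip.items():
        for i, start in enumerate(fails):   # sliding window anchored on each failure
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append(("password_spray", ip, sorted(users)))
                break
    return alerts


def detect_brute_then_success(events):
    """Repeated failures for one account from one IP, then a success."""
    alerts = []
    recent_fails = defaultdict(list)        # (user, ip) -> failure timestamps
    for e in events:
        if e["kind"] != "signin":
            continue
        key = (e["user"], e["ip"])
        if e["result"] == "fail":
            recent_fails[key].append(e["ts"])
        elif e["result"] == "success":
            in_window = [t for t in recent_fails[key] if e["ts"] - t <= BRUTE_WINDOW]
            if len(in_window) >= BRUTE_MIN_FAILS:
                alerts.append(("brute_force_success", e["user"], e["ip"]))
            recent_fails[key].clear()
    return alerts


def detect_post_auth_recon(events):
    """A fresh session that immediately enumerates repos, vaults and chat."""
    alerts = []
    logins, actions = {}, defaultdict(set)  # keyed by (user, ip)
    for e in events:
        key = (e["user"], e["ip"])
        if e["kind"] == "signin" and e["result"] == "success":
            logins[key], actions[key] = e["ts"], set()
        elif e["kind"] == "audit" and key in logins and e["detail"] in RECON_ACTIONS:
            if e["ts"] - logins[key] <= RECON_WINDOW:
                actions[key].add(e["detail"])
                if len(actions[key]) == RECON_MIN_ACTIONS:   # fire once per session
                    alerts.append(("post_auth_recon", e["user"], e["ip"], sorted(actions[key])))
    return alerts


def run_detections(log_text=SAMPLE_LOG):
    events = parse(log_text)
    return detect_spray(events) + detect_brute_then_success(events) + detect_post_auth_recon(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The three rules are deliberately independent so each can be tuned (or replaced by an identity provider’s built-in risk signal) on its own; the recon rule is the one most often missing from off-the-shelf content, and it is what turns a "successful login" into an incident.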

The expanding AI attack surface

As AI systems begin to play an increasingly business-critical role for modern organisations, expect these to also come under more intense threat actor scrutiny. Access to underlying training datasets, large language models (LLMs), development environments and the infrastructure used to host these systems could enable malicious groups to encrypt and extort.

Unfortunately, the AI attack surface continues to grow, and developers and operators don’t always follow security best practices. Research reveals that LLMs, LLM-hosting platforms, open source code, and vector databases are riddled with vulnerabilities, and in many cases are exposed to the public-facing internet without any authentication required. That’s an open invitation for a ransomware actor.

Also poorly policed are IoT environments, which could be exploited to help ransomware groups smuggle stolen data out of a targeted organisation. They might use compromised devices to bypass network segmentation controls, for example, and/or employ steganography techniques to hide data in otherwise normal-looking IoT traffic.

How CISOs can respond

With such an expansive attack surface to defend, CISOs could be forgiven for thinking that a ransomware breach in 2025 is an inevitability. But it doesn’t have to be this way. By switching focus from traditional malicious file and hash detections to behavioural monitoring across all layers of the IT environment, there’s an opportunity to catch intruders before they can cause any lasting damage. Some AI security tools make this easier through continuous monitoring and more accurate alert prioritisation.
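To make the switch from hash matching to behavioural monitoring concrete, and to tie it back to the BYOVD and EDR-killer tradecraft described earlier, here is an added example written for this page (not the article’s or any vendor’s code). It runs two behavioural rules over constructed endpoint telemetry: a kernel driver loaded from a user-writable path is flagged whether or not it is signed or its hash is known, and a security agent terminated by anything other than the service control manager is flagged, escalated to a high-confidence chain when it follows such a driver load on the same host. The event schema, the process and path names, and the `edr_agent.exe` agent are assumptions, loosely modelled on what EDR or Sysmon sensors export.

```python
"""Behavioural detection of BYOVD followed by an EDR kill (added example).

Events are constructed; the schema is an assumption, not any product's format.
"""
import re
from datetime import datetime, timedelta, timezone

# Locations an unprivileged user or an installer dropper can write to.
USER_WRITABLE = re.compile(r"^(C:\\Users\\|C:\\ProgramData\\|C:\\Windows\\Temp\\)", re.IGNORECASE)
# Processes whose unexpected death is suspicious ("edr_agent.exe" is a constructed name).
SECURITY_PROCS = {"msmpeng.exe", "edr_agent.exe"}
# Parents that legitimately stop services; anything else killing an agent is tamper.
TRUSTED_KILLERS = {r"c:\windows\system32\services.exe"}
TAMPER_WINDOW = timedelta(minutes=30)
# A real deployment would load Microsoft's vulnerable driver blocklist here. Left empty
# on purpose: the rules below must fire on behaviour even when the hash is unknown.
KNOWN_BAD_HASHES = set()

SAMPLE_EVENTS = [
    # WS01: vendor driver in the drivers directory, normal. No alert.
    {"ts": "2025-03-10T10:00:00Z", "host": "WS01", "event": "DriverLoad",
     "image": r"C:\Windows\System32\drivers\vendor.sys", "signed": True, "sha256": "a1"},
    # WS02: signed driver dropped to a public folder, then the agent is killed by the dropper.
    {"ts": "2025-03-10T11:00:02Z", "host": "WS02", "event": "DriverLoad",
     "image": r"C:\Users\Public\hwupdate.sys", "signed": True, "sha256": "b2"},
    {"ts": "2025-03-10T11:00:05Z", "host": "WS02", "event": "ProcessTerminate",
     "image": r"C:\ProgramData\EDR\edr_agent.exe",
     "killer": r"C:\Users\j.doe\AppData\Local\Temp\loader.exe"},
    # WS03: service control manager restarting the agent, benign.
    {"ts": "2025-03-10T12:00:00Z", "host": "WS03", "event": "ProcessTerminate",
     "image": r"C:\ProgramData\EDR\edr_agent.exe", "killer": r"C:\Windows\System32\services.exe"},
    # WS04: agent killed with no preceding driver load, still tamper.
    {"ts": "2025-03-10T13:00:00Z", "host": "WS04", "event": "ProcessTerminate",
     "image": r"C:\ProgramData\EDR\edr_agent.exe", "killer": r"C:\Windows\System32\taskkill.exe"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, host, detail) tuples in time order."""
    alerts = []
    recent_byovd = {}   # host -> time of last driver load from a user-writable path
    for e in sorted(events, key=lambda e: _ts(e["ts"])):
        host, ts = e["host"], _ts(e["ts"])
        if e["event"] == "DriverLoad":
            if e["sha256"] in KNOWN_BAD_HASHES:          # hash rule, kept for completeness
                alerts.append(("known_vulnerable_driver", host, e["image"]))
            if USER_WRITABLE.match(e["image"]):
                # Signed or not: a kernel driver loaded from a user-writable path is
                # BYOVD tradecraft, and a valid signature is exactly what the attacker relies on.
                alerts.append(("driver_from_user_path", host, e["image"]))
                recent_byovd[host] = ts
        elif e["event"] == "ProcessTerminate" and _basename(e["image"]) in SECURITY_PROCS:
            if e["killer"].lower() in TRUSTED_KILLERS:
                continue
            rule = "edr_tamper"
            if host in recent_byovd and ts - recent_byovd[host] <= TAMPER_WINDOW:
                rule = "edr_kill_after_byovd"              # high-confidence chain
            alerts.append((rule, host, e["killer"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Note what the hash rule would have caught on this input: nothing. Both behavioural rules fire anyway, which is the point of the argument above; on a real fleet the path regex and the trusted-killer list need tuning to local software deployment practices before the rules are moved from audit to alert.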

There’s also a lot to be said for getting the basics right. By scanning open source software for vulnerabilities, and ensuring AI system components are properly configured, there will be fewer opportunities for adversaries to strike. Above all, continuous vigilance must be the watchword as we enter a new era of ransomware threats.

A trusted advisor to CISOs and senior executives, Bharat Mistry brings a wealth of expertise in security strategy, risk management, and advanced threat defense. With a deep technical foundation and a strategic mindset, he helps organizations align robust security frameworks with business objectives, ensuring resilience in an ever-evolving threat landscape. Known for his ability to translate complex security challenges into actionable solutions, Bharat plays a pivotal role in guiding global enterprises toward a proactive and adaptive security posture.
