In a startling revelation, Coveware by Veeam has reported a significant rise in ransomware occurrences during the second quarter of 2025. The surge is largely attributed to targeted social engineering tactics and a move towards data exfiltration strategies, which have reshaped the ransomware landscape.
"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook," said Bill Siegel, CEO of Coveware by Veeam. This newfound intensity emphasizes not only the importance of backups but highlights attackers' interest in exploiting human vulnerabilities and data integrity.
"The second quarter of 2025 marks a turning point in ransomware, as targeted social engineering and data exfiltration have become the dominant playbook,"
During the second quarter, various ransomware variants dominated the landscape, with Akira leading at 19%, followed by Qilin at 13%, and Lone Wolf at 9%. Notably, Silent Ransom and Shiny Hunters made their debut in the top five, indicating a shift in tactics among attackers. The insights provide a glimpse into how the threat landscape is evolving, showcasing incessant innovation among malicious actors.
"Credential compromise, phishing, and exploitation of remote services continue to dominate initial access," Siegel noted, stressing the increasingly prevalent role of human error in corporate vulnerabilities. This vulnerability is exacerbated by attackers selecting widely used platforms, such as Ivanti and Fortinet, while the rise in 'lone wolf' attacks illustrates a trend towards decentralized, methodical threats.
"Credential compromise, phishing, and exploitation of remote services continue to dominate initial access,"
The sectors most affected included professional services (19.7%), healthcare (13.7%), and consumer services (13.7%), with mid-sized companies (11 – 1,000 employees) constituting 64% of the victims. This demographic proves attractive to attackers due to a favorable balance of payout potential and comparatively weaker defenses.
A key finding of the report revealed that data theft has overtaken encryption as the primary means of extortion. "Exfiltration was a factor in 74% of all cases, with many campaigns now prioritizing data theft over traditional system encryption,” the report indicated. This tactic not only increases the stakes for victims but also prolongs their suffering, as organizations are often held hostage long after the initial breach.
Ransom amounts have skyrocketed, with average and median payments hitting unprecedented highs of $1.13 million and $400,000, respectively. "This spike is attributed to larger organizations paying out after data exfiltration-only incidents," explained Siegel. Despite this alarming trend, the percentage of organizations opting to pay ransoms remained unchanged at 26%.
"This spike is attributed to larger organizations paying out after data exfiltration-only incidents,"
In this harrowing environment, the techniques employed by groups such as Scattered Spider, Silent Ransom, and Shiny Hunters have shifted dramatically. Each now opts for precision over volume in their attacks, employing intricate social engineering strategies against critical targets—help desks and employees—rather than relying on mass attacks. "Abandoning mass opportunistic attacks for precision strikes has made this quarter particularly concerning," Siegel commented.
"Abandoning mass opportunistic attacks for precision strikes has made this quarter particularly concerning,"
Coveware by Veeam continues to be a vital resource for companies dealing with cyber extortion, providing an array of services designed for rapid response and recovery post-incident. With an emphasis on forensic triage and extortion negotiation, they strive for one primary goal: data recovery from ransomware attacks. This commitment informs their data collection efforts, enabling a nuanced understanding of attack patterns that can be shared with clients to bolster defenses.
Their quarterly report, compiled from first-hand data and expert insights, ensures that organizations are kept abreast of the latest tactics, techniques, and procedures employed by attackers. "By aggregating and analyzing case-specific data, we are able to identify emerging trends and track adversary techniques effectively," Siegel concluded.
"By aggregating and analyzing case-specific data, we are able to identify emerging trends and track adversary techniques effectively,"
The current landscape presents a daunting challenge, making it essential for organizations to bolster their defenses against both immediate threats and long-term implications of ransomware. As cyber extortionists continue to refine their tactics, prioritizing employee awareness and cybersecurity measures will be paramount in combating this persistent threat.
