Ransomware Trends: Active Groups, Shifting Tactics, and Early Detection


Josh Amishav · Last updated Apr 05, 2026 · 10 Minute Reading Time

Learn how ransomware tactics are shifting and what you can do to stay ahead.

• Ransomware volume keeps climbing year over year. The groups change, the tactics evolve, but the entry point stays the same: stolen credentials.
• There’s a gap of days to weeks between when credentials get stolen and when ransomware gets deployed. Credential monitoring catches stolen passwords in that window. That’s your best chance to prevent the attack entirely.
• AI is changing the game. Attackers use it for better phishing emails, automated reconnaissance, and AI-cloned voice calls. Most security teams haven’t deployed AI-powered detection yet.
• 88% of SMB breaches involve ransomware. Small companies get hit harder because they lack dedicated security staff and often pay faster to avoid downtime.

Ransomware attacks keep climbing. The groups behind them keep changing. And the way they get in hasn’t changed: stolen credentials.

The biggest shift isn’t volume. It’s that attackers now steal your data before encrypting, and some skip encryption entirely. Backups alone won’t save you.

Most security teams focus on endpoint detection and backup strategies. That’s important, but it’s reactive. By the time ransomware encrypts your files, the attackers have already been inside for days or weeks.

The real opportunity is detecting ransomware activity before it hits your network. That means watching the dark web, where stolen credentials and initial access get sold before attackers exploit them.

Ransomware volume continues to climb. The Verizon 2025 DBIR found ransomware present in 44% of all breaches. Our monthly ransomware reports track the latest victim counts, active groups, and industry targeting.

Ransomware-as-a-Service (RaaS) is the business model behind most modern ransomware. Developers build and maintain the malware. Affiliates pay for access and conduct the actual attacks. They split the ransom, typically 70-85% to the affiliate. This model means you don’t need technical skills to launch ransomware. You just need money to buy access.

The biggest shift is data-only extortion. Groups like Cl0p skip encryption entirely and just steal data. No encryption means backup-based defenses don’t help. Mandiant’s M-Trends 2025 report showed 11% of cases involved data theft without encryption. That number is growing.

Cross-platform capability is now standard. Every major ransomware family supports Windows and Linux. Most also target ESXi hypervisors.

The RaaS model keeps evolving under law enforcement pressure. Operation Cronos disrupted LockBit. The Hive takedown showed the FBI can operate inside criminal infrastructure for months. But new groups fill the gaps fast. We consistently track 50-65 active groups per month, and the number keeps growing.

Which Ransomware Groups Are Most Active?

The ransomware hierarchy shifts constantly. Here are the groups that matter right now, based on Breachsense’s tracking data.

Qilin is the current volume leader. They’ve consistently posted 100+ victims per month by offering affiliates 80-85% of ransom payments. That commission structure attracts experienced operators from collapsed groups.

Akira has code connections to the defunct Conti ransomware. They target mid-market companies and their monthly volume swings wildly, suggesting a smaller but aggressive affiliate base.

DragonForce allegedly absorbed RansomHub’s infrastructure after RansomHub’s collapse in April 2025. They’ve grown steadily since then.

LockBit survived the February 2024 Operation Cronos disruption but hasn’t regained its former dominance. Still active, still posting victims, but well below their peak.

The ecosystem is expanding, not consolidating. When one group gets taken down, affiliates scatter and join others. New groups appear regularly.

How Does the Infostealer-to-Ransomware Pipeline Work?

This is the trend that matters most for prevention. Phishing campaigns now deliver infostealer malware 84% more often than last year according to IBM X-Force 2025. That’s not a random statistic. It’s the feeding mechanism for ransomware operations.

Infostealer malware captures credentials and session tokens from infected devices. Unlike ransomware that announces itself immediately, infostealers operate silently, exfiltrating data to command servers. This stolen data then appears on dark web marketplaces where initial access brokers purchase credentials to sell network access to ransomware operators.

Here’s how the pipeline works:

Step 1: Initial Infection. An employee clicks a phishing link or downloads malicious software. Infostealers like RedLine and Vidar install silently and begin harvesting credentials from browsers. They also grab session tokens from active sessions.

Step 2: Data Exfiltration. The malware sends harvested credentials to attacker infrastructure. This includes VPN credentials and RDP logins. Session cookies that bypass MFA are especially valuable. Remote workers are especially exposed because they often save work passwords in personal browsers.

Step 3: Marketplace Sale. Stolen credentials appear on dark web marketplaces within days. Initial access brokers purchase credentials that provide corporate network access. A single infected employee device can expose dozens of corporate services.

Step 4: Network Access Sale. Initial access brokers verify which credentials still work, then sell network access to ransomware affiliates. The price depends on the target’s revenue and the level of access being sold.

Step 5: Ransomware Deployment. Ransomware operators use purchased access to enter networks and perform reconnaissance. They move laterally before deploying ransomware or exfiltrating data for extortion.

The critical insight: this pipeline takes days to weeks. Credentials appear on dark web marketplaces before ransomware operators buy them. That delay is your detection window.

The 12% increase in infostealer credentials for sale on the dark web (IBM X-Force 2025) means more companies are exposed but haven’t been attacked yet. That exposure is detectable.

How Is AI Changing Ransomware?

AI is accelerating both sides of the ransomware problem.

Attackers use AI to:

  • Write more convincing phishing emails that bypass spam filters and fool trained employees
  • Automate target research (scraping LinkedIn, financial filings, vendor relationships) in minutes instead of days
  • Generate deepfake voice calls that clone an executive’s voice for BEC-style attacks combined with ransomware
  • Create polymorphic malware that changes its code signature to evade detection

IBM’s 2025 report found that 1 in 6 breaches involved attacker-deployed AI. Shadow AI (unauthorized AI tools used by employees) was involved in 20% of breaches and added $670,000 to average breach costs.

Defenders use AI to:

  • Detect behavioral anomalies faster than rule-based SIEM alerts
  • Correlate signals across endpoints, network, and cloud (XDR)
  • Automate initial triage so analysts focus on real threats

The problem: attackers are adopting AI faster than most security teams. AI-generated phishing accounted for 37% of attacker AI usage. Deepfake impersonation was 35%. The gap between AI-powered attacks and AI-powered defense is where most companies are vulnerable right now.

Which Industries Are Most Targeted by Ransomware?

Industry targeting shifts constantly. The sectors hit hardest change from quarter to quarter depending on which groups are active and what access brokers are selling.

Manufacturing has been the most targeted sector in recent Breachsense tracking data. Manufacturers often run legacy operational technology alongside IT systems, creating a larger attack surface.

Healthcare is always near the top because hospitals can’t afford downtime. Patient care depends on system availability, which gives attackers maximum pressure.

Professional services firms (law, accounting, consulting) are targeted because they hold client data. One compromised firm can expose dozens of clients.

Construction and finance have both climbed the rankings recently. Construction companies manage access for many subcontractors. Financial firms hold data worth both extortion and fraud.

The pattern isn’t fixed. Attackers go where the access is cheapest and the pressure to pay is highest.

How Are SMBs Affected Differently?

The most striking statistic from the Verizon 2025 DBIR: ransomware affects 88% of SMB breaches.

Small and medium businesses get hit harder per capita than enterprises. Why?

  • Smaller companies lack dedicated security teams. The office manager might also be the “IT person.”
  • They run outdated systems that don’t get patched because nobody owns the process.
  • They can’t see the threats targeting them. No SOC, no threat intelligence feeds.
  • They’re more likely to pay quickly because extended downtime can kill the business.
  • They make fewer headlines, so attackers face less scrutiny.

What SMBs can do: Start with MFA on everything. It’s free with most platforms and blocks most credential-based attacks. Then mandate a password manager so employees stop reusing the same password across every service. That single change means a breach at one vendor doesn’t hand attackers the keys to your network.

Credential monitoring catches passwords that have already been stolen, and you don’t need a SOC to use it. Keep immutable backups offline and test them quarterly. If you can’t staff a security team, a managed detection service fills the gap.

The groups targeting SMBs aren’t less capable. They’re the same groups. They just know smaller companies have fewer defenses.

What Does Ransomware Cost?

The financial impact extends far beyond ransom payments. IBM’s 2025 Cost of a Data Breach Report puts the average ransomware breach cost at $5.08 million when attackers disclose the breach. That’s among the most expensive breach categories.

Recovery costs average $1.5 million according to Sophos’ 2025 State of Ransomware report. This includes incident response and system restoration. Business disruption and remediation efforts continue for months after the attack.

Median ransom payments dropped to $115,000 according to the 2025 Verizon DBIR, down from $150,000 the year before. The figure varies enormously based on target size.

Here’s the shift: the Sophos 2025 report found nearly half of victims still pay. But median ransom demands dropped 50% from $2 million to $1 million, and 53% of victims negotiated lower payments. Companies are getting better at pushing back.

However, refusing to pay doesn’t eliminate costs. Victims still face business disruption and forensic investigation expenses. Legal fees add up. Reputational damage compounds when stolen data appears on ransomware leak sites.

Law enforcement involvement is declining too. Only 40% of victims contacted law enforcement in 2025, down from 52% in 2024 (IBM Cost of a Data Breach 2025). This trend reduces the intelligence available to help other potential victims.

Cyber insurance is tightening. Insurers now require MFA, endpoint detection, and tested backup procedures before issuing policies. Premiums have risen and some carriers exclude ransomware payments entirely. If you don’t meet their requirements, you may not be covered when you need it. Check your policy before an incident.

The economics favor prevention. Detecting threats before attacks is cheaper than responding to them. That’s where dark web monitoring provides the most value.

How Can Security Teams Detect Ransomware Early?

Most ransomware detection focuses on endpoint behavior after attackers are already inside. Early detection means watching for precursors before the attack begins.

Monitor for Leaked Credentials

Your employees’ credentials may already be circulating on dark web marketplaces from infostealer infections or third-party breaches. Compromised credential monitoring catches these exposures before attackers exploit them.

Credentials from infostealer logs are especially dangerous because they often include session tokens that bypass MFA entirely. Resetting the password isn’t enough in those cases. You need to kill active sessions too.
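The pipeline above (Steps 1 to 5) and the reset-plus-revoke point here come together in a triage routine. The following is an added Python example, not Breachsense code: it takes records shaped like an infostealer-log export (login, target URL, whether a session cookie was captured, date first seen, source), keeps only hits on our own email domain, and emits ordered response actions. The corporate domain, the hostname hints for remote-access services, and every sample record are constructed for illustration.

```python
"""Triage leaked-credential records: who needs a reset, who needs sessions killed.

Added example, not Breachsense code. Assumes a feed of records shaped like
infostealer-log exports. Every record, domain and hostname is constructed.
"""
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

CORPORATE_DOMAINS = {"example-corp.com"}  # assumption: our own email domains
# Hostname fragments that suggest remote-access or identity services (assumed list)
HIGH_VALUE_HINTS = ("vpn", "rdp", "remote", "citrix", "sso", "okta", "admin")
PRIORITY_RANK = {"critical": 0, "high": 1, "medium": 2}
TRIAGE_AS_OF = date(2026, 4, 5)  # constructed "today" for the exposure age


@dataclass(frozen=True)
class LeakRecord:
    login: str
    url: str
    has_session_token: bool
    first_seen: date
    source: str


@dataclass
class ResponseAction:
    login: str
    service: str
    priority: str
    actions: tuple
    exposed_days: int


def is_corporate_login(login):
    """True when the login is an email address on one of our domains."""
    if "@" not in login:
        return False
    return login.rsplit("@", 1)[1].lower() in CORPORATE_DOMAINS


def triage(records, today=TRIAGE_AS_OF):
    """Turn raw leak records into ordered response actions.

    Every corporate hit gets a password reset. A captured session token also
    requires revoking live sessions, because the token lets an attacker skip
    login (and therefore MFA) entirely. Remote-access services rank higher.
    """
    out = []
    for r in records:
        if not is_corporate_login(r.login):
            continue  # personal accounts are out of scope for this feed
        host = (urlparse(r.url).hostname or "").lower()
        priority = "high" if any(h in host for h in HIGH_VALUE_HINTS) else "medium"
        actions = ["reset_password"]
        if r.has_session_token:
            actions.append("revoke_sessions")
            priority = "critical" if priority == "high" else "high"
        out.append(ResponseAction(r.login, host, priority, tuple(actions),
                                  (today - r.first_seen).days))
    # Highest priority first; within a priority, the oldest exposure first,
    # since it has been sitting in the detection window the longest.
    out.sort(key=lambda a: (PRIORITY_RANK[a.priority], -a.exposed_days))
    return out


# Constructed sample feed: three corporate hits and one personal account.
SAMPLE_RECORDS = [
    LeakRecord("alice@example-corp.com", "https://vpn.example-corp.com/login",
               True, date(2026, 3, 28), "infostealer_log"),
    LeakRecord("bob@example-corp.com", "https://mail.example-corp.com/owa",
               False, date(2026, 3, 30), "combolist"),
    LeakRecord("carol@example-corp.com", "https://rdp.example-corp.com",
               False, date(2026, 3, 25), "infostealer_log"),
    LeakRecord("dave@personal-mail.test", "https://shop.test/login",
               True, date(2026, 3, 29), "infostealer_log"),
]

if __name__ == "__main__":
    for a in triage(SAMPLE_RECORDS):
        print(f"{a.priority:8} {a.login:26} {a.service:26} "
              f"{','.join(a.actions)}  exposed {a.exposed_days}d")
```

Running it prints the VPN hit with a captured cookie as critical (reset and revoke), the RDP hit as high, and the webmail hit as medium; the personal account is dropped. The exposure age is the practical measure of how much of the days-to-weeks window has already been used up.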

Track Ransomware Leak Sites

Ransomware groups announce victims on dedicated leak sites before publishing stolen data. Monitoring these sites provides early warning when your company or your vendors appear. This gives you time to assess exposure and begin incident response before data spreads.

Watch Initial Access Broker Activity

Initial access brokers advertise network access for sale on hacker forums and dark web marketplaces. These listings often appear days or weeks before ransomware deployment. If you detect your network access being sold, you know an attack is coming.

Monitor Threat Actor Channels

Attackers use Telegram channels and hacker forums to sell network access and share stolen data. Monitoring these channels catches mentions of your company or your data being sold. This provides early warning that your network may already be compromised.

Detect Third-Party Exposures

Your vendors may be compromised before you know about it. Monitoring for third-party breaches that could expose your data provides advance warning of supply chain attacks.

The common thread is shifting from reactive endpoint detection to external threat intelligence. Stolen credentials and network access appear on the dark web before ransomware operators use them.

What Ransomware Prevention Measures Actually Work?

Generic advice like “implement MFA and maintain backups” isn’t wrong, but it’s incomplete. Here’s what actually prevents ransomware attacks.

Patch Exploited Vulnerabilities Fast

Stolen credentials and exploited vulnerabilities share the top spot depending on which report you read. The Sophos 2025 report puts vulnerabilities first. Beazley’s data puts credentials first. Either way, both need attention. For vulnerabilities, prioritize the ones actively exploited by ransomware groups, tracked through CISA’s Known Exploited Vulnerabilities catalog.
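To make KEV-based prioritization concrete, here is an added Python example (not Breachsense’s or CISA’s code) that ranks an asset inventory against a KEV-style catalog, putting entries with known ransomware use first, then internet-facing assets, then entries closest to or past their due date. Field names follow the CISA KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); the catalog entries, their placeholder CVE identifiers, and the hosts are constructed. Matching is on vendor/product only, because the real catalog carries no version ranges; in practice a vulnerability scanner supplies the version-aware match.

```python
"""Rank exposed assets against a KEV-style catalog, ransomware-linked CVEs first.

Added example, not Breachsense or CISA code. Field names follow the CISA KEV
JSON feed; the entries (placeholder CVE IDs), products and hosts are constructed.
"""
from datetime import date

AS_OF = date(2026, 4, 5)  # constructed "today" for the ranking

# Constructed catalog subset in KEV field layout; CVE IDs are placeholders.
KEV_SAMPLE = [
    {"cveID": "CVE-0000-10001", "vendorProject": "ExampleVendor", "product": "EdgeVPN",
     "dueDate": "2026-04-10", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-10002", "vendorProject": "ExampleVendor", "product": "DocViewer",
     "dueDate": "2026-04-30", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-10003", "vendorProject": "OtherVendor", "product": "Hypervisor",
     "dueDate": "2026-04-15", "knownRansomwareCampaignUse": "Known"},
]

# Constructed asset inventory (hypothetical hosts).
INVENTORY = [
    {"host": "vpn-gw-01", "vendorProject": "ExampleVendor", "product": "EdgeVPN",
     "internet_facing": True},
    {"host": "esx-03", "vendorProject": "OtherVendor", "product": "Hypervisor",
     "internet_facing": False},
    {"host": "ws-114", "vendorProject": "ExampleVendor", "product": "DocViewer",
     "internet_facing": False},
    {"host": "ws-115", "vendorProject": "ExampleVendor", "product": "Spreadsheet",
     "internet_facing": False},
]


def score_finding(asset, entry, today):
    """Higher score = patch sooner: ransomware use dominates, then exposure, then deadline."""
    score = 0
    if entry["knownRansomwareCampaignUse"] == "Known":
        score += 100
    if asset["internet_facing"]:
        score += 50
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    if days_left < 0:
        score += 25  # already past the catalog's due date
    elif days_left <= 7:
        score += 10
    return score, days_left


def patch_priority(inventory, catalog, today=AS_OF):
    """Join inventory to catalog on vendor/product and return findings, most urgent first."""
    index = {}
    for entry in catalog:
        key = (entry["vendorProject"].lower(), entry["product"].lower())
        index.setdefault(key, []).append(entry)
    findings = []
    for asset in inventory:
        key = (asset["vendorProject"].lower(), asset["product"].lower())
        for entry in index.get(key, []):
            score, days_left = score_finding(asset, entry, today)
            findings.append({
                "host": asset["host"],
                "cveID": entry["cveID"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_to_due": days_left,
                "score": score,
            })
    findings.sort(key=lambda f: (-f["score"], f["days_to_due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in patch_priority(INVENTORY, KEV_SAMPLE):
        flag = "RANSOMWARE" if f["ransomware"] else "          "
        print(f"{f['score']:4}  {flag}  {f['host']:10} {f['cveID']}  due in {f['days_to_due']}d")
```

With the constructed data the internet-facing VPN gateway with a ransomware-linked entry lands on top, the hypervisor second, and the workstation with a non-ransomware entry last; the host with no catalog match produces no finding at all, which is the point of filtering by KEV rather than by raw CVSS.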

Monitor for Compromised Credentials

Don’t rotate passwords on a schedule. That just leads to weaker passwords. Instead, monitor for your credentials on dark web marketplaces and infostealer logs. When one shows up compromised, reset it immediately. That’s targeted response, not busywork.

Segment Networks to Limit Lateral Movement

When attackers gain initial access, network segmentation determines how far they can spread. Ransomware operators need time to move laterally and identify valuable targets. Proper segmentation buys you detection time and limits the blast radius.

Assume MFA Bypasses Happen

Infostealer malware steals session tokens along with passwords. With a valid session token, attackers skip the login entirely and land inside an already-authenticated session. MFA never triggers because the attacker isn’t logging in. Don’t rely on MFA as your only defense layer.
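A stolen session token shows up in your own logs as a session that continues from a client that never authenticated. The following is an added Python example, not from the page or any product: it replays constructed JSON-per-line authentication events (assumed field names: ts, event, user, session_id, src_ip, user_agent), records the client fingerprint at login, and flags a session when a later request arrives from a different IP and user agent, or when a session is used without any login event having been seen at all.

```python
"""Flag sessions used from a different client than the one that logged in.

Added example, not from the page. Log lines are constructed, one JSON object
per line with assumed field names; a real IdP or web-app log needs its own
field mapping.
"""
import json
from datetime import datetime

# Constructed events, deliberately out of order to show that parsing sorts by time.
SAMPLE_LOG = """
{"ts": "2026-04-01T08:02:11Z", "event": "login",   "user": "alice", "session_id": "s-1001", "src_ip": "203.0.113.10",  "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"}
{"ts": "2026-04-03T23:14:02Z", "event": "request", "user": "alice", "session_id": "s-1001", "src_ip": "198.51.100.77", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"}
{"ts": "2026-04-01T08:05:40Z", "event": "request", "user": "alice", "session_id": "s-1001", "src_ip": "203.0.113.10",  "user_agent": "Mozilla/5.0 (Windows NT 10.0) Firefox/124.0"}
{"ts": "2026-04-01T09:00:00Z", "event": "login",   "user": "bob",   "session_id": "s-1002", "src_ip": "203.0.113.20",  "user_agent": "Mozilla/5.0 (Macintosh) Safari/17.0"}
{"ts": "2026-04-01T09:30:00Z", "event": "request", "user": "bob",   "session_id": "s-1002", "src_ip": "203.0.113.20",  "user_agent": "Mozilla/5.0 (Macintosh) Safari/17.0"}
{"ts": "2026-04-02T02:00:00Z", "event": "request", "user": "carol", "session_id": "s-1003", "src_ip": "198.51.100.9",  "user_agent": "Mozilla/5.0 (X11; Linux x86_64) Chrome/123.0"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted chronologically."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_session_reuse(events):
    """Return one alert per suspicious session.

    'client_changed': a request after login comes from a different IP and/or
    user agent than the login did. 'no_login_observed': a session id is used
    but no login for it was ever seen, which is what an imported cookie looks like.
    """
    baseline = {}   # session_id -> (src_ip, user_agent) recorded at login
    alerts, alerted = [], set()
    for e in events:
        sid = e["session_id"]
        fingerprint = (e["src_ip"], e["user_agent"])
        if e["event"] == "login":
            baseline[sid] = fingerprint
            continue
        if sid in alerted:
            continue
        if sid not in baseline:
            alerts.append({"session_id": sid, "user": e["user"],
                           "reason": "no_login_observed", "ts": e["ts"].isoformat()})
            alerted.add(sid)
        elif fingerprint != baseline[sid]:
            changed = [name for name, old, new in
                       zip(("src_ip", "user_agent"), baseline[sid], fingerprint) if old != new]
            alerts.append({"session_id": sid, "user": e["user"], "reason": "client_changed",
                           "changed": changed, "ts": e["ts"].isoformat()})
            alerted.add(sid)
    return alerts


if __name__ == "__main__":
    for a in detect_session_reuse(parse_events(SAMPLE_LOG)):
        print(a)
```

The response that matches the text is to revoke the flagged session rather than only resetting the password. The fingerprint comparison is intentionally simple; in production you would tolerate IP changes within the same network or ASN for mobile users and weight a simultaneous IP and user-agent change much higher than either alone.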

Know How Attackers Actually Get In

Most ransomware groups are opportunistic. They attack whoever they can buy access to. But knowing their current tactics (stolen credentials, exploited VPNs, phishing with infostealers) tells you where to focus your defenses. If 48% of attacks start with stolen VPN credentials, that’s where your monitoring should be too.

Test Backup Recovery

Backups matter, but many companies discover their backups don’t actually work during the one moment they need them. Ransomware groups now target backup systems specifically. Test full restores regularly so you know you can recover before you’re under pressure.
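A restore test is only meaningful if it compares what came back against an independent record of what was there. The following is an added Python example, not from the page: it builds a small constructed data set, records a SHA-256 manifest directly from the source, archives the data, restores the archive into a fresh directory, and reports missing or altered files. A second run deliberately omits one file from the backup job to show what a failing restore test looks like. All paths are temporary and hypothetical.

```python
"""Restore-test a backup into a scratch directory and verify every file by hash.

Added example, not from the page. Data set, paths and the omitted file are
constructed for illustration.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(source, manifest_path):
    """Hash every file under source. Taken from the live data, independent of the backup job."""
    entries = {p.relative_to(source).as_posix(): sha256_file(p)
               for p in sorted(source.rglob("*")) if p.is_file()}
    manifest_path.write_text(json.dumps(entries, indent=2))
    return entries


def make_backup(source, archive_path, skip=()):
    """Archive source into a gzipped tar. 'skip' simulates a misconfigured exclusion."""
    with tarfile.open(archive_path, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            rel = p.relative_to(source).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(str(p), arcname=rel)


def restore_and_verify(archive_path, manifest_path, restore_dir):
    """Extract into restore_dir and compare against the manifest; never trust the archive's own listing."""
    restore_dir = Path(restore_dir)
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive_path, "r:gz") as tar:
        try:
            tar.extractall(restore_dir, filter="data")  # safe extraction filter (Python >= 3.12 / backports)
        except TypeError:
            tar.extractall(restore_dir)                 # older interpreters without the filter argument
    expected = json.loads(manifest_path.read_text())
    missing, mismatched = [], []
    for rel, digest in expected.items():
        p = restore_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            mismatched.append(rel)
    return {"ok": not missing and not mismatched, "checked": len(expected),
            "missing": missing, "mismatched": mismatched}


def run_restore_test(skip=()):
    """End-to-end: build constructed data, manifest, backup, restore, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "source"
        (source / "db").mkdir(parents=True)
        (source / "docs").mkdir()
        (source / "db" / "ledger.sqlite").write_bytes(b"\x00" * 4096 + b"ledger")
        (source / "docs" / "policy.txt").write_text("backup policy v1\n")
        manifest, archive = root / "manifest.json", root / "backup.tgz"
        write_manifest(source, manifest)
        make_backup(source, archive, skip=skip)
        return restore_and_verify(archive, manifest, root / "restore")


if __name__ == "__main__":
    print("good backup:", run_restore_test())
    print("backup missing a file:", run_restore_test(skip=("db/ledger.sqlite",)))
```

The manifest is written from the source before the backup runs, so a backup job that silently skips a file, or an archive that was tampered with on a reachable share, shows up as missing or mismatched entries rather than as a green light. On a real system the manifest should be stored with the offline or immutable copy, and the restore target should be an isolated host, not the production volume.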

Conclusion

Ransomware isn’t slowing down. AI is making attacks harder to catch. SMBs are getting hit hardest. And the defense that matters most is catching the precursors, not reacting to the encryption.

Scan your dark web exposure to see what’s already leaked. Check our monthly ransomware reports for the latest data on which groups are active and what they’re targeting.

For real-world context on how these trends play out, see our 15 famous ransomware examples.

Ransomware Trends FAQ

Ransomware operators typically purchase access rather than hack in directly. They buy stolen credentials from infostealer logs or acquire network access from initial access brokers on dark web markets. VPN and RDP credentials are especially valuable. This purchasing model means stolen credentials circulate on the dark web before attacks begin.

Infostealers capture credentials from infected devices, including VPN and RDP logins. These credentials get sold on dark web marketplaces to initial access brokers, who then sell network access to ransomware affiliates. The entire pipeline can take days to weeks, creating a detection window.

Monitor ransomware leak sites where groups announce victims and publish stolen data. Watch threat actor channels for mentions of your company or your credentials being sold. Track initial access broker listings for your network access being advertised.

Ransomware operators prioritize VPN credentials and RDP access. Domain administrator accounts are especially valuable for lateral movement. Credentials from infostealer logs often include session tokens that bypass MFA entirely.

Prevention starts with detecting precursors. Monitor dark web markets for your credentials and reset any that appear. Patch vulnerabilities that ransomware groups actively exploit. Use unique passwords across services so one breach doesn’t expose multiple systems.

Attackers use AI to write more convincing phishing emails, automate target research, and scale attacks that used to require manual work. Some groups combine ransomware with AI-generated voice calls that clone executives. On the defense side, AI-powered detection catches behavioral anomalies faster. But attackers are adopting AI faster than most defenders.
