Google Threat Intelligence Group (GTIG) and Mandiant present a comprehensive analysis of the ransomware tactics, techniques, and procedures (TTPs) observed in their 2025 incident response engagements. Key findings include: vulnerability exploitation, especially of VPN and firewall appliances, was the top initial access vector, accounting for about a third of incidents; data theft occurred in 77% of ransomware intrusions (up from 57% in 2024); virtualization infrastructure was targeted in 43% of incidents (up from 29%); and REDBIKE was the most prevalent ransomware family, at roughly 30% of cases. The report covers the full attack lifecycle (initial access, foothold establishment, privilege escalation, lateral movement, data exfiltration, and ransomware deployment), naming specific tools, CVEs, and threat actor clusters throughout. Despite a record number of data leak site posts in 2025, ransom payment rates and average demands are declining, suggesting that ransomware operations are becoming less profitable. Threat actors are adapting by targeting smaller organizations, shifting toward data-theft-only extortion, integrating AI into their operations, and leveraging Web3 infrastructure for resilience.