Why Credential Theft and Data Exfiltration Are Outpacing Ransomware


Because the threat landscape is constantly evolving, the common reputation of ransomware no longer reflects reality. Many still think of ransomware solely as hackers compromising and encrypting sensitive files in order to extort money from organizations in exchange for the return of the data.

However, current data revealed by research like Picus Security’s Blue Report 2025 paints a different picture of the ransomware environment. Threat actors are increasingly relying on stealth-focused approaches over strictly disruptive attacks, using more persistent and evasive tactics than the popular attacks of years ago.

The Credential Crisis

According to the report, 46% of tested environments saw at least one password hash successfully cracked in 2025, a steep increase from 25% in 2024. Tests also revealed a 98% success rate in attacks using valid credentials. Identity-based attacks cannot be stopped with traditional defense measures alone; they demand layered tools and policies to prevent sophisticated threats. These attacks are often built specifically to circumvent known security measures through evasive techniques and insidious social engineering.

This information in the report demonstrates a serious lack of identity and credential security in many environments. “This latest research provides strong evidence that poor credential hygiene remains a persistent and deeply entrenched weakness in organizational cybersecurity,” says Darren Guccione, CEO and Co-Founder at Keeper Security. “The data suggests both attacker capability and organizational vulnerability are moving in the wrong direction.”

Data Exfiltration: A Gaping Hole

This research also shows a massive gap in data security, putting vast amounts of potentially sensitive information at risk. An alarmingly low 3% of data exfiltration attempts were blocked, down from 9% in 2024. With double extortion and information resale attacks on the rise, this trend is especially concerning. Attackers are no longer relying solely on the tried-and-true methods of classic ransomware attacks, undermining the effectiveness of many security measures against modern attacks.

Traditional encryption-focused defenses are not effective against these attacks as threat actors continue to advance their techniques in order to favor stealth and prevent detection. The low rate of success in blocking data exfiltration revealed by this research spells trouble for any organization that falls victim to a data breach.

Ransomware Strains Still Matter — But Differently

While the prevalence and the risk of ransomware are persistent, how it manifests in the threat landscape shifts over time. The most popular ransomware families still prove extremely difficult for organizations to protect against, but the tactics and goals are often different from the traditional conception of what ransomware looks like. Although awareness of and efforts toward ransomware resilience are high, organizations still struggle to actually protect against these attacks.

According to the data in the report, the most challenging ransomware variant in 2025, as in 2024, is BlackByte, prevented in only 26% of cases. It is closely followed by BabLock with a 34% prevention rate and Maori with 41%. Among the most popular ransomware actors, encryption is now only one of several commonly used tactics, not necessarily the primary or sole goal of ransomware attacks.

Detection Deficit: The Blind Spot Problem

One of the major factors in the ongoing challenge of protecting against threats is a lack of visibility and monitoring of the systems involved. Adversarial discovery techniques like system network configuration discovery and process discovery have prevention rates below 12%, demonstrating significant gaps in early-stage detection.

Attackers are often able to achieve lateral movement within a network without being detected by security tools. Especially with attacks that leverage stolen credentials, much lateral movement takes place using the legitimate infrastructure of the infiltrated system against itself, which can escape detection by security measures searching for threat signatures or specific unauthorized actions.
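The discovery deficit described above is easier to see with a concrete detection. The following is an added example, not code from the article or from Picus Security: it runs a simple behavioral rule over constructed process-creation events and flags a host/user pair that issues several distinct discovery commands within a short window (the command list, window and threshold are assumptions to tune locally).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of process-creation events (not real telemetry):
# (timestamp, host, user, command line)
SAMPLE_EVENTS = [
    ("2025-06-01T09:00:01", "ws-17", "jdoe", "ipconfig /all"),
    ("2025-06-01T09:00:04", "ws-17", "jdoe", "whoami /groups"),
    ("2025-06-01T09:00:09", "ws-17", "jdoe", "tasklist /v"),
    ("2025-06-01T09:00:15", "ws-17", "jdoe", "net view /domain"),
    ("2025-06-01T09:30:00", "ws-22", "asmith", "ipconfig /all"),
    ("2025-06-01T14:10:00", "ws-22", "asmith", "tasklist"),
]

# Built-in tools mapped to the MITRE ATT&CK discovery techniques the
# article names (plus whoami); an assumed, deliberately short list.
DISCOVERY = {
    "ipconfig": "T1016 System Network Configuration Discovery",
    "arp": "T1016 System Network Configuration Discovery",
    "route": "T1016 System Network Configuration Discovery",
    "nbtstat": "T1016 System Network Configuration Discovery",
    "tasklist": "T1057 Process Discovery",
    "whoami": "T1033 System Owner/User Discovery",
}


def detect_discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Return one alert per (host, user) that runs at least `threshold`
    distinct discovery tools inside any `window`; each alert lists the
    tools and ATT&CK techniques observed. Single commands never alert,
    which keeps an admin's lone `ipconfig` out of the queue."""
    by_actor = defaultdict(list)
    for ts, host, user, cmd in events:
        tool = cmd.split()[0].lower()          # first token is the binary name
        if tool in DISCOVERY:
            by_actor[(host, user)].append((datetime.fromisoformat(ts), tool))
    alerts = []
    for (host, user), hits in by_actor.items():
        hits.sort()                            # chronological sliding window
        for i, (start, _) in enumerate(hits):
            seen = {tool for t, tool in hits[i:] if t - start <= window}
            if len(seen) >= threshold:
                alerts.append({
                    "host": host, "user": user,
                    "first_seen": start.isoformat(),
                    "commands": sorted(seen),
                    "techniques": sorted({DISCOVERY[t] for t in seen}),
                })
                break                          # one alert per actor is enough
    return alerts
```

Wire the same rule to real process-creation logs (Sysmon Event ID 1 or Windows 4688) and tune the threshold per host role, since helpdesk and admin accounts legitimately generate some of this noise.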

The Shift Security Teams Must Make

The methods used in the past to counteract ransomware attacks are no longer effective in fighting modern ransomware and related threats. Organizations must change their approach to maintain security. “Protecting identity today requires an organizational shift towards a zero-trust mindset, continuous validation, and proactive mitigation of credential-related risk. Failure to do so by organizations will put them at risk,” says Guccione.

Now it is more important than ever to shift toward identity-first defenses to protect against advanced and evolving threats. Organizations are encouraged to implement behavioral analytics tools, continuous monitoring, and network segmentation. It is also vital to reassess the prioritization of attack prevention and detection measures.

Securing Against the Invisible

While robust backup and recovery capabilities are still essential for mitigating a wide range of risks, they are not sufficient to protect against attacks that are increasingly expanding beyond traditional extortion tactics. The next frontier of ransomware defense isn’t fighting encryption — it’s stopping attackers before they blend in and disappear with your data.

Author

PJ Bradley, Contributing Writer, Security Buzz. PJ Bradley is a writer from southeast Michigan with a Bachelor's degree in history from Oakland University. She has a background in school-age care and experience tutoring college history students.