Dive Brief:
- Ransomware gangs are adapting to stronger enterprise defenses and increased law enforcement pressure with more sophisticated tactics, according to Huntress' 2025 Cyber Threat Report.
- In 75% of the ransomware incidents Huntress observed in 2024, threat actors used remote access Trojans (RATs), while 17.3% of attacks featured abuse of remote monitoring and management products like ConnectWise ScreenConnect, TeamViewer and LogMeIn.
- In an effort to evade EDR protections, threat actors are shifting to data theft and extortion attacks instead of deploying ransomware and increasingly relying on "living off the land" techniques with legitimate system administrator tools.
Dive Insight:
Huntress found that ransomware gangs are broadly using the kinds of advanced tactics and techniques that were first tested on large organizations, such as tampering or disabling cybersecurity products. "The gap between sophistication in attacks on large enterprises and smaller businesses has narrowed -- in fact, it's all but disappeared," the company said.
Based on threat monitoring data for more than 3 million endpoints, Huntress observed infostealer malware in nearly 24% of attacks in 2024, while malicious scripts, which were used to automate attacks and evade detection, featured in 22% of incidents. Greg Linares, principal threat intelligence analyst at Huntress, told Cybersecurity Dive that the increased use of sophisticated evasion techniques largely stems from the competitive nature of the ransomware ecosystem.
"Now, more than ever, if malware families are not staying up to date with detections, they will get caught and attackers are quick to drop them for others that work," Linares said via email. "And malware that gets caught these days becomes irrelevant fast."
Speed was also a key attribute of many ransomware gangs in 2024, according to Huntress' time-to-ransom data. The average TTR, which measures the time from initial access to delivery of the ransom note, was nearly 17 hours. But several gangs, including Play, Akira and Dharma/Crysis, were even faster last year, with an average TTR of approximately 6 hours.
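As an added example, not code from Huntress or its report: a small Python detector that flags the RMM products named above when they start on a host where the inventory does not sanction them, and derives a time-to-ransom figure from the first such start to the creation of a ransom note. The executable names, host inventory, ransom-note filename and log lines are constructed assumptions for illustration.

```python
"""Flag unsanctioned RMM tool starts and measure time-to-ransom over
constructed endpoint telemetry (JSON lines)."""
import json
from datetime import datetime, timezone

# Assumed executable names for the RMM products named in the report.
RMM_PROCESSES = {
    "screenconnect.clientservice.exe": "ConnectWise ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "logmein.exe": "LogMeIn",
}
# Hypothetical inventory: which RMM product each host is allowed to run.
SANCTIONED = {"hr-laptop-07": {"LogMeIn"}, "fin-ws-12": set()}

# Constructed sample telemetry, not real incident data.
SAMPLE_LOG = r"""
{"ts":"2024-06-03T08:02:11Z","host":"hr-laptop-07","event":"process_start","image":"C:\\Program Files\\LogMeIn\\LogMeIn.exe"}
{"ts":"2024-06-03T09:14:52Z","host":"fin-ws-12","event":"process_start","image":"C:\\Users\\Public\\ScreenConnect.ClientService.exe"}
{"ts":"2024-06-03T09:20:03Z","host":"fin-ws-12","event":"process_start","image":"C:\\Windows\\System32\\cmd.exe"}
{"ts":"2024-06-04T02:09:40Z","host":"fin-ws-12","event":"file_create","path":"C:\\Users\\Public\\readme.txt"}
"""

def parse(log):
    """Parse JSON-lines telemetry into a list of event dicts."""
    return [json.loads(line) for line in log.strip().splitlines()]

def unsanctioned_rmm(events):
    """Return (host, product, timestamp) for RMM starts the inventory does not allow."""
    findings = []
    for e in events:
        if e["event"] != "process_start":
            continue
        name = e["image"].rsplit("\\", 1)[-1].lower()
        product = RMM_PROCESSES.get(name)
        if product and product not in SANCTIONED.get(e["host"], set()):
            findings.append((e["host"], product, e["ts"]))
    return findings

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def time_to_ransom_hours(events, host, note_name="readme.txt"):
    """Hours from the first unsanctioned RMM start on host to ransom-note creation
    (note_name is an assumed filename); None if either event is missing."""
    starts = [ts for h, _, ts in unsanctioned_rmm(events) if h == host]
    notes = [e["ts"] for e in events if e["host"] == host
             and e["event"] == "file_create" and e["path"].lower().endswith(note_name)]
    if not starts or not notes:
        return None
    return (_ts(min(notes)) - _ts(min(starts))).total_seconds() / 3600
```

Sanctioned LogMeIn on hr-laptop-07 is not reported, while the ScreenConnect client on fin-ws-12 is, and the constructed timeline yields a TTR just under 17 hours.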
Huntress also observed a shift in strategy as many ransomware gangs simply exfiltrated sensitive data from victim organizations instead of encrypting it. The company said this pivot is a response to stronger defenses as well as increased law enforcement actions that took down notorious gangs such as Lockbit.
That has presented problems for enterprises – even those that have invested in EDR and ransomware protection services. "While these defenses have thrived, data loss prevention services have hardly made any advances and are often only installed in mature corporate environments," the report said. "Attackers are becoming more aware of these circumstances and are opting to steal data and hold it for ransom."
Linares said that DLP tends to be an afterthought for many organizations and is least present in corporate environments that have work-from-home and BYOD policies, which have increased in recent years. Additionally, he said such DLP protections typically focus on the endpoints requesting sensitive data from cloud instances rather than having a fully monitored and controlled network.
"In the last few years, reviewing data breach reports and working with response teams," Linares said, "I can say the number of times DLP detecting activity was low, and DLP actually preventing exfiltration was even lower."