Knowledge base Updated: February 5, 2026

Cyber Security Landscape 2024-2025: tactics, techniques and procedures (TTPs) of cyber criminals

Learn the latest cybercriminals' techniques and procedures for 2024-2025. nFlo analysis reveals the evolution of threats and how to detect them.

Understanding the constantly evolving tactics, techniques and procedures (TTPs) employed by cybercriminals is absolutely critical to the ability of modern organizations to build effective, adaptive and proactive defense strategies. Between 2024 and 2025, we see a process of further, progressive professionalization, specialization, and adaptation of the methods of a variety of criminal groups, from loosely affiliated collectives to highly organized syndicates operating on a global scale. Analyzing these TTPs, including both the tools, exploits and malware used, as well as the methods of infiltration, movement within the victim’s network and monetization of attacks, allows not only better prediction of future threats, but also more effective configuration of detection systems, prioritization of preventive actions and more effective response to security incidents that have already occurred. Knowing the modus operandi of the adversary is the foundation of modern cyber defense.


How are ransomware attacks and the Ransomware-as-a-Service (RaaS) model evolving, driving a wave of cyber breaches?

Ransomware attacks, which involve encrypting a victim’s data and demanding a ransom to unlock it, remain one of the most serious, destructive and also most lucrative cyber threats in the current landscape. Their evolution is largely driven by innovative, quasi-business models for cybercriminals, a key one being Ransomware-as-a-Service (RaaS). This model has significantly lowered the barrier to entry for potential attackers, who no longer need advanced technical skills to create their own malware. RaaS platforms, operating on a subscription or revenue-sharing basis, offer their “affiliates” (partners) off-the-shelf, often highly customizable ransomware variants, extensive attack management infrastructure (control panels, payment systems), technical support and even ready-made toolkits for data infiltration and exfiltration. RansomHub is an example of such a platform, one that rapidly gained ground in 2024. It offers its partners extremely favorable profit-sharing terms of up to 90% of the value of the ransom paid, which obviously stimulates the proliferation of attacks and encourages the emergence of numerous new, often ephemeral ransomware groups. Such “professionalization” and “serviceization” of cybercrime makes ransomware a more accessible and scalable threat.

Cybercriminals behind ransomware attacks are using increasingly sophisticated and brutal extortion methods that go far beyond simply encrypting the victim’s files. The tactic of double extortion, which involves exfiltrating (stealing) large amounts of sensitive data before encrypting it, and then threatening to expose it publicly or sell it on the black market if the victim refuses to pay the ransom, has become standard. Such a threat often proves more effective than simply blocking access to the data, especially if the organization has up-to-date backups. Some more aggressive groups go a step further, using triple extortion tactics. In this model, threats are extended to customers, business partners, suppliers and even employees of the victim. Attackers may, for example, inform customers that their data has been leaked, threaten DDoS attacks on business partners, or publish compromising information about employees, in order to put additional, multi-level pressure on the primary victim and force them to pay the ransom as soon as possible.

Ransomware groups are also showing growing interest in exploiting unconventional vulnerabilities and less obvious attack vectors. Groups such as Akira have demonstrated the ability to exploit unconventional entry points, such as poorly secured webcams connected to the corporate network, to bypass sophisticated endpoint detection and response (EDR) systems and successfully infiltrate internal networks. There is also increasing exploitation of vulnerabilities in Internet of Things (IoT) devices, smart home devices (which employees may use on their home networks and then connect to corporate resources), and poorly configured or outdated office equipment (printers, video conferencing systems), which often sit outside standard security monitoring and the regular patching cycle. Analysts also predict that tools such as Robotic Process Automation (RPA) platforms, used to automate business processes, and Low-Code/No-Code platforms, which facilitate the rapid development of applications without deep programming knowledge, may be adopted by ransomware developers in the future to automate various stages of an attack, personalize it and further scale operations.

📚 Read the complete guide: Ransomware: what it is, how to protect yourself, what to do after an attack

What are the distinctive tactics, techniques and procedures of the major ransomware groups in 2024-2025 to watch out for?

Among the numerous ransomware groups active in 2024-2025, several stand out for their scale of operations, technical sophistication and specific TTPs, dominating the global cyber extortion market. Understanding their individual modus operandi, preferred attack vectors, tools used and methods of operation is key to preparing appropriate, targeted defense and prevention strategies.

The Akira group, which emerged on the cybercrime scene in March 2023, initially focused its activities exclusively on extortion related to data theft, abandoning data encryption. However, it later returned to encrypting its victims’ files as well, effectively using a double extortion model. Akira is known to use ransomware variants written in the Rust programming language (specifically for VMware ESXi virtualization servers, which are frequent targets because they host multiple virtual machines) and C++ (for Windows and Linux operating systems). The typical initial access vector used by this group is the exploitation of compromised or weak credentials for VPN services that allow remote access to the corporate network. After gaining initial access, Akira operatives often use PowerShell scripts to delete Shadow Volume Copies on Windows, with the goal of preventing the victim from easily restoring encrypted data. They also use popular, publicly available hacking tools such as Mimikatz to extract credentials (passwords, hashes) from system memory and attempt to disable or bypass EDR software. According to data from Coveware, a company specializing in ransomware incident response, Akira accounted for about 14% of all observed ransomware attacks in the first quarter of 2025.

RansomHub, a platform that operates on a Ransomware-as-a-Service (RaaS) model, rose to prominence extremely quickly in 2024, partially filling the gap created by the disruption or disappearance of other big players such as LockBit and BlackCat/ALPHV. Its success is due in part to offering its partners (affiliates) very favorable ransomware profit-sharing terms (often up to 90% for the affiliate) and having a flexible, cross-platform toolkit capable of successfully attacking Windows, Linux and popular ESXi hypervisors. RansomHub is known for exploiting a wide range of initial access vectors, including vulnerabilities in VPN software (e.g., Fortinet CVE-2023-27997) and launching massive brute-force attacks against RDP (Remote Desktop Protocol) services and poorly secured VPN accounts. After gaining access to the victim’s network, RansomHub operators deploy tools like EDRKillShifter to neutralize or bypass security solutions on endpoints, use PowerShell and WMI (Windows Management Instrumentation) to execute commands, maintain persistence and gather information, and use popular scanning tools like Nmap and AngryIPScanner to reconnoiter the internal network. They use PsExec and RDP for lateral movement (spreading through the network), and Mimikatz to steal credentials. For the data encryption process itself, they use a combination of strong cryptographic algorithms, such as Curve25519, ChaCha20 and AES. RansomHub also accounted for about 14% of the global ransomware market in the first quarter of 2025.

The Cl0p group (sometimes spelled Clop) is known for conducting highly targeted, large-scale campaigns, often exploiting zero-day or newly disclosed (one-day) vulnerabilities in popular enterprise software, especially in secure file transfer solutions such as Accellion FTA, SolarWinds Serv-U, PaperCut, GoAnywhere MFT, and most notably Cleo Clarify and Progress MOVEit. Their tactics often involve mass, automated exfiltration of data from many victims at once, without encrypting that data on the victims’ systems. The group then contacts individual companies, threatening to publish the stolen information. This operating model makes their operations particularly severe and difficult to combat with traditional ransomware prevention methods. As of February 2025, the Cl0p group was linked to more than a third of global ransomware incidents, using the CVE-2024-50623 and CVE-2024-55956 vulnerabilities, among others, in their campaigns. In the first quarter of 2025, Cl0p was the main driver of growth in the overall number of ransomware victims, accounting for as much as 17% of all reported cases (which translated into 348 of the 2,063 identified victims during the period).

In addition to those mentioned, other notable groups were also active in the ransomware market in the first quarter of 2025, such as Lone Wolf (with 9% market share), Qilin (a new, fast-growing player that gained 8% share), Medusa (5%), Fog (also 5%) and Inc Ransom (another new player on the list, with 5% share). Also worth noting is the emergence of the FunkSec group at the end of 2024, which quickly gained notoriety for its public statements about using artificial intelligence tools to develop and improve its own ransomware and automate certain stages of attacks.

The table below synthesizes the key tactics, techniques and procedures (TTPs) of the major ransomware groups, making it easier to understand their specifics:

Akira
  Main attack vectors: compromised VPN credentials, unsecured devices (e.g., webcams)
  Tools/techniques used: PowerShell (Shadow Copy removal), Mimikatz, ransomware variants in Rust (ESXi) and C++ (Windows, Linux)
  Extortion methods: double extortion (file encryption + data theft)
  Targeted platforms: Windows, Linux, VMware ESXi
  Market share (Q1 2025, estimated): 14%
  Examples of CVEs used: no publicly dominant CVEs

RansomHub
  Main attack vectors: VPN vulnerabilities (e.g., Fortinet), brute-force attacks on RDP/VPN, buying access from IABs
  Tools/techniques used: EDRKillShifter, PowerShell, WMI, Nmap, AngryIPScanner, PsExec, RDP, Mimikatz, Curve25519/ChaCha20/AES encryption, profit-sharing RaaS platform
  Extortion methods: double extortion
  Targeted platforms: Windows, Linux, VMware ESXi
  Market share (Q1 2025, estimated): 14%
  Examples of CVEs used: CVE-2023-27997 (Fortinet)

Cl0p
  Main attack vectors: zero-day and one-day exploits in file transfer software (MOVEit, GoAnywhere)
  Tools/techniques used: highly specialized exploits for specific applications, mass exfiltration of data
  Extortion methods: mainly mass data theft (often without encryption)
  Targeted platforms: vulnerability-dependent (Windows/Linux servers)
  Market share (Q1 2025, estimated): 17%
  Examples of CVEs used: CVE-2024-50623, CVE-2024-55956

Table: Comparison of TTPs of key ransomware groups (Akira, RansomHub, Cl0p) in 2024-2025.
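Two of the TTPs listed for Akira and RansomHub (PowerShell deletion of Shadow Volume Copies, PowerShell and WMI command execution) leave recognisable traces in process-creation telemetry. The Python below is an added example, not code from nFlo or from any of the groups discussed: it parses constructed Sysmon-style process-creation events (JSON lines; the field names ts, host, user, image and cmd are an assumption of this example), flags the well-known command-line forms of shadow-copy deletion, and raises one host-level alert when several distinct techniques fire within a short window, which separates a stray admin command from pre-detonation recovery inhibition.

```python
import json
import re
from datetime import datetime

# Constructed sample telemetry modelled loosely on Sysmon Event ID 1 (process creation).
# Field names are an assumption of this example; map your SIEM's fields onto them.
# None of these lines come from a real incident.
SAMPLE_LOG = r'''
{"ts": "2025-02-11T03:14:07Z", "host": "FS01", "user": "CORP\\svc-backup", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe list shadows"}
{"ts": "2025-02-11T03:15:22Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -Command \"Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }\""}
{"ts": "2025-02-11T03:15:40Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2025-02-11T03:16:01Z", "host": "FS01", "user": "CORP\\jdoe", "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmd": "wmic shadowcopy delete"}
{"ts": "2025-02-11T08:02:11Z", "host": "WS22", "user": "CORP\\alice", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -Command \"Get-Process | Out-File C:\\temp\\procs.txt\""}
'''

# Detection rules: (rule name, regex over the command line, MITRE ATT&CK technique).
# T1490 is "Inhibit System Recovery". These are the generic command-line forms of
# shadow-copy deletion, not a signature specific to any one group.
RULES = [
    ("vssadmin_delete_shadows", re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I), "T1490"),
    ("vssadmin_resize_shadowstorage", re.compile(r"vssadmin(\.exe)?\s+resize\s+shadowstorage", re.I), "T1490"),
    ("wmic_shadowcopy_delete", re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I), "T1490"),
    ("powershell_win32_shadowcopy_delete", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I), "T1490"),
]


def parse_jsonl(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def scan(events):
    """Produce one finding per (event, matching rule) pair."""
    findings = []
    for ev in events:
        for name, rx, technique in RULES:
            if rx.search(ev.get("cmd", "")):
                findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                                 "rule": name, "technique": technique, "cmd": ev["cmd"]})
    return findings


def correlate(findings, window_seconds=600, min_distinct=2):
    """Raise one HIGH alert per host when at least `min_distinct` different rules fire
    on that host within `window_seconds`. A lone 'vssadmin delete shadows' may be an
    administrator cleaning up; several distinct recovery-inhibition techniques within
    minutes is the pattern that precedes encryption."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f)
    alerts = []
    for host, items in by_host.items():
        items.sort(key=lambda f: f["ts"])  # ISO-8601 strings sort chronologically
        for i, first in enumerate(items):
            t0 = _parse_ts(first["ts"])
            window = [f for f in items[i:]
                      if (_parse_ts(f["ts"]) - t0).total_seconds() <= window_seconds]
            rules = sorted({f["rule"] for f in window})
            if len(rules) >= min_distinct:
                alerts.append({"host": host, "severity": "HIGH", "first_seen": first["ts"],
                               "users": sorted({f["user"] for f in window}), "rules": rules})
                break  # one alert per host is enough for triage
    return alerts


def run(text=SAMPLE_LOG):
    """Convenience entry point: findings plus correlated host alerts for a JSONL log."""
    findings = scan(parse_jsonl(text))
    return findings, correlate(findings)


if __name__ == "__main__":
    fnd, alerts = run()
    for f in fnd:
        print(f"{f['ts']} {f['host']} {f['user']} {f['rule']} [{f['technique']}]")
    for a in alerts:
        print("ALERT", a)
```

The benign `vssadmin list shadows` and the unrelated PowerShell on WS22 produce no findings, while FS01 collects three distinct rules within 39 seconds and gets a single HIGH alert.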

An analysis of ransomware attack payment trends presents a complex and ambiguous picture, with data from various sources indicating partially contradictory trends. On the one hand, the Verizon DBIR 2025 report indicates some decline in the median amount of ransom paid, which was $115,000 in 2024 (compared to $150,000 in 2023). What’s more, 95% of recorded ransomware payments in 2024 did not exceed the amount of $3 million, while a year earlier this threshold was $9.9 million. The increase in the percentage of victims who categorically refuse to pay the ransom is also significant, with the rate rising to 64% in 2024 (from 50% in 2022).

On the other hand, according to Sophos data cited in the Securelist report, the average ransom actually paid by organizations that chose to pay increased significantly, from $1.54 million in 2023 to as much as $3.96 million in 2024. Coveware, which specializes in negotiating with ransomware groups and responding to incidents, meanwhile reported a decline in the payment rate itself (the percentage of companies paying a ransom) to a record low of 25% in Q4 2024 (down from 29% in Q4 2023). This decline could be the result of a combination of law enforcement actions (such as operations to disrupt ransomware groups), better security and backup strategies on the organization’s side, and increasing regulatory and legal pressure discouraging ransom payments (such as concerns about sanctions violations). However, the latest data from the first quarter of 2025, also from Coveware, shows a renewed increase in median ransom payments to $200,000.

These apparent discrepancies in the data suggest that while the overall trend may indicate a decline in the willingness of some organizations to pay ransoms (perhaps due to better recovery strategies, a growing awareness that payment does not guarantee recovery or lack of publication, or more effective law enforcement actions), attackers are continually adapting their strategies. They may, for example, increasingly target larger, more solvent organizations from which they can demand much higher sums, or use more severe and multifaceted forms of extortion (like the aforementioned triple extortion) to increase the pressure. Therefore, it remains absolutely critical for any organization to invest in building comprehensive cyber resilience, having robust, regularly tested incident response plans and effective and isolated disaster recovery strategies. These measures are aimed at minimizing the risk of becoming a victim and avoiding the need for any negotiations with cyber criminals.

How are cybercriminals increasingly attacking the software supply chain, and what are the most disturbing examples?

Attacks on the software supply chain are becoming more sophisticated, widespread and, most importantly, increasingly severe in their impact. Cybercriminals, including state-sponsored groups, are increasingly targeting less secure elements of the vast and complex ecosystem of software development, distribution and maintenance to gain indirect access to their intended, often much better protected targets. Attackers are focusing their efforts in several key areas: on build pipelines and CI/CD (Continuous Integration/Continuous Delivery) systems of popular open-source projects, on components and libraries included in artificial intelligence and machine learning (AI/ML) software supply chains, and on exploiting hidden, hard-to-detect flaws and backdoors in commercial, closed-source binaries distributed by trusted vendors. The Verizon DBIR 2025 report warns that the number of security breaches involving third parties, including those resulting directly from supply chain compromises, has doubled recently, now accounting for as much as 30% of all breaches analyzed.

Examples of significant and high-profile attacks on the software supply chain from 2024-2025 include:

  • XZ Utils Incident (March 2024): Detection of a deliberately introduced, highly sophisticated backdoor vulnerability (CVE-2024-3094) in a popular xz compression library (liblzma) used in many Linux distributions. This backdoor, had it not been detected early, could have enabled remote, unauthorized takeover of millions of systems worldwide, including servers and workstations. The incident highlighted the risks associated with reliance on often underfunded open-source projects and the potential for long-term infiltration by determined actors.

  • Justice AV Solutions (JAVS) (May 2024): Compromise of commercial video recording software widely used in courts, prosecutors’ offices and other legal institutions in the US. Attackers managed to modify the official installer of this software by adding malicious code (RustDoor malware), allowing them to gain full control over infected systems and potentially access extremely sensitive data.

  • Open-source libraries: Solana, Ultralytics, Rspack: There have been numerous cases of malicious code (e.g., stealing cryptocurrencies, credentials) being injected into popular open-source libraries and packages, such as those related to the Solana blockchain, the Ultralytics AI framework (where a vulnerability in the GitHub Actions mechanism was exploited to steal API tokens and modify code) or the Rspack build tool. Such attacks could affect millions of projects and applications that depend on these libraries.

  • npm package @solana/web3.js: Malicious functionality was injected into two versions of this extremely popular JavaScript API package for the Solana blockchain, which is downloaded hundreds of thousands of times a week and used in thousands of DeFi and Web3 projects.

  • PyPI malicious packages (BIPClip, aiocpa): The publication in the official Python Package Index (PyPI) repository of malicious packages that impersonated popular tools or offered seemingly useful functionality, but actually targeted cryptocurrency wallet users in an attempt to steal their recovery phrases (seed phrases) or implant infostealers (information-stealing malware) on their systems.

  • IPany (South Korea) VPN client: The supply chain of this popular South Korean VPN client was breached to distribute customized, hard-to-detect malware, possibly for espionage purposes.

Increasing leaks of developer secrets are also a significant, related problem. In 2024 alone, there was an alarming 12% increase in incidents of critical credentials, such as private keys to code repositories, API keys to cloud services, developer platform access tokens, SSH keys and GitHub tokens, being accidentally or intentionally exposed through publicly available open-source repositories (e.g., on GitHub, GitLab). Secrets stolen or found in this way are then used en masse by attackers to gain unauthorized access to production systems, corporate networks and cloud platforms, steal sensitive data (including entire application source code bases), implant malware and compromise entire software build and deployment (CI/CD) environments.
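Secrets of the kinds listed above can be caught before they reach a public repository, for instance in a pre-commit hook or CI step. The Python below is an added example, not nFlo’s tooling or any particular scanner’s rule set: it scans a constructed in-memory repository (paths and contents are made up; the AWS key is the placeholder value from AWS documentation, the GitHub token is a made-up string in the classic PAT format) for known token shapes, private key headers and high-entropy quoted assignments, and redacts what it reports so the finding itself does not leak the secret.

```python
import math
import re
from collections import Counter

# Constructed in-memory "repository": paths and contents are made up for this example.
# The AWS key is the placeholder from AWS documentation, the GitHub token is a made-up
# string in the classic PAT format, and the private key body is truncated nonsense.
SAMPLE_REPO = {
    "config/settings.py": (
        'DEBUG = False\n'
        'API_KEY = "changeme-changeme"  # low-entropy placeholder, should not be reported\n'
        'DB_PASSWORD = "x9#Qp2!vL7zT4mW8rB1n"\n'
    ),
    ".github/workflows/deploy.yml": (
        "env:\n"
        "  GH_TOKEN: ghp_A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q7r8\n"
    ),
    "scripts/backup.sh": (
        "#!/bin/sh\n"
        "export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "aws s3 sync /data s3://backups/\n"
    ),
    "deploy/id_rsa": (
        "-----BEGIN OPENSSH PRIVATE KEY-----\n"
        "b3BlbnNzaC1rZXktdjEAAAAABG5vbmU (truncated, constructed)\n"
        "-----END OPENSSH PRIVATE KEY-----\n"
    ),
}

# Format-anchored patterns catch well-known token shapes regardless of context; the
# generic pattern catches quoted values assigned to secret-looking names and relies on
# an entropy check to discard placeholders.
PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{12,})['\"]"),
}
ENTROPY_THRESHOLD = 3.2  # bits per character; 'changeme'-style values fall below this


def shannon_entropy(s):
    """Shannon entropy in bits per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value, keep=4):
    """Keep a short prefix so a finding can be matched to a key without reprinting it."""
    return value[:keep] + "*" * max(len(value) - keep, 0)


def scan_text(path, text):
    """Return one finding per (line, pattern) hit in a single file's content."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, rx in PATTERNS.items():
            m = rx.search(line)
            if not m:
                continue
            value = m.group(2) if kind == "generic_assignment" else m.group(0)
            if kind == "generic_assignment" and shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue  # placeholder such as "changeme-changeme"
            findings.append({"path": path, "line": lineno, "kind": kind,
                             "redacted": redact(value)})
    return findings


def scan_repo(files):
    """Scan a mapping of path -> content, as a pre-commit hook or CI step would see it."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


if __name__ == "__main__":
    for f in scan_repo(SAMPLE_REPO):
        print(f"{f['path']}:{f['line']} {f['kind']} {f['redacted']}")
```

Format-anchored rules give near-zero false positives but only for token formats you know; the entropy-gated generic rule is what catches the hard-coded database password, at the cost of needing a threshold tuned to your code base.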

Security risks in popular open-source software are significant and often underestimated. An analysis of 30 popular open-source packages from major repositories such as npm (for JavaScript), PyPI (for Python) and RubyGems (for Ruby), collectively generating hundreds of millions of downloads per year, revealed the presence of numerous critical CVE vulnerabilities that have been actively exploited by cybercriminals in various campaigns. On average, there were as many as 134.9 known vulnerabilities per PyPI package analyzed, and 43.3 vulnerabilities per npm package. Similar and sometimes even greater risks apply to commercial software. Analysis of more than 30 commonly used commercial binary files (closed source software) revealed ample evidence of unsafe design (e.g., use of obsolete libraries, hard-coded passwords), insufficient application hardening and, equally disturbing, exposed configuration data and developer secrets directly in the binary code.

What is the importance in cybercriminals’ tactics, techniques and procedures (TTPs) of constantly exploiting stolen credentials and system vulnerabilities?

The two main and consistently popular vectors for initial access to an organization’s systems and networks continue to be stolen or weak credentials and the exploitation of known or unknown (zero-day) system vulnerabilities. These two methods are the foundation of many successful cyber attacks and are key elements in the arsenal of tactics, techniques and procedures (TTPs) used by a wide spectrum of cyber criminals, from opportunistic hackers to sophisticated APT groups.

According to the latest Verizon DBIR 2025 report, stolen credentials were the direct cause of as many as 22% of all security breaches analyzed. Attackers often take advantage of the fact that many users repeatedly reuse the same, often weak passwords across different websites and corporate systems. Even if one of these accounts is compromised as a result of a data leak from a less secure service, criminals can then attempt to use the same credentials to gain access to much more valuable corporate resources (known as credential stuffing). Various forms of phishing, ranging from mass campaigns to highly targeted spear phishing, have consistently demonstrated an equally high success rate for obtaining login credentials. Compromised credentials allow attackers to “legitimately” log into systems, thus bypassing many intruder detection mechanisms.

Exploitation of system vulnerabilities was the second most common initial attack vector, accounting for 20% of all breaches analyzed in the Verizon DBIR 2025 report. Notably, there was a 34% increase in the use of vulnerabilities as an initial attack vector compared to the previous period. Of particular interest to cybercriminals are exploits (code that exploits vulnerabilities), including zero-day exploits targeting network edge devices (perimeter devices) such as firewalls, routers, VPN concentrators, and VPN systems themselves. The number of newly discovered vulnerabilities in perimeter devices and VPN software has increased as much as eightfold recently. Also of concern is that, according to the report, only 54% of these critical vulnerabilities are patched by organizations in a timely manner, and the median time it takes to successfully patch them (time to remediate) is as much as 32 days, giving attackers a wide window of opportunity. Cybercriminals actively scan the Internet for systems with unaddressed, known CVE (Common Vulnerabilities and Exposures) vulnerabilities, which are cataloged by CISA, among others. Examples of vulnerabilities heavily exploited by ransomware groups in the first quarter of 2025 include CVE-2025-0282 and CVE-2025-22457 (affecting popular Ivanti Connect Secure VPN devices), CVE-2025-23006 (in SonicWall SMA1000 devices), CVE-2024-41713 and CVE-2024-55550 (in Mitel MiCollab communication systems), and the critical vulnerability CVE-2024-0012 (in the Palo Alto Networks PAN-OS operating system).

How are human factors and various insider threats (Insider Threats) being used and influencing cybercriminals’ TTPs?

The human factor, which includes an organization’s employees as well as executives, contractors or business partners, invariably remains one of the weakest yet most frequently attacked links in IT security. The Verizon DBIR 2025 report emphatically indicates that human error (unintentional acts or omissions) or intentional, malicious actions by employees contributed to as much as 60% of all confirmed security breaches. This includes a wide range of behaviors, such as careless clicks on malicious links or attachments in phishing emails, susceptibility to sophisticated social engineering techniques (e.g., vishing, pretexting), accidentally sending sensitive data to unauthorized recipients, using weak passwords, or failing to follow internal security policies.

Insider Threats, i.e., those coming directly from inside the organization, can be either accidental (e.g., an employee error due to lack of knowledge, haste or carelessness) or intentional (e.g., the actions of a malicious employee motivated by a desire for revenge or financial gain, or acting on behalf of a competitor or foreign intelligence service). The third category is compromised insiders, i.e., employees whose legitimate accounts and credentials have been taken over by external attackers (e.g., as a result of phishing or malware), who then use those accounts to operate “from within.” Insider threats are particularly insidious and difficult to detect because they often bypass traditional external security measures (such as firewalls or IDS/IPS systems) thanks to the insider’s possession of legitimate, trusted access to the organization’s systems, applications and data.

However, research shows that investing in regular, engaging cybersecurity awareness training can be an effective countermeasure. Employees who had received hands-on training on recognizing phishing attempts in the past 30 days were as much as four times more likely to correctly identify and report such attempts to the security department. The rate of reporting phishing attempts was 21% in this group, compared to only 5% among employees who had not received training or had received training a long time ago. This shows that building a strong security culture and regularly raising employee awareness is a key element in reducing human factor risks.

How do the increasing specialization and complex economics of cybercrime affect the evolution and availability of advanced TTPs?

The cybercrime economy observed in recent years is rapidly evolving toward increasing specialization, professionalization and the creation of complex underground service ecosystems. The Ransomware-as-a-Service (RaaS) model, the booming Initial Access Broker (IAB) market, in which the number of public announcements by brokers offering access to compromised corporate networks has increased by 50% year-on-year, and the thriving trade in stolen credentials, payment card data or off-the-shelf exploits on closed forums and marketplaces on the darknet all point to the existence of a developed underground economy with clearly specialized roles and division of labor.

The RaaS model, as previously mentioned, significantly lowers the barrier to entry, allowing less technically skilled actors to launch sophisticated and highly profitable ransomware attacks. RaaS platform operators handle the development and maintenance of the malware itself and the infrastructure, while their “affiliates” focus on gaining access to victim networks and deploying the encryption payload. Access brokers (IABs) specialize exclusively in gaining initial, unauthorized intrusion into corporate networks (e.g., through phishing, exploitation of vulnerabilities, compromised RDP) and then resell this established access to other criminal groups, such as ransomware operators, spy groups or data exfiltration specialists, who focus on further monetizing this access. There is also an active market for stolen databases, credentials for online services, and even off-the-shelf toolkits for certain types of attacks (e.g., phishing kits, exploit kits).

This means that modern cybercrime is becoming increasingly “industrial,” with a clear division of labor, specialization of individual groups or units, and the creation of complex value chains. This structure significantly increases its overall efficiency, the scale of its operations, and its ability to adapt and avoid detection. It forces defenders to use multi-layered, defense-in-depth security strategies that address not only the final stage of an attack (e.g., ransomware detonation), but also all its earlier phases, such as credential compromise, purchase of access from IABs, internal reconnaissance or lateral movement. It is also becoming necessary to actively monitor the activity of access brokers, analyze trends in the black market, and invest in advanced threat intelligence platforms that help understand this complex ecosystem and anticipate new threat vectors.

Key Takeaways:

Impact of the cybercrime economy: A developed underground economy with specialized roles (RaaS, access brokers, data and tool trading) significantly increases the availability of advanced TTPs to a wider range of attackers, forcing organizations to employ multi-layered and proactive defense strategies.

Professionalization and specialization of TTPs: Cybercriminals are operating in an increasingly organized manner, using business models such as RaaS and specializing in particular stages of attack, which increases their efficiency and scale of operations.

Ransomware dominance and evolution: Driven by the RaaS model, ransomware attacks are using increasingly brutal extortion methods (double, triple extortion) and unconventional access vectors, and key groups (Akira, RansomHub, Cl0p) are constantly refining their TTPs.

Complex trends in ransomware payments: Despite some signs of declining willingness to pay ransoms, attackers are adapting strategies, leading to discrepancies in payment amount and frequency data; building resilience and recovery plans remain key.

Escalating supply chain attacks: Compromising elements of the software development and distribution ecosystem (open-source, AI/ML, commercial) and leaking developer secrets are becoming a more common and dangerous vector for advanced attacks.

The unchanging role of key access vectors: Stolen or weak credentials and the exploitation of known and unknown system vulnerabilities (especially in edge devices and VPNs) remain the main methods of gaining initial unauthorized access to an organization’s network.

Human Factors and Insider Threats as an Ongoing Challenge: Human error, vulnerability to social engineering, and various forms of insider threats (accidental, malicious, compromised) are an important component of TTPs, and regular cyber security training is key to minimizing these risks.
