ExtraHop®, a network detection and response (NDR) specialist, has released the 2025 ExtraHop Global Threat Landscape Report, which offers a comprehensive analysis of the ever-shifting cybersecurity landscape. The report examines the ever-expanding attack surface, detailing the evolving tactics threat actors are leveraging to exploit organisations and carry out lucrative attacks.
According to the findings, threat actors are shifting away from broad, indiscriminate attacks to a more targeted approach that yields more impactful results. As IT environments grow increasingly complex and attack surfaces expand, threat actors are able to capitalise on blind spots, spending more time inside an organisation to cause greater damage and achieve higher payouts.
Ransomware payouts skyrocket as attackers evolve their tactics
While the frequency of ransomware attacks has dropped from 8 incidents per organisation to 5-6 incidents in the last year, the average ransomware payment has surged by more than a million dollars, from $2.5M to $3.6M.
The offset between frequency and cost comes as attackers have evolved to move undetected within an organisation’s environment. According to the data, threat actors had access to networks for nearly two weeks on average before launching an attack. In fact, nearly a third of organisations only noticed they were being targeted by a ransomware attack after data exfiltration had already begun.
Delays in response can translate to more downtime
Organisations take more than two weeks to respond to and contain a security alert. This delay in response can give attackers time to maximise damage, with the research showing organisations experience an average downtime of more than 37 hours after an incident occurs.
Threat actors targeting critical infrastructure and government are among the most active
RansomHub (26.8 per cent), LockBit (26.5 per cent), Darkside (25.7 per cent), APT41 (24 per cent), and Black Basta (23.4 per cent) were the threat actors most detected in organisations’ environments last year. Similarly, LockBit (33.3 per cent), Darkside (33.3 per cent), Black Basta (33.3 per cent), and RansomHub (25.6 per cent) were among the groups most active in the government space.
Old tactics are still a favorite for compromising today’s digital landscapes
As attack surfaces expand, organisations say the public cloud (53.8 per cent), third-party services and integrations (43.7 per cent), and generative AI applications (41.87 per cent) pose the most significant cybersecurity risks to their organisation. The tactics threat actors use to gain network access vary, with the traditional method of phishing and social engineering (33.65 per cent) taking the top spot, followed by software vulnerabilities (19.43 per cent), third-party/supply chain compromise (13.4 per cent), and compromised credentials (12.2 per cent).
Limited visibility undermines security efforts
The top challenges hindering a timely response to security threats include limited visibility into the entire environment (41 per cent), overwhelming alert volume (34 per cent), disparate and poorly integrated tools (34 per cent), and inefficient or manual SOC workflows (34 per cent). Visibility was a top challenge in critical industries such as telecom, finance, and education.
“This research validates what we’ve been seeing firsthand: motivated attackers are exploiting new entry points to bypass traditional defences and remain hidden inside a network until the time is right to strike,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop. “The reality is, threats will always find a way in, and organisations must be able to detect threats as they move laterally between systems to escalate privileges and exfiltrate data. Enterprises that lack the ability to not only see, but also contextualise, every bit of network traffic will continue being targeted and plagued by costly downtime and ransom payments.”







