Data reveals a shift from quick-hit attacks to stealthy, persistent threats that are harder to detect
ExtraHop®, a leader in modern network detection and response (NDR), today released the 2025 ExtraHop Global Threat Landscape Report, which offers a comprehensive analysis of the ever-shifting cybersecurity landscape. The report examines the ever-expanding attack surface, detailing the evolving tactics threat actors are leveraging to exploit organizations and carry out lucrative attacks.
According to the findings, threat actors are shifting away from broad, indiscriminate attacks to a more targeted approach that yields more impactful results. As IT environments grow increasingly complex and attack surfaces expand, threat actors are able to capitalize on blind spots, spending more time inside an organization to cause greater damage and achieve higher payouts.
Ransomware payouts skyrocket as attackers evolve their tactics
While the frequency of ransomware attacks has dropped from 8 incidents per organization to 5-6 incidents in the last year, the average ransomware payment has surged by more than a million dollars, from $2.5M to $3.6M.
The offset between frequency and cost comes as attackers have evolved to move undetected within an organization’s environment. According to the data, threat actors had access to networks for nearly two weeks on average before launching an attack. In fact, nearly a third of organizations only noticed they were being targeted by a ransomware attack after data exfiltration had already begun.
Delays in response can translate to more downtime
Organizations take more than two weeks to respond to and contain a security alert. This delay in response can give attackers time to maximize damage, with the research showing organizations experience an average downtime of more than 37 hours after an incident occurs.
Threat actors targeting critical infrastructure and government are among the most active
RansomHub (26.8%), LockBit (26.5%), Darkside (25.7%), APT41 (24%), and Black Basta (23.4%) were the threat actors most detected in organizations’ environments last year. Similarly, LockBit (33.3%), Darkside (33.3%), Black Basta (33.3%), and RansomHub (25.6%) were among the groups most active in the government space.
Old tactics are still a favorite for compromising today’s digital landscapes
As attack surfaces expand, organizations say the public cloud (53.8%), third-party services and integrations (43.7%), and generative AI applications (41.87%) pose the most significant cybersecurity risks to their organization. The tactics threat actors use to gain network access vary, with the traditional method of phishing and social engineering (33.65%) taking the top spot, followed by software vulnerabilities (19.43%), third-party/supply chain compromise (13.4%), and compromised credentials (12.2%).
Limited visibility undermines security efforts
The top challenges hindering a timely response to security threats include limited visibility into the entire environment (41%), overwhelming alert volume (34%), disparate and poorly integrated tools (34%), and inefficient or manual SOC workflows (34%). Visibility was a top challenge in critical industries such as telecom, finance, and education.
“This research validates what we’ve been seeing firsthand: motivated attackers are exploiting new entry points to bypass traditional defenses and remain hidden inside a network until the time is right to strike,” said Raja Mukerji, Co-founder and Chief Scientist, ExtraHop. “The reality is, threats will always find a way in, and organizations must be able to detect threats as they move laterally between systems to escalate privileges and exfiltrate data. Enterprises that lack the ability to not only see, but also contextualize, every bit of network traffic will continue being targeted and plagued by costly downtime and ransom payments.”
Download the 2025 ExtraHop Global Threat Landscape Report.
*This survey was conducted by Censuswide.*