Inside 2025’s Top Threat Groups: Why Familiar Actors Still Have the Upper Hand
Summary: The article argues that attackers are evolving faster than defenders can keep up. Ransomware groups such as LockBit, DarkSide and Black Basta attack frequently through phishing and vulnerability exploitation, while defenders respond slowly because of legacy tools and poor visibility. The average ransom payout has reached $3.6 million and attackers are using AI to extend their capabilities. Organizations need stronger threat intelligence and proactive defense. 2026-01-05 10:10:17 Author: securityboulevard.com (view original)

As cyberattackers evolve at a pace defenders can’t match, new research uncovers the threat groups behind today’s most destructive incidents and the organizational weaknesses keeping security teams a step behind. 

Over the past year, we’ve seen tremendous growth in ransomware and extortion activity from some of the world’s most active groups, including RansomHub, LockBit, DarkSide and Black Basta, alongside the China-nexus espionage group APT41, whose phishing tradecraft overlaps with theirs even though ransomware is not its primary business.

For the most part, these groups still rely on well-worn tactics to gain access. Phishing remains the most common entry point, followed by social engineering, exploitation of unpatched software, and stolen credentials. Even though these techniques look familiar year after year, organizations still find themselves reacting from a position of disadvantage, constantly starting on the back foot.

Why Defenders are Still Falling Behind 

If 2025 made one thing clear, it’s that defenders are falling behind because of complexity. Many organizations still rely on legacy tools, which leave blind spots that attackers exploit. Limited visibility was the top barrier security teams reported, ahead of skills gaps, alert fatigue, and siloed tools. The biggest exposures were in everyday operational blind spots: public cloud footprint, third-party integrations, and generative AI applications were the areas where teams reported the least visibility.

That lack of visibility directly affects response time. On average, organizations took two weeks to respond to and contain a security alert, which is roughly the same period, if not longer, that attackers dwelled inside networks before being detected. In government networks the window reached a staggering seven weeks on average, giving attackers ample time to move laterally between systems and exfiltrate data.

The financial consequences are growing just as rapidly: the average ransom payout reached $3.6 million, up from $2.5 million in 2024. The upward trend shows that attackers continue to earn a high return on investment by selecting victims that can pay and hitting them where the operational impact is greatest.

Their success is largely because these groups increasingly operate like sophisticated businesses. Support from affiliate networks is making them more powerful, while many groups deploy AI to help scale operations, create more convincing phishing lures, and evade detection. 

A Deep Dive into 2025’s Most Notorious Threat Groups 

LockBit, DarkSide and Black Basta were among several high-profile groups that focused heavily on government agencies. That sector suffered some of the most severe impacts, with ransom payouts averaging close to $7.5 million, making it one of the hardest-hit verticals.

RansomHub and DarkSide also kept a wider focus across industries. Their attacks increasingly paired ransomware with data extortion, exfiltrating sensitive files before encryption so that the threat of publication adds leverage even when victims can restore from backups.

The emergence of LockBit 5.0 in September was a key example of the group’s growing sophistication. The operators rebuilt quickly after major global takedown actions and broadened their targeting, including by advancing their Linux encryptors. Given its persistence and adaptability, LockBit remains one of the most dangerous ransomware-as-a-service (RaaS) operations globally.

APT41 was tied to a phishing campaign earlier this year that impersonated U.S. Representative John Moolenaar and targeted trade groups, government agencies, and law firms. The campaign shows that phishing remains an effective and dangerous method, and it is especially concerning when the end goal is harvesting the credentials of political leaders and those who work with them.

Finally, Black Basta was linked to hundreds of attacks, including the 2024 attack on Ascension that affected more than 5 million patients. That headline-making incident shows the group’s willingness to disrupt services across critical infrastructure and the public sector for financial gain.

Security Teams can Regain the Advantage 

Relying on reactive measures is no longer sufficient. Organizations will keep falling behind unless they have the right visibility, proactive threat hunting, and detection and response capabilities.

Tracking today’s top threat actors and how they operate is key. The better your threat intelligence, the better you can focus on the vulnerabilities those actors actually exploit and plan ahead of them. Security leaders should prioritize three areas to remain agile.

  • Understand your attack surface: Reduce complexity by consolidating redundant or siloed tools, keeping an accurate inventory of where your assets are, and patching or retiring vulnerable legacy infrastructure. 
  • Improve your visibility: Listen to your network traffic. Many modern attacks bypass the perimeter and then move laterally inside large enterprise networks, so monitoring east-west traffic helps SOCs spot malicious activity before it becomes a bigger problem. 
  • Stay ahead of evolving threats: Threat groups are adopting tools such as generative AI, leaning into full operational disruption, and hitting both public and private infrastructure. Understand their tactics and prepare to defend against them. 
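The "listen to your network traffic" advice above is easiest to act on with a concrete detector. The following is an added example, not code from the Security Boulevard article or from any vendor product: it reads constructed east-west flow records (timestamp, source, destination, destination port; a format assumed for illustration) and flags any internal host that reaches an unusual number of distinct internal hosts over administrative protocols (SSH, SMB, RDP, WinRM) within a short window, which is the fan-out pattern that lateral movement produces. The port set, the RFC 1918 ranges, the five-minute window and the threshold of five hosts are assumptions to be tuned against your own baseline.

```python
"""Flag lateral-movement fan-out in east-west flow records.

Added example for illustration; the log format, hosts, ports, window and
threshold below are assumptions, not the article's or any product's logic.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Administrative protocols that lateral movement typically rides on (assumed scope).
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}  # SSH, SMB, RDP, WinRM http/https

# RFC 1918 ranges stand in for "internal"; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flows: "<ISO timestamp> <src> <dst> <dport>" (not real telemetry).
SAMPLE_FLOWS = """\
2025-10-02T09:00:01 10.10.5.21 10.10.5.22 445
2025-10-02T09:00:05 10.10.5.21 10.10.5.23 445
2025-10-02T09:00:09 10.10.5.21 10.10.5.24 3389
2025-10-02T09:00:12 10.10.5.21 10.10.5.25 445
2025-10-02T09:00:14 10.10.5.21 10.10.5.26 5985
2025-10-02T09:00:18 10.10.5.21 10.10.5.27 445
2025-10-02T09:01:00 10.10.7.40 10.10.7.41 445
2025-10-02T09:30:00 10.10.7.40 10.10.7.42 445
2025-10-02T09:02:00 10.10.5.30 8.8.8.8 443
2025-10-02T09:02:10 10.10.5.30 10.10.5.31 443
"""


def is_internal(addr: str) -> bool:
    """True when the address falls inside one of the internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list:
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def detect_fanout(flows: list, window_seconds: int = 300, threshold: int = 5) -> list:
    """Return one alert per source that reached >= threshold distinct internal
    hosts on admin ports inside any sliding window of window_seconds."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        # Only internal-to-internal admin-protocol sessions count as east-west movement.
        if dport in ADMIN_PORTS and is_internal(src) and is_internal(dst) and src != dst:
            by_src[src].append((ts, dst))

    alerts = []
    for src, events in by_src.items():
        events.sort()                      # records may arrive out of order
        recent = deque()                   # events inside the current window
        peak, peak_span = 0, None
        for ts, dst in events:
            recent.append((ts, dst))
            while recent and ts - recent[0][0] > window:
                recent.popleft()           # drop events that aged out of the window
            distinct = len({d for _, d in recent})
            if distinct > peak:
                peak, peak_span = distinct, (recent[0][0], ts)
        if peak >= threshold:
            alerts.append({
                "src": src,
                "distinct_hosts": peak,
                "window_start": peak_span[0].isoformat(),
                "window_end": peak_span[1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_fanout(parse_flows(SAMPLE_FLOWS)):
        print(f"LATERAL-MOVEMENT FAN-OUT from {alert['src']}: "
              f"{alert['distinct_hosts']} hosts between "
              f"{alert['window_start']} and {alert['window_end']}")
```

On the sample, only 10.10.5.21 trips the detector (six distinct internal hosts over SMB, RDP and WinRM inside 17 seconds); 10.10.7.40 touches two hosts half an hour apart and 10.10.5.30 only uses port 443, so neither is flagged. In production the same logic runs over flow or Zeek conn logs, and the threshold should be derived from each host's historical fan-out rather than a fixed number, since jump hosts and vulnerability scanners legitimately exceed it.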

A Constantly Shifting Battlefield 

2025 has shown how dynamic today’s threat landscape is, especially as AI-assisted attacks continue to escalate. Successful defense in the coming years depends on visibility, speed, and getting the basics right.

As threat groups grow more sophisticated, organizations with a proactive strategy and the tools to back it will gain the upper hand. Those that stay agile as the landscape shifts will lead in cyber resilience.


Source: https://securityboulevard.com/2026/01/inside-2025s-top-threat-groups-why-familiar-actors-still-have-the-upper-hand/