Shane

Comprehensive Cybersecurity Analysis from the First Half of 2025

Detailed analysis of first-half 2025 global cybersecurity threats and attack patterns – comprehensive study reveals the US accounts for 54.5% of global ransomware attacks

TL;DR: The first half of 2025 revealed critical gaps between security testing and real-world attacks, with over 4,071 ransomware breaches across 109 countries despite a 35% drop in payments. CLOP leads ransomware groups with 411 breaches, while the US accounts for 54.5% of all attacks. Manufacturing and services sectors face the highest risk, with businesses of all sizes targeted.

The cybersecurity environment in early 2025 has exposed a troubling reality – there’s a significant disconnect between how organizations test their security defenses and how real attackers actually operate. Based on Ontinue’s comprehensive 1H 2025 Threat Intelligence Report, this gap is allowing cybercriminals to maintain prolonged access to business systems while security teams remain unaware of their presence.

The Challenge of Ransomware Payments in 2025

The ransomware payment situation in 2025 presents a complex challenge for organizations. Despite a 35% drop in reported ransom payments in 2024 from $1.25B to $813M, this trend appears linked to stronger resistance to payment and law enforcement actions, rather than a reduction in attacks.

  • 4,071 claimed ransomware breaches occurred across 109 countries in the first half of 2025
  • Most ransomware incidents now combine large-scale data theft with encryption of critical systems
  • Paying for a decryption key provides at least a measurable outcome, even if the tool underperforms
  • Paying for a promise to delete stolen data is an unverifiable assurance with no guarantee of compliance

The decision of whether to pay a ransom demand has grown more complex as attackers continue their operations regardless of payment trends, demonstrating that reduced payments don’t translate to reduced risk.

Top Ransomware Groups Dominate the Threat Environment

The ransomware criminal ecosystem shows clear leaders in terms of activity levels, with the most active groups demonstrating the effectiveness of the affiliate model in scaling criminal operations.

  • CLOP dominates with 10.1% of all breaches, claiming 411 successful attacks
  • AKIRA follows with 9.4% (382 breaches), and QILIN with 8.4% (344 breaches)
  • RANSOMHUB accounts for 5.8% (236 breaches), PLAY with 5.3% (214 breaches)
  • SAFEPLAY represents 4.7% (191 breaches), with LYNX at 4.5% (183 breaches)
  • BABUK 2.0, INC RANSOM, MEDUSA, FOG, and DRAGONFORCE complete the top twelve
  • The top seven groups averaged more than one attack per day
  • CLOP and AKIRA claim more than two victims per day each

This concentration of activity among leading groups demonstrates the “force multiplier” effect of the affiliate model used by ransomware organizations to recruit new criminals into their operations.


(Top 12 Ransomware Groups by Breaches Claimed – Source: Ontinue’s 1H 2025 Threat Intelligence Report)

Geographic Distribution Shows US as Primary Target

The geographic distribution of ransomware attacks reveals a clear concentration in developed economies, with the United States bearing a disproportionate burden of global ransomware activity.

  • United States accounts for 54.5% of all incidents with 1,925 organizations attacked
  • Canada follows distantly with 6% (213 attacks)
  • Germany represents 4% (142 attacks)
  • United Kingdom faced 3.7% of attacks (129 organizations)
  • Italy accounts for 2.4% (86 attacks) and Spain for 2% (70 attacks)
  • France, Brazil, Australia, India, Taiwan, and Singapore complete the top twelve
  • Russia notably doesn’t appear in the top twelve targeted countries
  • Many multinational organizations list their headquarters as the US, potentially skewing figures

The absence of Russia from the target list likely reflects many ransomware groups’ policy of avoiding Russian businesses to reduce their risk of prosecution by local authorities.


(Top 12 Countries by Organizations Attacked – Source: Ontinue’s 1H 2025 Threat Intelligence Report)


Sector Analysis Reveals Universal Vulnerability

No industry sector proves immune to ransomware attacks, but certain sectors face disproportionate targeting based on their perceived value and vulnerability to operational disruption.

  • Manufacturing leads with 12.9% of all attacks (451 organizations)
  • Services sector accounts for 16.2% of attacks (567 organizations)
  • IT/Communications represents 10.8% of attacks (378 organizations)
  • Retail/Wholesale accounts for 9.6% (335 attacks)
  • Finance/Investment faces 9.5% of attacks (333 organizations)
  • Construction sector represents 8.2% (288 attacks)
  • Health/Pharma accounts for 7.8% (271 attacks)
  • Transport captures 9.1% (317 attacks)
  • Government/Society entities faced 5.8% of attacks (202 organizations)
  • Education, Power/Fuel, and Primary Industry complete the sector breakdown

This broad distribution across economic sectors demonstrates that ransomware groups target organizations across the entire economic spectrum, with no industry providing inherent protection from attack.


(Organizations Attacked by Sector – Source: Ontinue’s 1H 2025 Threat Intelligence Report)

Business Size Provides No Protection

The analysis of victims by employee count reveals that ransomware groups target organizations regardless of size, debunking the myth that small businesses can fly under the radar or that large enterprises are too well-defended.

  • Small companies (up to 50 employees) experienced 1,112 attacks
  • Medium businesses (51-200 employees) faced 1,012 incidents
  • Mid-size organizations (201-1,000 employees) encountered 745 attacks
  • Large enterprises (over 1,000 employees) still faced 397 ransomware incidents
  • This distribution represents more than 2 million employees whose personal data may have been compromised
  • Small companies often serve as entry points for new gangs attempting to establish their operations
  • Large enterprises face more sophisticated, targeted attacks with higher potential payouts

The broad targeting across business sizes indicates that no organization can rely on being too small to notice or too large to successfully attack.


(Victims by Number of Employees – Source: Ontinue’s 1H 2025 Threat Intelligence Report)

USB Malware and Basic Exposure Risks Persist

While cybersecurity discussions often focus on sophisticated threats, traditional attack vectors like USB-delivered malware continue to pose significant risks to organizations that fail to implement basic security controls.

  • USB-delivered malware increased 27% compared to the second half of 2024
  • Over half of USB-based threats have potential to cause major disruption to enterprise environments
  • Malware can bypass network-level defenses through direct endpoint introduction
  • Many organizations continue allowing removable media use without strong restrictions
  • Device control capabilities and advanced endpoint protection remain underutilized
  • A single USB connection can initiate infection chains with consequences disproportionate to the action’s simplicity
  • Recent cases show personal USB drives triggering malware infections requiring rapid containment

These findings emphasize that organizations focusing exclusively on advanced threats risk leaving themselves exposed to straightforward attacks that exploit predictable behaviors and overlooked security fundamentals.

(Source: Ontinue’s 1H 2025 Threat Intelligence Report)

Third-Party Risk Doubles as Attack Vector

Vendor-related security incidents have emerged as one of the fastest-growing attack vectors, with organizations increasingly vulnerable through their external partnerships and service relationships.

  • Third-party vendor breaches doubled year-over-year, now representing approximately 30% of all incidents
  • Scattered Spider impersonated M&S employees to social-engineer Tata Consultancy Services helpdesk staff
  • Adidas disclosed customer data exposure through external customer service provider compromise
  • Weak security in external partners facilitates attacks on major organizations across sectors
  • Third-party vendors often serve as initial access vectors or fail to adequately safeguard handled data
  • Organizations face challenges monitoring third-party activities compared to internal network security

The doubling of third-party incidents underscores the critical need for organizations to establish comprehensive vendor risk management frameworks that go beyond contractual compliance to include active security monitoring and incident response coordination.


Advanced Phishing Platforms Mature

Phishing-as-a-Service platforms like Tycoon 2FA have transformed credential theft into an industrialized operation. This platform was responsible for approximately 65% of phishing-as-a-service based credential attacks in the first half of 2025, specifically targeting Microsoft 365 and Gmail users. Weaponized SVG files saw a 40% surge since the beginning of 2025, as attackers discovered that email security tools historically didn’t inspect SVG internals since they were often whitelisted as harmless image formats.
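The inspection gap described above closes once SVG attachments are treated as XML documents rather than images. The following is an added example (not code from the post, Ontinue or CinchOps) of a minimal SVG content inspector that flags script elements, event-handler attributes and script-bearing or external hrefs; the sample attachments are constructed for the example, and the lure's payload is a plain alert.

```python
import xml.etree.ElementTree as ET

# Elements that turn an "image" into active content when an SVG is rendered by a
# browser or mail client (list constructed for this example, not exhaustive).
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}
# href schemes that execute code or smuggle an HTML document instead of linking to one
SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:text/html")

def _local(name: str) -> str:
    """Strip the XML namespace from a tag or attribute name: '{ns}script' -> 'script'."""
    return name.rsplit("}", 1)[-1]

def inspect_svg(data: bytes) -> list[str]:
    """Return findings for active content in an SVG; empty means nothing flagged, not safe."""
    findings: list[str] = []
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [f"malformed XML: {exc}"]  # not well-formed: never trust it as an image
    if _local(root.tag).lower() != "svg":
        findings.append(f"root element is <{_local(root.tag)}>, not <svg>")
    for elem in root.iter():
        tag = _local(elem.tag).lower()
        if tag in ACTIVE_ELEMENTS:
            findings.append(f"active element <{tag}>")
        for attr, value in elem.attrib.items():
            name = _local(attr).lower()
            target = value.strip().lower()
            if name.startswith("on"):
                findings.append(f"event handler {name}= on <{tag}>")
            elif name == "href" and target.startswith(SCRIPT_SCHEMES):
                findings.append(f"script-bearing href on <{tag}>: {target[:40]}")
            elif name == "href" and target.startswith(("http://", "https://")):
                findings.append(f"external navigation from <{tag}> to {value}")
    return findings

# Constructed samples: a harmless logo, and an attachment shaped like the lure the post
# describes (script, event handler, script href); the payload is a plain alert.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
<circle cx="5" cy="5" r="4" fill="blue"/></svg>"""
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink" onload="alert(1)">
<script>alert(1)</script>
<a xlink:href="javascript:alert(1)"><text y="10">Open document</text></a></svg>"""

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, inspect_svg(blob) or ["no findings"])
```

A mail gateway would run this kind of check on every `image/svg+xml` part and quarantine anything with findings, instead of passing the attachment through on its MIME type alone.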


How CinchOps Can Help

As a managed services provider specializing in cybersecurity for Houston businesses, CinchOps understands the complex threat environment revealed by this intelligence analysis and addresses the critical gaps between security testing and real-world attack scenarios.

  • Advanced email security solutions that detect weaponized SVG files and sophisticated phishing attempts beyond traditional filters
  • Cloud security monitoring that tracks refresh token abuse and detects abnormal authentication patterns in Microsoft 365 and Azure environments
  • Endpoint protection that monitors for USB-based malware and unauthorized device connections with real-time behavioral analysis
  • Network security solutions including SD-WAN implementations that provide secure connectivity while monitoring for persistence tactics
  • Third-party risk assessment services to evaluate vendor security postures and establish monitoring protocols
  • 24/7 security operations center services that detect advanced persistence methods that red team exercises typically miss
  • Industry-specific security solutions tailored to manufacturing, services, healthcare, and other high-risk sectors
  • Scalable protection for businesses of all sizes, from small companies to large enterprises

CinchOps bridges the critical gap between security testing results and real-world attack scenarios, providing Houston businesses with comprehensive protection based on actual threat intelligence rather than theoretical scenarios, regardless of company size, sector, or geographic location.


Discover More

Discover more about our enterprise-grade and business protecting cybersecurity services: CinchOps Cybersecurity
Discover related topics: The 2025 Midyear Cyber Risk Report: Houston Businesses Face Evolving Ransomware Threats
To Download the Accounting Scorecard PDF: Threat actors turning to MFA bypass, USB malware and supply chain attacks
