[TIMESTAMP: 2026-03-16 16:30 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

2025 Ransomware TTP Analysis: Virtualization and Data Theft Trends

AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Global organizations face record-high extortion posts as threat actors pivot toward data theft and targeting smaller enterprises.
  • [02] Affected systems: Critical vulnerabilities in edge devices from Fortinet, Palo Alto, and SonicWall, alongside VMware ESXi virtualization infrastructure.
  • [03] Remediation: Prioritize patching edge-facing networking devices and implement multi-factor authentication for all remote access portals to disrupt initial access.

Analysis of Shifting Ransomware TTPs

According to Google Threat Intelligence, the ransomware landscape in 2025 is defined by a paradox: while overall profitability for threat actors appears to be declining, the volume of victims posted to data leak sites (DLS) has reached record highs. The trend is driven by the 2025 evolution of the Ransomware-as-a-Service business model, which has lowered the barrier to entry even as law enforcement disruptions hit prolific groups like LockBit.

Security professionals are observing a strategic pivot. As larger organizations improve their recovery capabilities, attackers are increasingly targeting smaller entities and shifting toward data-theft-only extortion. Mandiant investigations revealed that 77% of intrusions now involve suspected data theft, a sharp increase from 57% in 2024.

Initial Access and Edge Exploitation

In one-third of analyzed incidents, the initial access vector was the exploitation of a CVE. Threat actors continue to prioritize edge-facing infrastructure, particularly VPNs and firewalls. Common targets include CVE-2024-55591 and CVE-2024-21762 (Fortinet), CVE-2024-40766 (SonicWall), and CVE-2024-3400 (Palo Alto).

There is also a notable rise in zero-day exploitation. For instance, UNC6357 was observed attempting to exploit CVE-2025-53770 and CVE-2025-53771 in Microsoft SharePoint to deploy LOCKBIT.WARLOCK. Defenders should focus on detecting exploitation of Fortinet VPN vulnerabilities and similar edge exposures by auditing C2 traffic and unusual authentication patterns on administrative interfaces.

Mitigation Steps for Virtualization Infrastructure Ransomware

Perhaps the most significant technical shift is the maturing capability of threat actors to target virtualized environments. Approximately 43% of 2025 intrusions involved targeting virtualization infrastructure, primarily VMware ESXi. Attackers are moving beyond manual commands to automated scripts that can change root passwords, disable security policies, and execute payloads across multiple hypervisors simultaneously.

Key TTP observations in virtual environments include:

  • Exploitation of Hypervisor Vulnerabilities: Use of CVE-2024-37085 to gain Privilege Escalation on ESXi hosts.
  • Automated Deployment: Use of Python and Bash scripts to terminate virtual machines (VMs) and delete snapshots before encryption.
  • Persistence via SSH: Enabling SSH on ESXi hosts and using tunnelers like CHISEL or CLOUDFLARED to maintain access.

Mitigating ransomware against virtualization infrastructure requires strict network segmentation between hypervisor management interfaces and the broader network. The SOC should also monitor for the execInstalledOnly setting being disabled on ESXi hosts, a common precursor to executing custom ransomware binaries on the host.
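The TTPs listed above (SSH enablement, scripted VM power-off and snapshot removal) and the execInstalledOnly precursor can be hunted for in the ESXi shell history. The following is an added example, not code from the original article or from Google/Mandiant: a small Python triage that scans shell.log-style lines for those precursors and flags a single shell session that trips several distinct rules in sequence. The log format ("<timestamp> shell[<pid>]: [<user>]: <command>") is an assumption about ESXi's /var/log/shell.log; the sample lines, pids, timestamps and VM ids are constructed, while the esxcli and vim-cmd invocations are the documented ones.

```python
"""Triage ESXi shell history for ransomware precursors: execInstalledOnly switched
off, SSH enabled, and bulk VM power-off / snapshot removal from one session."""
import re

# Constructed sample shaped like /var/log/shell.log on ESXi. Assumption: each line is
# "<timestamp> shell[<pid>]: [<user>]: <command>". Timestamps, pids and VM ids are
# made up; the commands are the documented esxcli / vim-cmd forms.
SAMPLE_SHELL_LOG = """\
2025-06-02T03:11:02Z shell[2099638]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE
2025-06-02T03:11:05Z shell[2099638]: [root]: esxcli system settings advanced set -o /User/execInstalledOnly -i 0
2025-06-02T03:11:40Z shell[2099638]: [root]: vim-cmd hostsvc/enable_ssh
2025-06-02T03:12:01Z shell[2099638]: [root]: vim-cmd vmsvc/getallvms
2025-06-02T03:12:03Z shell[2099638]: [root]: vim-cmd vmsvc/power.off 12
2025-06-02T03:12:03Z shell[2099638]: [root]: vim-cmd vmsvc/power.off 13
2025-06-02T03:12:04Z shell[2099638]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-06-02T03:12:04Z shell[2099638]: [root]: vim-cmd vmsvc/snapshot.removeall 13
2025-06-02T08:00:00Z shell[2100001]: [admin]: esxcli system version get
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (rule name, command pattern, severity). Both esxcli forms that turn execInstalledOnly
# off are covered. A single VM power-off or snapshot removal is routine admin work, so
# those rules are low/medium on their own and only matter when they cluster.
RULES = [
    ("execInstalledOnly disabled",
     re.compile(r"execInstalledOnly\s+-v\s+FALSE|/User/execInstalledOnly\s+-i\s+0", re.I), "high"),
    ("SSH enabled", re.compile(r"hostsvc/enable_ssh"), "medium"),
    ("VM powered off", re.compile(r"vmsvc/power\.off\b"), "low"),
    ("snapshots removed", re.compile(r"vmsvc/snapshot\.remove"), "medium"),
]


def parse_shell_log(text):
    """Parse shell.log lines into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_precursors(text):
    """Return one finding per (line, rule) match, in log order."""
    findings = []
    for ev in parse_shell_log(text):
        for name, pattern, severity in RULES:
            if pattern.search(ev["cmd"]):
                findings.append({**ev, "rule": name, "severity": severity})
    return findings


def sessions_at_risk(findings, min_distinct_rules=3):
    """Group findings by shell session (pid). One session tripping several distinct
    rules in sequence looks like a scripted chain rather than an admin one-off."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f["pid"], set()).add(f["rule"])
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= min_distinct_rules)


if __name__ == "__main__":
    hits = find_precursors(SAMPLE_SHELL_LOG)
    for h in hits:
        print(f'{h["ts"]} pid={h["pid"]} [{h["severity"]}] {h["rule"]}: {h["cmd"]}')
    print("sessions at risk:", sessions_at_risk(hits))
```

Forward shell.log to a central collector before running anything like this, since an attacker with root on the host can clear the local copy; the session-level grouping is what separates a maintenance window from a scripted chain, so tune min_distinct_rules against your own admin activity.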

Post-Compromise and Data Exfiltration

Once Lateral Movement is achieved, often via RDP or SMB, threat actors focus on data exfiltration. The use of Rclone was observed in 28% of confirmed data theft incidents. Actors are also increasingly using legitimate cloud storage services, such as MEGA and Azure, to stage stolen data.

To hinder recovery, actors frequently perform Privilege Escalation to disable EDR solutions and delete volume shadow copies. While the use of Cobalt Strike BEACON is declining (appearing in only 2% of incidents), it is being replaced by alternative frameworks like AdaptixC2 and Mythic. Defenders should utilize SIEM rules to detect unauthorized registry modifications that disable Windows Defender, as this remains a primary anti-detection tactic for families like REDBIKE and Akira.
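The two detection opportunities in the last two paragraphs, Rclone transfers to cloud staging remotes and registry writes that disable Windows Defender, can be expressed as SIEM-style rules over Sysmon telemetry. The following is an added example and not code from the article or from any vendor: two Python rules run over Sysmon events exported as JSON lines, one for process-creation events (EID 1) and one for registry SetValue events (EID 13). The sample events, hostnames, users and paths are constructed; the Sysmon field names (Image, CommandLine, EventType, TargetObject, Details) and the Defender policy value names are real, while the CLOUD_HINTS list is only a heuristic because rclone remote names are chosen by whoever configured the tool.

```python
"""Two SIEM-style rules over Sysmon events exported as JSON lines:
  EID 1  (process create) - rclone copy/sync/move to a named remote (cloud staging)
  EID 13 (registry set)   - Defender policy 'Disable*' values written to a nonzero DWORD
"""
import json
import re

# Constructed sample events. Field names follow Sysmon's schema; hosts, users, paths
# and values are made up for this example.
SAMPLE_JSONL = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Computer": "FS01", "User": "CORP\\svc_backup",
     "Image": "C:\\ProgramData\\rc\\rclone.exe",
     "CommandLine": "rclone.exe copy D:\\Shares\\Finance mega:drop --transfers 32 -q"},
    {"EventID": 1, "Computer": "WS22", "User": "CORP\\alice",
     "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"EventID": 13, "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Computer": "FS01", "User": "NT AUTHORITY\\SYSTEM", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000001)"},
    # A policy refresh writing 0 re-enables protection and must not fire.
    {"EventID": 13, "Computer": "WS22", "User": "NT AUTHORITY\\SYSTEM", "EventType": "SetValue",
     "Image": "C:\\Windows\\System32\\svchost.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection\\DisableRealtimeMonitoring",
     "Details": "DWORD (0x00000000)"},
])

RCLONE_RE = re.compile(r"\brclone(?:\.exe)?\b.*?\b(?:copy|copyto|sync|move)\b", re.I)
# "<name>:<path>" arguments name an rclone remote; {2,} skips Windows drive letters like D:\
REMOTE_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_-]{2,}):")
# Remote names are user-chosen, so these only *hint* at a public cloud backend.
CLOUD_HINTS = {"mega", "azureblob", "azure", "s3", "b2", "gdrive", "drive", "dropbox", "onedrive"}

DEFENDER_PATH_RE = re.compile(r"\\Policies\\Microsoft\\Windows Defender\\", re.I)
DEFENDER_TAMPER_VALUES = {
    "DisableAntiSpyware", "DisableRealtimeMonitoring", "DisableBehaviorMonitoring",
    "DisableIOAVProtection", "DisableOnAccessProtection", "DisableScanOnRealtimeEnable",
}
DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def load_jsonl(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_rclone_exfil(ev):
    """EID 1: rclone transfer to a named remote; severity rises when the remote
    name hints at a public cloud backend."""
    if ev.get("EventID") != 1:
        return None
    cmd = ev.get("CommandLine", "")
    if not RCLONE_RE.search(cmd):
        return None
    remotes = REMOTE_RE.findall(cmd)
    if not remotes:
        return None
    hinted = [r for r in remotes if r.lower() in CLOUD_HINTS]
    return {"rule": "rclone transfer to remote", "severity": "high" if hinted else "medium",
            "host": ev.get("Computer"), "user": ev.get("User"), "remotes": remotes, "cmd": cmd}


def detect_defender_disable(ev):
    """EID 13: a Defender policy 'Disable*' value set to a nonzero DWORD."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    value_name = target.rsplit("\\", 1)[-1]
    if not DEFENDER_PATH_RE.search(target) or value_name not in DEFENDER_TAMPER_VALUES:
        return None
    m = DWORD_RE.search(ev.get("Details", ""))
    if not m or int(m.group(1), 16) == 0:  # 0 (or a non-DWORD write) is not a disable
        return None
    return {"rule": "Defender disabled via registry", "severity": "high",
            "host": ev.get("Computer"), "user": ev.get("User"),
            "value": value_name, "image": ev.get("Image"), "target": target}


def run_rules(events):
    """Apply every rule to every event; returns findings in event order."""
    rules = (detect_rclone_exfil, detect_defender_disable)
    return [f for ev in events for f in (r(ev) for r in rules) if f]


if __name__ == "__main__":
    for finding in run_rules(load_jsonl(SAMPLE_JSONL)):
        print(finding)
```

Group Policy legitimately writes these same values through svchost.exe, so the registry rule is best correlated with your GPO change records rather than suppressed by image allow-listing; the rclone rule catches the renamed binary only if the command-line verbs survive, so pair it with a file-hash or PE-metadata check in the SIEM.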
