Ransomware Evolves: Stealthier Attacks Drive Higher Costs and Prolonged Downtime
A new report highlights a shift in ransomware tactics, with threat actors moving away from high-volume, opportunistic attacks to slower, more targeted campaigns designed to evade detection and maximize financial gain. While the frequency of ransomware incidents has declined, dropping from eight to five or six per organization annually, the average ransom payment has surged from $2.5 million to $3.6 million over the past year.
Attackers now spend an average of nearly two weeks inside a network before launching an attack, with nearly a third of organizations only discovering breaches after data exfiltration has begun. This delay in detection contributes to prolonged downtime, averaging 37 hours per incident, as organizations take over two weeks to respond and contain threats.
Critical infrastructure and government sectors remain prime targets, with RansomHub (26.8%), LockBit (26.5%), Darkside (25.7%), APT41 (24%), and Black Basta (23.4%) among the most active groups. In government environments, LockBit, Darkside, and Black Basta each accounted for 33.3% of detected threats, while RansomHub was linked to 25.6% of incidents.
Despite advancements in security, phishing and social engineering (33.65%) remain the most common attack vectors, followed by software vulnerabilities (19.43%), supply chain compromises (13.4%), and stolen credentials (12.2%). Expanding attack surfaces, particularly public cloud (53.8%), third-party services (43.7%), and Generative AI applications (41.87%), are amplifying risks.
Visibility gaps continue to hinder response efforts, with 41% of organizations citing limited network visibility as a key challenge. Other barriers include alert overload (34%), poorly integrated security tools (34%), and manual SOC workflows (34%), with critical sectors like telecoms, finance, and education facing the greatest difficulties.
The findings underscore how attackers exploit blind spots to move laterally, escalate privileges, and exfiltrate data before detection. Without comprehensive network monitoring and contextual threat analysis, organizations remain vulnerable to prolonged breaches and costly disruptions.
Black & Veatch cybersecurity rating report: https://www.rankiteo.com/company/black-and-veatch
{
  "id": "BLA1768390795",
  "linkid": "black-and-veatch",
  "type": "Ransomware",
  "date": "10/2025",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'type': ['critical infrastructure',
                                 'government',
                                 'telecoms',
                                 'finance',
                                 'education']}],
 'attack_vector': ['phishing and social engineering',
                   'software vulnerabilities',
                   'third-party or supply chain compromise',
                   'compromised credentials'],
 'data_breach': {'data_exfiltration': 'Nearly a third of organisations only '
                                      'became aware after data exfiltration '
                                      'had begun'},
 'description': 'Shift from quick-hit ransomware attacks to stealthy, '
                'persistent threats that are harder to detect and costlier to '
                'contain. Threat actors are exploiting expanding attack '
                'surfaces and using targeted tactics for greater impact, '
                'spending more time inside networks to inflict damage and '
                'secure higher payouts.',
 'impact': {'data_compromised': 'Data exfiltration occurred in nearly a third '
                                'of incidents before detection',
            'downtime': 'Average downtime of more than 37 hours following an '
                        'incident',
            'financial_loss': 'Average ransomware payment surged from US$2.5 '
                              'million to US$3.6 million',
            'operational_impact': 'Delays in response enable attackers to '
                                  'maximize damage'},
 'initial_access_broker': {'reconnaissance_period': 'Threat actors had access '
                                                    'to networks for nearly '
                                                    'two weeks on average '
                                                    'before launching an '
                                                    'attack'},
 'lessons_learned': 'Threat actors are exploiting new entry points to bypass '
                    'traditional defences and remain hidden inside networks. '
                    'Visibility and contextualization of network traffic are '
                    'critical to detect lateral movement and data '
                    'exfiltration.',
 'motivation': ['financial gain'],
 'post_incident_analysis': {'corrective_actions': ['Improve visibility',
                                                   'Integrate tools',
                                                   'Automate SOC workflows',
                                                   'Enhance monitoring'],
                            'root_causes': ['Limited visibility across the '
                                            'environment (41%)',
                                            'Overwhelming alert volume (34%)',
                                            'Disparate and poorly integrated '
                                            'tools (34%)',
                                            'Manual SOC workflows (34%)']},
 'ransomware': {'data_exfiltration': 'Nearly a third of organisations only '
                                     'became aware after data exfiltration had '
                                     'begun',
                'ransom_paid': 'Average ransomware payment surged from US$2.5 '
                               'million to US$3.6 million',
                'ransomware_strain': ['RansomHub',
                                      'LockBit',
                                      'Darkside',
                                      'Black Basta']},
 'recommendations': 'Enterprises should improve visibility across '
                    'environments, integrate tools, automate SOC workflows, '
                    'and enhance monitoring to detect threats early.',
 'references': [{'source': 'ExtraHop Report'},
                {'source': 'Raja Mukerji, Co-founder and Chief Scientist, '
                           'ExtraHop'}],
 'threat_actor': ['RansomHub', 'LockBit', 'Darkside', 'APT41', 'Black Basta'],
 'type': ['ransomware', 'data exfiltration'],
 'vulnerability_exploited': ['public cloud',
                             'third-party services and integrations',
                             'Generative AI applications']}