How Cybersecurity Teams Can Stay Ahead in 2025 and Beyond


This year is shaping up to be a turning point in defense tactics. 

We’ve already seen major disruptions across the ransomware ecosystem. Groups like LockBit and RansomHub have gone dark or been disrupted, prompting a flurry of speculation. But if defenders are hoping this signals a downturn in attacks, they’ll be disappointed. Newly emergent groups like DragonForce or ShinyHunters are taking their places, so while the names have changed, the extortion harms remain the same.

The reality is that while ransomware culprits shift, the underlying tactics are stabilizing and getting stealthier. Attackers are evolving faster than many defenders can respond, and they’re doing it by exploiting persistent vulnerabilities and overlooked infrastructure.

4 Cybersecurity Tactics to Prevent Ransomware Attacks

  1. Don’t just map endpoints, map persistence mechanisms.
  2. Layer threat intel into your vulnerability prioritization.
  3. Simulate the slow burn.
  4. Practice recovery.

This year, two major research efforts have helped shed light on how ransomware is evolving and what defenders can do to stay ahead:

These initiatives (among others) show that even as awareness grows, gaps in protection remain. We have to track the tactics and techniques of miscreants and turn them into education for security teams. We also need to get predictive and understand what the threat landscape of tomorrow will look like.
 

Cybersecurity Lessons From the Black Basta Chat Logs

Black Basta’s rise in 2022 marked a new phase in ransomware-as-a-service operations. But it wasn’t until 200,000 of their internal chat logs were leaked that the community got an unfiltered look at how one of these groups actually functions.

Analyzing the chats revealed the inner workings of a well-organized, role-based team. There were members assigned to reconnaissance, social engineering, infrastructure management and credential harvesting. 

Their tactics weren’t flashy, but they were effective: 

  • Publicly available business intelligence tools like ZoomInfo and LinkedIn were used to identify and score targets.
  • Teams tested for two-factor authentication and initiated phone-based social engineering campaigns to trick employees into installing remote management tools like Pulseway.
  • SSH keys were systematically abused to maintain long-term access.
  • Ransomware payloads were deployed after weeks of quiet reconnaissance and lateral movement.

The chats also confirmed active exploitation of 63 exposures, many of which were years old. This isn’t about zero-days. It’s about reliability, patching and good old-fashioned cyber risk management.

These findings confirm what many suspected: ransomware is no longer a smash-and-grab scheme. It’s a patient, persistent operation, and defenders need to shift their mindset accordingly.


Why Known Vulnerabilities Still Get Exploited

Despite an abundance of threat intelligence and patching tools, many organizations remain vulnerable to attacks that exploit well-known weaknesses. Why? According to our recent Vulnerability Forecast, security teams struggle to determine which vulnerabilities are most likely to be exploited. Scoring systems like EPSS (the Exploit Prediction Scoring System) can help you patch the Common Vulnerabilities and Exposures (CVEs) that matter and de-prioritize the ones that don’t.

It’s not that teams aren’t aware of the issues. It’s that they’re overwhelmed by volume, competing priorities and limited resources. That is why forecasts help security teams step back from the fire and take a moment to plan for next quarter or next year.

This patch exhaustion is the gap ransomware actors are counting on. They don’t need to find new holes. They just need to find old ones that haven’t been closed everywhere yet.
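One way to put the EPSS-plus-threat-intel idea into practice is a triage rule that lets exploitation evidence (KEV listing, ransomware reporting, a high EPSS probability) outrank CVSS severity on its own. This is an added example, not code from the Vulnerability Forecast or any vendor tool; the tiers, the 0.10 EPSS threshold and the CVE IDs are constructed placeholders.

```python
from dataclasses import dataclass

EPSS_THRESHOLD = 0.10  # assumed: EPSS probability above which exploitation is treated as likely


@dataclass
class Finding:
    cve: str
    cvss: float                # CVSS base score, 0-10
    epss: float                # EPSS probability of exploitation in the next 30 days, 0-1
    in_kev: bool               # listed in CISA's Known Exploited Vulnerabilities catalog
    ransomware_trending: bool  # threat intel reports ransomware groups using it
    internet_exposed: bool     # the affected asset is reachable from the internet


def priority(f: Finding) -> str:
    """Assign a patch tier: evidence of real exploitation outranks CVSS severity alone."""
    exploited = f.in_kev or f.ransomware_trending
    likely = f.epss >= EPSS_THRESHOLD
    if exploited and (f.internet_exposed or f.cvss >= 7.0):
        return "P1"  # patch now: known exploitation on a reachable or high-severity asset
    if exploited or (likely and f.internet_exposed):
        return "P2"  # this patch cycle
    if likely or f.cvss >= 9.0:
        return "P3"  # severe on paper but no exploitation evidence: schedule it
    return "P4"  # backlog


def patch_order(findings):
    """Return CVE IDs in the order to work them: tier first, then EPSS descending."""
    ranked = sorted(findings, key=lambda f: (priority(f), -f.epss))
    return [f.cve for f in ranked]


# Constructed sample; the IDs are placeholders, not real advisories.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.02, False, False, False),  # critical CVSS, internal, cold
    Finding("CVE-0000-0002", 6.5, 0.05, True, False, False),   # in KEV, medium severity, internal
    Finding("CVE-0000-0003", 7.5, 0.60, False, True, True),    # ransomware-trending, internet-facing
    Finding("CVE-0000-0004", 5.3, 0.01, False, False, False),  # noise
    Finding("CVE-0000-0005", 8.1, 0.35, False, False, True),   # high EPSS, internet-facing
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(priority(f), f.cve, f"epss={f.epss:.2f}")
    print(patch_order(SAMPLE))
```

Note that the 9.8 CVSS finding lands in P3: without exposure or exploitation evidence it is scheduled, not escalated, which is the de-prioritization the forecast argues for.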

 

What the Vulnerability Forecast Tells Us About the Rest of This Year

This year’s Vulnerability Forecast offers a data-backed warning: defenders are about to be stretched thinner than ever. We project that 2025 will see between 41,000 and 50,000 new CVEs: a record pace. And if current trends continue, 2026 could top 51,000. Here’s how the forecast breaks down by quarter:

  • Q1: approximately 11,400 new CVEs
  • Q2: approximately 12,130 new CVEs
  • Q3: approximately 12,110 new CVEs
  • Q4: approximately 12,580 new CVEs

The forecast team intentionally weighted long-term trends over 2024’s unusual volatility to give a more reliable sense of expected volume. These projections aren’t just data; they’re a planning tool for defenders:

  • Vulnerability disclosure teams use forecasts to budget time and staff.
  • Enterprises use them to guide patch cycles and prioritize staffing.
  • OT/ICS operators use them for predictive maintenance planning.
  • Cyber risk teams use them to assess potential exposure over time.

What unites these groups is the need to move from reactive patching to proactive resource allocation.


Empowering Defenders Through Collaboration

So where do we go from here? One answer has been building collaborative spaces where practitioners from all backgrounds can pool knowledge and develop shared defenses. These kinds of alliances are where real change happens.

A few takeaways from our community’s work:

  • Don’t just map endpoints, map persistence mechanisms. SSH key management, RMM usage and misconfigurations deserve as much scrutiny as external attack surfaces.
  • Layer threat intel into your vulnerability prioritization. Not all CVEs are equal. Knowing which ones are trending among ransomware groups can sharpen your focus.
  • Simulate the slow burn. More attackers are embedding themselves before launching ransomware. Your tabletop exercises should reflect this shift.
  • Practice recovery. Ransomware is a low-probability but high-impact event, so spend part of your time and energy on practicing recovery. Spending all your time on prevention isn’t a cost-effective risk management strategy, but building a ransomware response playbook will help reduce the cost of an incident in a crisis.
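Mapping persistence mechanisms, as the first takeaway urges, can start with an inventory audit: every authorized SSH key is checked against an approved fingerprint list, and every host is checked for remote management agents. This is an added example, not tooling from the community or the article; the hosts, key blobs and the starter list of RMM agent names are constructed assumptions.

```python
import base64
import hashlib

# Constructed inventory (made-up hosts and key blobs), shaped like a config-management or EDR export.
DEPLOY_KEY = "AAAAC3NzaC1lZDI1NTE5AAAAIDEPLOYKEYCONSTRUCTEDXYZ"       # constructed, not a real key
UNKNOWN_KEY = "AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNKNOWNKEYCONSTRUCTED"  # constructed, not a real key
INVENTORY = {
    "web-01": {
        "authorized_keys": [
            "# deploy key managed by CI",
            f'from="10.0.0.5",no-pty ssh-ed25519 {DEPLOY_KEY} deploy@ci',
            f"ssh-rsa {UNKNOWN_KEY} nobody@unknown",
        ],
        "services": ["nginx", "sshd"],
    },
    "fin-ws-07": {"authorized_keys": [], "services": ["sshd", "Pulseway"]},
}
# Assumed starter list of remote management agents to inventory; Pulseway is the one named in the chats.
RMM_AGENTS = {"pulseway", "anydesk", "teamviewer", "screenconnect"}
KEY_TYPES = ("ssh-", "ecdsa-", "sk-")


def fingerprint(blob: str) -> str:
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def parse_authorized_key(line: str):
    """Return (fingerprint, comment) for a key line; None for blank or comment lines."""
    tokens = line.strip().split()
    if not tokens or tokens[0].startswith("#"):
        return None
    for i, tok in enumerate(tokens):  # skip leading options such as from="..." or no-pty
        if tok.startswith(KEY_TYPES) and i + 1 < len(tokens):
            return fingerprint(tokens[i + 1]), " ".join(tokens[i + 2:]) or "(no comment)"
    return None


def audit(inventory, approved_fingerprints, rmm_agents):
    """Flag authorized keys outside the approved set and RMM agents present on any host."""
    findings = []
    for host, data in inventory.items():
        for line in data.get("authorized_keys", []):
            parsed = parse_authorized_key(line)
            if parsed and parsed[0] not in approved_fingerprints:
                findings.append((host, "unapproved_ssh_key", parsed[1]))
        for svc in data.get("services", []):
            if svc.lower() in rmm_agents:
                findings.append((host, "rmm_agent_present", svc))
    return findings


APPROVED = {fingerprint(DEPLOY_KEY)}  # the key inventory your CI or IAM owners sign off on
```

Run `audit(INVENTORY, APPROVED, RMM_AGENTS)` against a real export and every result is either a key nobody can account for or a remote-access agent that belongs on your RMM allow-list, or does not.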

Ransomware isn’t retreating. It’s regrouping. And the lessons from Black Basta, paired with the forecasted flood of vulnerabilities, show that defenders can’t afford to chase alerts. They need to think strategically.

Let’s shift the focus from reacting to building resilience. Share what works. Learn from others. Make use of tools like the vulnerability forecast to plan ahead, not just clean up afterward.

If you’re looking for a place to start, the broader incident response community is always ready to welcome new voices. There’s strength in shared insight, and a seat at the table for anyone willing to pull up a chair.
