Ransomware in 2025: How Businesses Can Stay Ahead of the New Tactics

The ransomware landscape is rapidly changing as new arrests are made and prolific groups are taken down. EU Business News heard from Joshua Walsh, Information Security Practitioner, part of the cyber, data and information law specialist team at rradar, on some of the biggest trends he’s seen in ransomware in 2025, and steps businesses can take to mitigate each specific risk to help protect themselves from the data-locking malware. These include:
1. Initial Access Brokers (IABs) are selling entry points on the dark web
Initial access brokers are cybercriminals who specialise in gaining access to corporate environments and then sell that access to ransomware groups and other threat actors. This means that ransomware operators no longer need to perform the initial intrusion themselves; instead, they buy access to a ready-to-exploit network.
Why it matters:
It shortens the attack lifecycle, allowing ransomware to be deployed within hours of purchase while also removing any early warning signs, as the access might have been gained weeks before the actual attack. It also means that an organisation could be a target without ever being directly breached first, such as if the compromise happens via reused credentials or a lightly defended third party.
What to do:
- Monitor for credential exposure using threat intelligence and dark web monitoring tools to detect leaked company credentials early
- Implement multi-factor authentication on all external-facing systems including VPNs, remote desktops and cloud consoles
- Audit inactive or underused accounts and services to minimise unnoticed entry points
- Patch internet-facing applications and infrastructure quickly
- Monitor for unusual login patterns, such as logins from new countries, new devices or at unusual times
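The last check in the list above can be sketched as a per-user baseline over authentication logs. This is an added example, not code from rradar or EU Business News; the event format, the sample logins and the two thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (user, UTC timestamp, country, device id); not real data.
EVENTS = [
    ("alice", "2025-03-03T09:12:00", "GB", "laptop-01"),
    ("alice", "2025-03-04T10:05:00", "GB", "laptop-01"),
    ("alice", "2025-03-05T08:47:00", "GB", "laptop-01"),
    ("alice", "2025-03-06T11:30:00", "GB", "phone-07"),
    ("alice", "2025-03-07T03:21:00", "RO", "unknown-99"),
    ("bob", "2025-03-03T22:10:00", "DE", "laptop-02"),
    ("bob", "2025-03-04T23:02:00", "DE", "laptop-02"),
    ("bob", "2025-03-05T22:45:00", "DE", "laptop-02"),
    ("bob", "2025-03-06T22:30:00", "DE", "laptop-02"),
]

MIN_HISTORY = 3  # assumed: logins needed before a user's baseline is trusted
HOUR_SLACK = 2   # assumed: tolerance in hours around previously seen login hours


def unusual_hour(hour, seen_hours):
    """True if hour is more than HOUR_SLACK from every seen hour on a 24h clock."""
    return all(min(abs(hour - h), 24 - abs(hour - h)) > HOUR_SLACK for h in seen_hours)


def detect(events):
    """Return (user, timestamp, reasons) for logins that deviate from the user's own history."""
    baseline = defaultdict(lambda: {"countries": set(), "devices": set(), "hours": set(), "n": 0})
    alerts = []
    for user, ts, country, device in sorted(events, key=lambda e: e[1]):
        b = baseline[user]
        hour = datetime.fromisoformat(ts).hour
        if b["n"] >= MIN_HISTORY:
            reasons = []
            if country not in b["countries"]:
                reasons.append("new_country")
            if device not in b["devices"]:
                reasons.append("new_device")
            if unusual_hour(hour, b["hours"]):
                reasons.append("unusual_time")
            if reasons:
                alerts.append((user, ts, reasons))
        # Simplification: every login updates the baseline, including flagged ones.
        b["countries"].add(country)
        b["devices"].add(device)
        b["hours"].add(hour)
        b["n"] += 1
    return alerts
```

Because the baseline is per user, a regular late-evening login pattern such as bob's raises nothing, while a single login that is new on all three axes stands out.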
2. Supply chain attacks are becoming the go-to entry point
Attackers are increasingly targeting third-party vendors and service providers as a means of gaining access to larger, more significant targets. These may include IT providers, e-commerce platforms, or logistics partners.
Why it matters:
Once inside a vendor’s system, attackers can move laterally into an organisation’s environment or affect multiple downstream businesses at once.
What to do:
- Conduct regular risk assessments on third-party vendors, focusing on those with elevated access to internal systems or data
- Enforce least privilege access, ensuring vendors only have access to what is absolutely necessary and for a limited time
- Implement and monitor multifactor authentication across all third-party connections, including API and backend integrations
- Maintain a centralised inventory of vendor relationships and access rights to revoke unused connections quickly
3. Ransomware groups are introducing payment tiers
Attackers are moving away from flat ransom demands. Instead, they are now starting to offer victims multiple payment options with varying outcomes. For example, one fee might delete the stolen data, another might decrypt systems and a higher tier might do both along with a “guarantee” of no future leaks.
Why it matters:
This tactic increases the psychological pressure and complicates decision making. It’s designed to force quick, larger payments while creating the illusion of choice.
What to do:
- Establish a predefined ransomware response policy that clearly outlines who is involved, when legal or insurance counsel should be brought in and what factors influence decision making
- Engage with a trusted incident response provider in advance so you don’t lose time finding support during an active attack
- Communicate internally that promises by the attacker regarding data deletion or non-leakage are not credible and that paying may not prevent long-term exposure
- Ensure that any decisions regarding ransom payments include thorough assessments of legal, compliance, and reputational risks