No, it is not new or particularly novel, but after years of attacks, ransomware continues to rank among the most damaging threats facing global organizations today.
Even with security teams pouring significant resources into prevention and detection efforts, attackers are still finding ways to bypass their defenses. Double extortion has become the default approach, with groups encrypting systems and stealing sensitive data for leverage.
Some actors are now skipping the encryption step entirely, focusing solely on data theft and extortion to avoid detection and streamline their operations.
Picus Security’s Blue Report 2025 pulls back the curtain to show just how easily cybersecurity defenses are slipping.
Drawing on more than 160 million Breach and Attack Simulation (BAS) results, this year’s Blue Report saw overall prevention effectiveness fall from 69% in 2024 to 62% in 2025. The most alarming finding, however, was data exfiltration: prevention collapsed to just 3%, down from an already unacceptably low 9% last year. This leaves organizations exposed at exactly the stage ransomware groups exploit most.
The takeaway is clear: assumptions do not equal security, and non-validated defenses will continue to fail when it matters most.
Parsing the results, it quickly becomes clear that ransomware readiness cannot be assumed. It must be proven. That means continuously validating your organization’s defenses against both long-known ransomware families and the emerging strains now active in the wild.
Breach and Attack Simulation provides that proof, showing in real time whether protections stand or fail.
Why Known and Emerging Ransomware Both Matter
Unfortunately, with ransomware, familiarity all too often breeds false confidence. Security teams may believe they are protected against the big-name strains, but over time, if left alone, their defenses steadily weaken as configurations drift and environments change.
Ransomware operators, meanwhile, keep moving. Code is repackaged, loaders are updated, and evasion techniques are refined to keep attacks from being detected. Unfortunately, what worked against yesterday’s campaign often will not work against today’s updated attempt.
This year’s Blue Report shows this all too clearly.
Among the top 10 most under-prevented ransomware strains, five were new or emerging, yet they bypassed defenses just as effectively as long-established names.
- Known families still succeed. BlackByte (26%) remains the hardest ransomware to prevent for the second year in a row, exploiting public-facing applications and exfiltrating data before encryption. BabLock (34%) continues to pressure victims with double extortion, while Maori (41%) leverages fileless delivery and regional campaigns. Their persistence shows how easily defenses can erode in real-world environments.
- Emerging ransomware strains hit just as hard. FAUST (44%), Valak (44%), and Magniber (45%) bypass controls through registry modifications, modular payloads, and staged execution. Nearly half of all attacks succeed, proving that new names quickly become effective in the wild.
- Established names adapt. BlackKingdom (48%), Black Basta (49%), and Play (50%) evade defenses with stolen credentials, process hollowing, and remote service execution. Even after years of documentation, they remain difficult to stop.
- Advanced ransomware operators remain resilient. AvosLocker was prevented only 52% of the time, exploiting privilege escalation and advanced obfuscation to compromise critical sectors despite specifically targeted defenses.
These findings illustrate a critical point: the distinction between “known” and “emerging” ransomware is becoming less and less meaningful. When organizations fail to continuously test their defenses, both known and emerging strains can, and eventually will, evade them.
The Biggest Gaps in Defense
Ransomware groups rarely rely on a single trick. Instead, they chain multiple techniques across the kill chain and take advantage of whichever set of defenses is the weakest.
The Blue Report 2025 shows that persistent gaps in prevention and detection continue to give attackers exactly the opening they have been looking for.
- Malware delivery: Prevention dropped to 60% (down from 71% in 2024). Despite being one of the oldest attack vectors, loaders and droppers are still bypassing static defenses.
- Detection pipeline: Only 14% of attacks generated an alert, even though 54% were logged. This log-to-alert gap can easily leave defenders blind to both established families like BlackByte and newer variants such as FAUST and Magniber.
- Data exfiltration: Effectiveness at stopping data exfiltration fell to just 3% in 2025 (down from 9% in 2024), the worst score of any attack vector. This weakness fuels the surge in double extortion attacks, where stolen data is leaked to increase pressure on victims.
- Endpoint security: Endpoints blocked 76% of attacks, but lateral movement and privilege escalation still worked in a quarter of cases. Families such as Black Basta and Play exploited these weaknesses to spread within compromised networks.
Overall, ransomware thrives not because of cutting-edge techniques but because defenses continue to fail at critical points.
Five of the ten ransomware families highlighted in the report are long-established strains, yet they are evading defenses as effectively as new or emerging threats. Attackers do not need novel breakthroughs, only the ability to exploit what is already broken.
Based on 160M+ attack simulations, the Picus Blue Report 2025 exposes why ransomware still slips past defenses: prevention dropped to 62% and data exfiltration prevention to just 3%.
Get the full findings and see how continuous validation closes critical gaps.
How BAS Strengthens Ransomware Readiness
Picus Breach and Attack Simulation (BAS) helps close the gap between what organizations think their defenses can do and how they actually perform against ransomware.
Unlike traditional penetration testing, which is periodic and manual, BAS provides continuous, automated checks that show you where your defenses hold up against real attack behaviors, and where they do not, in your unique and dynamic environment.
Key BAS benefits include:
- Continuous Ransomware Simulations. BAS safely simulates and emulates ransomware TTPs seen in the wild, from initial compromise through encryption and data theft, to show exactly where your defenses break down, across perimeter controls and endpoint security.
- Validation Against Known and Emerging Families. Picus updates BAS threat libraries daily with intelligence on both established ransomware and new variants, letting organizations test against the same families seen in advisories and those first appearing in the wild.
- Actionable Fixes. When attacks succeed in simulation, BAS provides practical remediation guidance, both vendor-specific and vendor-agnostic, so defenders know exactly what to adjust.
- Proof of Readiness. BAS generates measurable data on ransomware resilience, including prevention rates, detection coverage, and mitigation status, giving security teams tangible evidence they can show to leadership and auditors.
Closing the Readiness Gap
One of the most dangerous beliefs in ransomware readiness is assuming your defenses are working because they have worked up until this point, or because you have deployed the “right” products.
The Blue Report 2025 shows how misleading both of these assumptions can be: nearly 50% of ransomware attempts bypassed defenses, and only 14% triggered alerts.
BAS turns assumptions into evidence by answering the questions that matter most:
- Would your DLP system actually stop sensitive data from leaving your network?
- If ransomware slips past endpoint controls, would your SIEM raise the alarm in time?
- Are email gateways tuned well enough to block phishing payloads used by BabLock or Play?
- Would newer families like FAUST or Magniber pass through unnoticed?
With BAS, security teams do not have to guess. They know.
Conclusion
In the end, the Blue Report 2025 makes one thing clear: ransomware thrives not because attackers reinvent the playbook, but because defenses are rarely tested in practice. The same security weaknesses resurface year after year, with prevention slipping, detection lagging, and data theft going almost entirely unchecked.
Breach and Attack Simulation is the missing piece. By safely emulating end-to-end ransomware attacks, including initial compromise, credential access, lateral movement, and data theft, BAS pinpoints exactly where your defenses are and are not working and confirms whether fixes are holding. It shifts readiness from trusting and assuming to proving, giving defenders something they can measure, improve, and demonstrate every day.
Ransomware readiness has moved well beyond asking “Are we protected?”. It is about continuously demonstrating evidence of resilience, and BAS is the only sustainable way to get there.
Download the Blue Report 2025 to get the full picture, from ransomware and data exfiltration to industry-by-industry performance, regional disparities, MITRE ATT&CK tactic and technique gaps, and the vulnerabilities attackers are exploiting right now. See where defenses are slipping, and why continuous validation is the way forward.
Sponsored and written by Picus Security.