The 2025 Global Threat Intelligence Report summarizes 2024’s cyber landscape, showing how geopolitical conflicts, supply-chain compromises, and advanced ransomware operations disrupted critical sectors and amplified systemic risk. It documents high-impact incidents, sharp increases in DDoS and supply-chain attacks, and the growing convergence of state-aligned APTs with ransomware actors that broadened both capability and reach. #ALPHV #VoltTyphoon
Key points
- Typical report structure: Executive Summary (high-level findings and themes), Geopolitical Conflicts and Cyber Warfare (conflict-driven operations, actor profiles, case studies), Ransomware and Sector Targeting (industry impacts, notable incidents, extortion trends), Supply Chain Threats (library compromises, cloud/hybrid risks, vendor exposure), Predictions for the coming year, Practical Recommendations, and About the authoring organization.
- Executive Summary purpose: synthesize the year’s defining shifts, offer contextual analysis of how state and criminal actors interacted, and set actionable priorities for defenders and policymakers.
- Geopolitical sections normally break down activity by theater (e.g., Russia-Ukraine, Israel-Hamas, China-Taiwan, DPRK-ROK), describe actor motivations and tactics, and include spotlight profiles of specific groups such as NoName057(16), Storm-1516, Volt Typhoon, and UNC5537.
- Ransomware and sector analysis typically covers revenue estimates, industry-specific impacts (notably healthcare and education), case timelines of major breaches, and analysis of extortion methods (double/triple extortion and RaaS models).
- Supply chain coverage explains methods (malicious library injections, compromised updates, third-party vendor access), quantifies downstream reach, and highlights remediation complexity for affected customers.
- Key statistics from the report: 55% rise in DDoS attacks against critical infrastructure over four years; supply chain breaches up ~68% year-over-year; ransomware generated an estimated $450M in H1 2024 with a 10% YoY increase; 67% of healthcare organizations impacted by ransomware in the past year.
- Notable incidents and data points: the Polyfill.io JavaScript compromise affected hundreds of thousands of hosts; Change Healthcare breach (ALPHV/BlackCat) resulted in ~6 TB exfiltrated and exposure tied to ~100 million individuals; UNC5537’s Snowflake/SaaS targeting led to multi-million-dollar extortion claims; LockBit and other groups demanded multimillion-dollar ransoms in retail and healthcare attacks.
- Major trends: convergence of APT techniques with financially motivated ransomware (state-aligned groups adopting or collaborating with RaaS), expanded use of double and triple extortion, and increased exploitation of cloud misconfigurations and widely used third-party libraries.
- Evolving attack techniques: living-off-the-land (LOTL) for stealth and persistence, rapid botnet rebuilds (e.g., Volt Typhoon activity), credential harvesting to pivot into cloud/SaaS accounts, and weaponization of influence tools including LLMs and deepfakes in election interference campaigns (e.g., Storm-1516).
- Supply chain dynamics: compromises of shared components (Polyfill.io) and vendor pathways enabled broad, simultaneous impact across industries; third-party and OT vendor access remains a critical risk vector for utilities and transportation.
- Sector-specific impacts: healthcare faced disproportionate operational harm—hospital outages, canceled surgeries, billing system failures—with attackers exploiting the sector’s reliance on uptime to pressure payouts; education and retail also experienced high-impact disruptions.
- Shifts in attribution and motive: attackers increasingly mask espionage as financially motivated incidents (ransomware used as a cover for data theft), complicating response and reducing confidence in straightforward attribution.
- Regulatory and market responses: expect tighter global regulation, more mandated incident reporting and baseline security standards, and growing pressure from customers for vendor transparency and stronger third-party risk controls.
- Predictions highlighted: continued targeting of critical sectors in 2025, wider adoption of AI by threat actors (and defenders), more sophisticated extortion and hybrid operations, and further erosion of trust in supply chain relationships unless transparency and vendor security improve.
- Top actionable takeaways and recommendations: deploy AI-assisted detection and response (“AI to fight AI”), maintain robust backups and disaster recovery, segment networks and apply zero-trust, enforce strong authentication for cloud/SaaS, regularly scan and patch dependencies (including third-party libraries), create and exercise playbooks for extortion scenarios, and run continuous phishing/social-engineering training.
- Enduring themes and impact: the blurring lines between hacktivists, APTs, and cybercriminals, the systemic risk of widely shared software components, and the weaponization of geopolitical events for cyber campaigns mean organizations must invest in cross-functional resilience, supply-chain scrutiny, and proactive threat intelligence sharing.
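The supply-chain points above (the Polyfill.io compromise of a shared, CDN-hosted component, and the recommendation to scan third-party libraries) can be made concrete with a small inventory check. The script below is an added example, not code from the report or from the awesome-annual-security-reports project: it parses an HTML document, lists every script loaded from a host outside a first-party allowlist, and flags those that carry no Subresource Integrity (`integrity=`) attribute, since such includes can be swapped at the CDN without any change on the site itself. The sample HTML, the allowlist and all hostnames are constructed for the example; SRI as a mitigation is the editor's addition and is not discussed on the page.

```python
"""Inventory third-party <script src> includes in an HTML document.

Added example (not from the report or the awesome-annual-security-reports
project). One concrete form of the 'scan dependencies, including
third-party libraries' recommendation: list every script fetched from a
host outside the first-party allowlist and flag those without a
Subresource Integrity hash. Sample HTML, allowlist and hostnames are
constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed first-party hosts; scripts from these are not reported.
FIRST_PARTY = {"www.example-corp.test", "static.example-corp.test"}


class ScriptCollector(HTMLParser):
    """Collect the attribute dicts of all <script> tags that have a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        a = dict(attrs)  # attribute names arrive lower-cased from HTMLParser
        if a.get("src"):
            self.scripts.append(a)


def script_host(src, page_host):
    """Host a script is fetched from; relative URLs resolve to the page host.

    Protocol-relative URLs (//cdn.test/x.js) yield a netloc with no scheme,
    so they are correctly treated as external.
    """
    p = urlparse(src)
    if p.scheme == "" and p.netloc == "":
        return page_host
    return (p.netloc or page_host).lower()


def audit_third_party_scripts(html, page_host, first_party=FIRST_PARTY):
    """Return one finding per script served from a non-first-party host.

    Each finding is {"src", "host", "has_integrity", "risk"}; risk is
    'pinned' when an integrity hash is present, 'unpinned' otherwise.
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for a in collector.scripts:
        host = script_host(a["src"], page_host)
        if host == page_host or host in first_party:
            continue
        has_integrity = bool(a.get("integrity"))
        findings.append({
            "src": a["src"],
            "host": host,
            "has_integrity": has_integrity,
            "risk": "pinned" if has_integrity else "unpinned",
        })
    return findings


# Constructed page: one relative script, one first-party CDN script, one
# external script pinned with SRI, one external script with no pin.
SAMPLE_HTML = """
<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example-corp.test/vendor.js"></script>
<script src="https://cdn.example-third-party.test/lib/1.2.3/lib.min.js"
        integrity="sha384-CONSTRUCTED_PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script src="//cdn.unpinned-cdn.test/polyfill.min.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for f in audit_third_party_scripts(SAMPLE_HTML, "www.example-corp.test"):
        print(f"{f['risk'].upper():9} {f['host']:32} {f['src']}")
```

Run against the constructed page, the audit reports two external includes: the pinned one from `cdn.example-third-party.test` and the unpinned `polyfill.min.js`. Two caveats apply when using this on real sites: a pin only helps for resources whose bytes are fixed (a CDN that varies the script per client, as user-agent-specific polyfills do, cannot be pinned and should be self-hosted instead), and scripts injected at runtime by other scripts are not visible to a static HTML scan.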
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)