Ensign Cyber Threat Landscape Report 2025

The Cyber Threat Landscape Report 2025 by Ensign InfoSecurity highlights the increasing sophistication and collaboration among ransomware groups, state-sponsored actors, and organised crime in the Asia Pacific region. It emphasizes emerging threats such as advanced ransomware evasion techniques, hacktivist evolutions, and targeted attacks on business professional services. #LockBit #DragonForce #EnsignInfoSecurity

Key points

  • The report is structured into several key sections: Editorial Foreword—outlining macro trends and regional focus; Executive Summary—highlighting major threats and strategic insights; Developments and Insights—detailing top cyber threat trends and technological evolution; Regional and Territorial Incidents—exploring localized cyber activities; Outlook for 2025—predictive landscape analysis; Defensive Actions—recommendations for cybersecurity leaders; Contributors and Appendices with technical heatmaps and vulnerability data.
  • Key statistics include nearly 40% of regional cyber activities attributed to state-sponsored groups, a doubling in the number of organised crime groups targeting the region, and significantly longer incident dwell times, with the maximum observed dwell time rising from 49 to 201 days.
  • Ransomware remains endemic, described as a “digital flu,” with groups like LockBit, Kill Ransomware, RansomHub, and Sarcoma active in Asia Pacific. Techniques to evade EDR/XDR solutions, the use of BYOVD (Bring Your Own Vulnerable Driver) to kill anti-malware processes, and the adoption of diverse programming languages such as Golang and Rust increase attack sophistication.
  • Initial Access Brokers (IABs) increasingly employ a “breach once, sell to many” model, facilitating multi-prong ransomware campaigns through subcontracting and multi-income streams in the underground economy.
  • Hacktivist groups such as Bjorka, ETHERSEC Team Cyber, R00TK1T, and RipperSec have evolved to more advanced exploit platforms beyond traditional DDoS and defacements, with collaborations extending to cybercrime and state-linked campaigns.
  • Organised crime activities have doubled in number, with groups like BITTER, Blackwood, Bronze Highland, FIN11, and FIN7 targeting financial sectors and critical infrastructure, often subcontracted to support sophisticated cyber campaigns.
  • The report highlights growing challenges in defending fragmented digital ecosystems composed of Western, open-source, and Eastern technology stacks, complicated by geopolitical and trade tensions and by internal regional strife.
  • Industrial Control Systems (ICS) are increasingly targeted, with state-sponsored actors pre-positioning capabilities for future disruption of utilities and transportation, both of which are critical infrastructure.
  • Incident response dwell times have increased due to technological sprawl and attack sophistication, with average dwell times rising significantly in industries such as Retail and the report’s “Others” category.
  • The top targeted industries in the region are Technology, Media and Telecommunications (TMT), Banking, Finance and Insurance (BFI), and the Public Sector, reflecting motivations of financial gain and disruption.
  • Defensive recommendations emphasize comprehensive endpoint inventory, updated and competent EDR/XDR solutions, regular threat hunting informed by threat intelligence, robust backup strategies (3-2-1-1), preparation of golden images for system rebuilds, and consideration of third recovery sites leveraging cloud scalability.
  • The report includes detailed MITRE ATT&CK framework mappings and encourages the use of provided heatmaps and JSON files for enhanced cyber defence operations.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)
