As ransomware payments fall, threat actors are leaning harder on built-in tools. This week, the Google Threat Intelligence Group (GTIG) released research on the ransomware ecosystem in 2025 and the most common tactics, techniques, and procedures (TTPs) seen in incidents that Google's Mandiant team responded to. Among the key data points: roughly 77% of attacks involved suspected data theft (up from 57% the year before); 43% of intrusions targeted virtualization infrastructure (up from 29%); exploited vulnerabilities, especially in VPNs and firewalls, were the initial access vector in about one-third of cases; and posts on data leak sites, where attackers name and shame victims, hit a record high in 2025.

That last statistic is telling. GTIG found that data leak sites generally name, and publish data from, only those victims who do not pay, so record posting volume suggests that more victims are refusing to pay. That is consistent with reports from firms such as incident response company Coveware by Veeam, which has seen a sharp drop in both average and median ransom payments: large companies pay less often, and mid-sized businesses pay less.

"It's not that 'classic' offensive tools are gone; it's that a lot of threat actors are using built-in Windows features (PowerShell, WMI, cmd/batch, etc.) more often to avoid having to add extra binaries that are more likely to stand out," he writes.

He calls this trend "evasion through normalcy." "EDR [endpoint detection and response], which is widely used to detect and model behavior, can easily find and stop purpose-built tools like Mimikatz and Beacon," he says. "This means that deploying them can make it easier to find them and cause operations to fail sooner. On the other hand, abusing native tools becomes part of the organization's baseline and is harder to tell apart from real administration without strong identity controls and contextual correlation."

"This is similar to how a lot of the threat actors we watch work: quickly and at scale. They try to make things repeatable, reliable, and as frictionless (and undetectable) as possible as they move through an environment to reach their goals."

Bavi Sadayappan, a senior threat intelligence analyst at Google and one of the authors of the research, agrees that GTIG has seen this shift to built-in tools over the last few years. "Over the past few years, we've seen ransomware actors rely less and less on malware and common intrusion tools for different parts of the attack lifecycle. For example, there was almost no use of Cobalt Strike Beacon in 2025," she says.

"This move toward native utilities and tools that are available to the public for their operations is probably, at least in part, because security postures and endpoint detection systems have gotten better at finding and/or stopping more malicious activity."
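To make the "evasion through normalcy" point concrete, here is an added example (not GTIG's, Mandiant's or any vendor's code) of the kind of contextual correlation the researchers describe: a native tool such as PowerShell scores nothing on its own, and an alert fires only when identity context (who ran it, on which host, after what kind of logon) and launch context (parent process, command-line traits) diverge from the organization's admin baseline. The event records, the baseline, the account and host names and the field names are all constructed for this example and are simplified from the real Windows 4624/4688 event schema.

```python
"""Baseline-aware detection of living-off-the-land tooling.

Added example; not GTIG, Mandiant or any vendor's code. Records are
constructed and loosely modelled on Windows Security events 4624 (logon)
and 4688 (process creation); the field names are simplified assumptions,
not the exact Windows event schema.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed admin baseline: (account, host) pairs expected to run native
# admin tooling. In production this comes from weeks of telemetry plus the
# identity system's privileged-group membership.
ADMIN_BASELINE = {
    ("CORP\\svc_patch", "WS-ADMIN01"),
    ("CORP\\jdoe", "WS-ADMIN01"),
}
NATIVE_TOOLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe",
                "cscript.exe", "wscript.exe"}
# Parents that should not normally be spawning an admin shell.
ODD_PARENTS = {"wmiprvse.exe", "winword.exe", "excel.exe", "outlook.exe", "mshta.exe"}
# Command-line traits that are rare in hands-on-keyboard administration.
SUSPICIOUS_ARGS = [
    re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),  # encoded block
    re.compile(r"-w(indowstyle)?\s+hidden", re.I),                     # hidden window
    re.compile(r"downloadstring|invoke-expression|\biex\b", re.I),    # download-and-run
    re.compile(r"\bprocess\s+call\s+create\b", re.I),                  # wmic remote exec
]
NETWORK_LOGON_TYPES = {3, 10}  # network, RemoteInteractive (RDP)


@dataclass
class Event:
    ts: datetime
    event_id: int        # 4624 = logon, 4688 = process creation
    host: str
    user: str
    logon_type: int = 0  # 4624 only
    src_ip: str = ""     # 4624 only
    image: str = ""      # 4688 only: new process image
    parent: str = ""     # 4688 only: creator process image
    cmdline: str = ""    # 4688 only


def score(ev, events, window=timedelta(minutes=10)):
    """Score one 4688 event. A native tool on its own scores 0: that is the
    organization's normal noise. Points come only from context."""
    if ev.event_id != 4688 or ev.image.lower() not in NATIVE_TOOLS:
        return 0, []
    pts, why = 0, []
    if (ev.user, ev.host) not in ADMIN_BASELINE:
        pts += 2
        why.append(f"{ev.user} is not baselined to run {ev.image} on {ev.host}")
    hits = [p.pattern for p in SUSPICIOUS_ARGS if p.search(ev.cmdline)]
    if hits:
        pts += 2
        why.append(f"suspicious arguments: {len(hits)} pattern(s) matched")
    if ev.parent.lower() in ODD_PARENTS:
        pts += 2
        why.append(f"spawned by {ev.parent}")
    # Identity correlation: a fresh remote logon for the same account on the
    # same host shortly before the process is what lateral movement looks like.
    for lg in events:
        if (lg.event_id == 4624 and lg.host == ev.host and lg.user == ev.user
                and lg.logon_type in NETWORK_LOGON_TYPES
                and timedelta(0) <= ev.ts - lg.ts <= window):
            pts += 1
            why.append(f"preceded by type-{lg.logon_type} logon from {lg.src_ip}")
            break
    return pts, why


def detect(events, threshold=3):
    """Return alerts (dicts) for process events scoring at or above threshold."""
    alerts = []
    for ev in events:
        pts, why = score(ev, events)
        if pts >= threshold:
            alerts.append({"ts": ev.ts.isoformat(), "host": ev.host, "user": ev.user,
                           "image": ev.image, "score": pts, "reasons": why})
    return sorted(alerts, key=lambda a: -a["score"])


# Constructed sample telemetry: two baselined admins doing routine work, then
# an account with no admin baseline running an encoded PowerShell stage via
# WMI one minute after a network logon.
T = datetime(2025, 6, 3)
SAMPLE_EVENTS = [
    Event(T.replace(hour=9), 4688, "WS-ADMIN01", "CORP\\jdoe", image="powershell.exe",
          parent="explorer.exe", cmdline="powershell.exe Get-Service -Name spooler"),
    Event(T.replace(hour=9, minute=5), 4688, "WS-ADMIN01", "CORP\\svc_patch", image="powershell.exe",
          parent="svchost.exe", cmdline="powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\patch.ps1"),
    Event(T.replace(hour=2, minute=13), 4624, "FILESRV02", "CORP\\rsmith", logon_type=3, src_ip="10.8.44.17"),
    Event(T.replace(hour=2, minute=14), 4688, "FILESRV02", "CORP\\rsmith", image="powershell.exe",
          parent="wmiprvse.exe",
          cmdline="powershell.exe -nop -w hidden -enc SQBFAFgAIABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(a)
```

Run it and only the rsmith process on FILESRV02 alerts; the two baselined administrators running PowerShell score zero, which is the point the researchers make: the binary is identical, the context is not. In a real deployment the baseline would be learned from telemetry and the directory's privileged-group membership, and the logon correlation would be the same join done in the SIEM rather than a list scan.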