Dive Brief:
- Ransomware actors extorted consumer and industrial products vendors, consulting firms and manufacturing companies more than any other organizations in 2025, the security firm Intel 471 said in a report published on Tuesday.
- The U.S. was, by far, the most affected country, accounting for more than half of all extortion victims.
- Cyber threat actors exploited more than 40% of the 520 vulnerabilities disclosed in 2025, according to Intel 471, which predicted that AI would further reduce the time needed to exploit these vulnerabilities in 2026.
Dive Insight:
The number of extortion-related cyberattacks increased by roughly 63% in 2025 to 6,800, according to Intel 471’s report, which is based on the company’s analysis of dark-web forums and leak sites. 2025 also saw the “rapid ascension” of the Qilin ransomware gang, Intel 471 said, although the Sp1d3r Hunters alliance (composed of Scattered Spider, LAPSUS$ and ShinyHunters hackers) and the Cl0p gang grabbed most of the headlines with high-profile operations.
Businesses should be particularly alert for supply-chain attacks leveraging vulnerabilities in their contractors’ products, the report warned. By compromising a managed service provider or software vendor to access its customers’ systems, a supply-chain attack “leverages established trust, allowing attackers to bypass robust defenses and achieve a much greater impact with significantly less effort,” Intel 471 researchers wrote.
Cleo and Salesloft experienced major breaches that led to significant downstream intrusions in 2025, with researchers attributing the former campaign to Cl0p and noting the potential involvement of Sp1d3r Hunters in the latter campaign. Qilin launched a campaign in September that compromised at least 20 South Korean companies through an intrusion into one of their IT service providers.
Intel 471’s data on initial access brokers’ techniques offers a road map for how businesses should lock down their systems and put their employees on alert. Remote access portals topped the list of IABs’ targeted technologies, while their most frequent entry method was the abuse of legitimate credentials.
“Access brokers tend to rely on a recurring set of tools to demonstrate proof of compromise,” researchers said. “From a defender’s perspective, understanding the adversary behavior and their tools of preference can serve as early indicators of intrusion activity.”
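The two patterns above (remote access portals as the favored target, legitimate credentials as the entry method) translate directly into detections on portal authentication logs. The script below is an added illustration written for this article, not Intel 471's tooling or any vendor's product. It runs three checks over a constructed sample log: one source address failing against many distinct accounts in a short window (password spraying), a subsequent successful login from that same address (a credential that now works), and a user's first successful login from a source address never seen for that user. The log format, field names and thresholds are assumptions; map them to whatever your VPN or SSO gateway actually emits.

```python
"""Credential-abuse indicators on a remote-access portal (added example).

Illustrative code, not Intel 471's or any vendor's. Log format, field
names and thresholds are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines, not real data. Assumed format:
# <ISO-8601 timestamp> <username> <source_ip> <SUCCESS|FAILURE>
SAMPLE_LOG = """\
2025-11-03T08:00:01Z alice 203.0.113.10 SUCCESS
2025-11-03T08:01:12Z bob 198.51.100.7 FAILURE
2025-11-03T08:01:15Z carol 198.51.100.7 FAILURE
2025-11-03T08:01:18Z dave 198.51.100.7 FAILURE
2025-11-03T08:01:20Z erin 198.51.100.7 FAILURE
2025-11-03T08:01:23Z frank 198.51.100.7 FAILURE
2025-11-03T08:01:25Z grace 198.51.100.7 FAILURE
2025-11-03T08:02:40Z grace 198.51.100.7 SUCCESS
2025-11-03T09:15:00Z alice 203.0.113.10 SUCCESS
2025-11-03T21:30:00Z alice 192.0.2.55 SUCCESS
"""

SPRAY_MIN_USERS = 5                 # assumed threshold: distinct accounts per source IP
SPRAY_WINDOW = timedelta(minutes=10)  # assumed threshold: sliding window length


def parse_log(text):
    """Parse lines into (timestamp, user, ip, result) tuples sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result))
    events.sort()
    return events


def detect_password_spray(events):
    """One source IP failing against many distinct accounts inside SPRAY_WINDOW."""
    alerts = []
    failures_by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAILURE":
            failures_by_ip[ip].append((ts, user))
    for ip, fails in failures_by_ip.items():
        # Sliding window anchored on each failure; first hit is enough to alert once per IP.
        for i, (start, _) in enumerate(fails):
            users = {u for t, u in fails[i:] if t - start <= SPRAY_WINDOW}
            if len(users) >= SPRAY_MIN_USERS:
                alerts.append(("password_spray", ip, sorted(users)))
                break
    return alerts


def detect_success_after_spray(events, spray_alerts):
    """A login that succeeds from an IP already flagged for spraying: a credential now works."""
    spray_ips = {ip for _, ip, _ in spray_alerts}
    return [("success_from_spray_source", ip, user)
            for _, user, ip, result in events
            if result == "SUCCESS" and ip in spray_ips]


def detect_new_source(events):
    """First successful login for a user from an IP never previously seen for that user."""
    seen = defaultdict(set)
    alerts = []
    for _, user, ip, result in events:
        if result != "SUCCESS":
            continue
        if seen[user] and ip not in seen[user]:
            alerts.append(("new_source_ip", user, ip))
        seen[user].add(ip)
    return alerts


def analyze(text):
    """Run all three checks; returns a list of alert tuples."""
    events = parse_log(text)
    spray = detect_password_spray(events)
    return spray + detect_success_after_spray(events, spray) + detect_new_source(events)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

On the sample data this yields three alerts: a spray from 198.51.100.7 against six accounts, grace's later successful login from that same address, and alice's evening login from an address she has never used. The second alert is the one worth paging on; the third is the kind of low-confidence signal that should only escalate when it coincides with another indicator.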
On the prediction front, Intel 471 forecasts that supply-chain attacks will pick up due to the increasing prevalence of “worm-like automation”; that ransomware payments will decline as more organizations exhibit a reluctance to pay, forcing threat actors to rethink their pressure tactics; and that AI will remain only “a force multiplier” rather than “the core driver” of cyberattacks.
“There is little incentive for profit-driven adversaries to adopt malware dependent on LLMs due to increased cost, complexity, and reliance on external infrastructure, especially when proven loaders or stealers remain effective,” Intel 471 said. “We predict targeted escalation in areas where AI demonstrably increases the return on investment — such as deepfake-driven impersonation, AI-generated voice fraud targeting high-value individuals, and amplified synthetic media in influence operations.”