In today’s bulletin, Charlie discusses the recent findings from Check Point’s State of Cyber Security Report and gives an idea of the takeaways from the report.
This week, I have been teaching my two-day cyber course, and I felt inspired to write something on cyber. While browsing the internet, I came across Check Point’s report on ‘The State of Cyber Security 2025’, the 13th edition. I thought I would have a look at what the report has to say about cyber in 2025, and what in the report is useful to us, by which I mean those of us who are not on the technical side of cyber but are more involved in cyber incident management: the reputational, communications, and continuity of operations side of cyber.
For me, these are the key takeaways and trends in the report which I think we need to be aware of:
1. Ransomware Shifts from Encryption to Data Extortion
The ransomware landscape underwent a fundamental transformation in 2024, with criminals increasingly abandoning traditional encryption-based attacks in favour of pure data exfiltration and extortion (DXF) tactics. According to Check Point’s analysis, the median ransom payment dropped to approximately $200,000, reflecting this strategic shift in cybercriminal operations.
This evolution stems from practical challenges facing ransomware operators. The encryption phase is inherently ‘noisy’ and resource-intensive, increasing detection risk while requiring extensive ‘customer support’ for data recovery—both operationally demanding and profit-reducing tasks.
Data from Coveware dramatically illustrates this trend: encryption-based cases resolved through ransom payments declined from 75% in 2019 to just 32% by Q3 2024, while data exfiltration-only extortion maintained a steady 35% payment rate. This shift coincided with organisations becoming more proficient at maintaining up-to-date backups, making encryption less effective as leverage.
Established groups like BianLian fully transitioned to DXF-only extortion by 2024, while new platforms such as Bashe emerged exclusively as data-selling operations, offering stolen data at different price points and allowing victims to “buy back” their information to prevent public exposure.
This tactical shift presents new challenges for defenders, as DXF attacks are harder to detect without the visible disruption caused by encryption, while still maintaining the same extortion pressure through threats of data exposure and regulatory consequences.
2. Healthcare Becomes Prime Ransomware Target
Healthcare emerged as the second most targeted sector for ransomware attacks in 2024, representing a dramatic shift in cybercriminal ethics and tactics. This surge follows the complete abandonment of previously established ‘ethical’ guidelines that many ransomware operators had publicly declared during the COVID-19 pandemic, when they pledged to avoid targeting hospitals and medical providers to prevent endangering patient lives.
The migration of ransomware groups towards healthcare organisations underscores the gradual decline of these self-imposed restrictions over time. The healthcare sector saw a 47% increase in average weekly attacks, and it is particularly exposed because attacks cause prolonged service disruptions. The critical nature of healthcare operations means that any downtime can directly impact patient care, making these organisations more likely to pay ransoms quickly to restore essential services.
Several high-profile incidents in 2024 highlighted this troubling trend. The ALPHV ransomware gang attacked UnitedHealth Group’s subsidiary Change Healthcare, stealing six terabytes of data and disrupting prescription processes at military clinics and hospitals worldwide. This attack resulted in a staggering $872 million impact in the first quarter of 2024 alone, including $593 million in direct response costs and $279 million in business disruption. Romania’s healthcare system also suffered a major blow when the Phobos ransomware targeted 25 hospitals, causing operational disruptions at over 100 additional facilities due to their connection to the compromised Hipocrate Information System.
By February 2024, the healthcare and medical sectors became the most targeted sectors for ALPHV, making up approximately 30% of their reported victims, demonstrating how ransomware groups now actively encourage affiliates to specifically target hospitals.
3. Top 5 Ransomware Targets by Industry (2024):
- Education – 3,574 average weekly attacks (+75% increase)
- Healthcare & Medical – 2,210 average weekly attacks (+47% increase)
- Government – 2,286 average weekly attacks (+43% increase)
- Telecommunications – 2,084 average weekly attacks (+40% increase)
- Construction & Engineering – 1,579 average weekly attacks
The education sector’s position at the top reflects its vulnerability due to personal information collection, while the high ranking of government and telecommunications demonstrates the strategic value these sectors hold for cybercriminals seeking both financial gain and potential espionage opportunities.
4. Hacktivist Groups Form Strategic Alliances
The cybersecurity landscape in 2024 witnessed the emergence of sophisticated hacktivist alliances, marking a significant evolution from traditionally fragmented operations. The most prominent example is the ‘Holy League’, a coalition demonstrating how previously independent hacktivist groups now organise under shared banners to amplify their impact and coordinate large-scale attacks.
The Holy League incorporates over 20 Russian-affiliated cyber gangs, linking with groups like People’s Cyber Army, NoName057(16), and UserSec. This alliance joined forces with the 7th October Union, a pro-Palestinian hacktivist collective comprising over 40 groups, many linked to Iran. Together, they targeted NATO, Europe, Ukraine, and Israel, with coordinated DDoS attacks and propaganda efforts, including a notable campaign targeting NATO’s 75th Anniversary Summit in Washington.
This trend reflects broader geopolitical tensions, with hacktivist activity mirroring real-world political developments. After South Korea sent observers to Ukraine during North Korea’s involvement with Russian forces, Russian-linked groups NoName057(16) and Z Pentest launched retaliatory DDoS attacks on South Korean entities. The High Society hacktivist collective exemplifies this evolution, claiming to be “the largest alliance in the world”, with more than 70 active hacker groups.
These coalitions blur the boundaries between state-backed cyber warfare and independent hacktivist activities, allowing sponsors to obscure direct involvement while leveraging patriotic rhetoric. This represents a fundamental shift from individual operations to organised, state-aligned cyber warfare units that pose significant challenges for defenders combating increasingly sophisticated and coordinated operations.
5. Hybrid Network Vulnerabilities Enable Lateral Movement
The widespread adoption of hybrid cloud environments in 2024 created a dangerous new attack surface, as organisations increasingly integrated on-premises infrastructure with cloud services through Identity and Access Management (IAM) systems. This integration, while streamlining operations through Single Sign-On (SSO) authentication, inadvertently established bidirectional pathways that cybercriminals now exploit for lateral movement between cloud and traditional network environments.
According to Check Point’s analysis, attackers have learned to weaponise these hybrid integrations, particularly targeting services like Microsoft Entra ID (formerly Azure AD) that connect on-premises Active Directory with cloud resources. When criminals gain control of an on-premises environment, they can now pivot to cloud platforms through established trust relationships, while cloud compromises enable them to access traditional network infrastructure through the same pathways.
Several high-profile incidents in 2024 demonstrated this vulnerability. The financially motivated threat actor Storm-0501 launched multi-stage attacks that compromised hybrid cloud environments, performing lateral movement from on-premises to cloud, deploying backdoor accounts, and ultimately launching ransomware across networks. Similarly, the Iran-based threat group Mango Sandstorm (aka Mercury) leveraged these hybrid connections to dump email conversations, send emails, and deploy destructive attacks on cloud assets after initially compromising on-premises systems.
Companies using cloud-based email services like Microsoft 365 discovered that compromised on-premises networks could expose their cloud assets when attackers gained control of hybrid user accounts or exploited pathways like Azure AD Connect servers. This interconnectedness means that a single point of compromise can cascade across an organisation’s entire digital infrastructure, making traditional network segmentation ineffective and requiring organisations to rethink their security strategies for these integrated environments.
The challenge is compounded by the fact that these hybrid connections are often necessary for business operations, making it difficult for security teams to simply disable the integration points that enable lateral movement.
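One practical check that follows from the hybrid-identity risk described above, written here as an added example (it is not code from Check Point’s report or from this bulletin): list every on-premises-synced account that also holds a privileged cloud role, since those accounts are exactly the pathway by which an on-premises compromise becomes a cloud compromise. The input is a constructed snapshot shaped like Microsoft Graph user objects (the `onPremisesSyncEnabled` field is the real Graph property; the inline `roles` list and the sample accounts are assumptions for illustration).

```python
# Added defender-side example: flag hybrid (directory-synced) accounts that hold
# privileged Microsoft Entra roles. Such accounts should be cloud-only, because a
# synced account's credentials originate in on-premises Active Directory.

# Real Entra role names; the set is an assumption about which roles matter most.
PRIVILEGED_ROLES = {
    "Global Administrator",
    "Privileged Role Administrator",
    "Hybrid Identity Administrator",
    "Exchange Administrator",
}

# Constructed sample directory snapshot, not data from any real tenant.
SAMPLE_USERS = [
    {"userPrincipalName": "ga-cloudonly@example.com",
     "onPremisesSyncEnabled": None, "roles": ["Global Administrator"]},
    {"userPrincipalName": "jdoe@example.com",
     "onPremisesSyncEnabled": True, "roles": ["Global Administrator"]},
    {"userPrincipalName": "svc-sync@example.com",
     "onPremisesSyncEnabled": True, "roles": ["Hybrid Identity Administrator"]},
    {"userPrincipalName": "asmith@example.com",
     "onPremisesSyncEnabled": True, "roles": []},
]


def find_risky_hybrid_admins(users, privileged_roles=PRIVILEGED_ROLES):
    """Return (UPN, sorted privileged roles) for every synced account with a
    privileged cloud role.

    In Graph, cloud-only accounts have onPremisesSyncEnabled null or False; a
    True value means the account is mastered on-premises, so whoever controls
    the on-premises domain effectively controls this cloud role as well.
    """
    findings = []
    for user in users:
        synced = bool(user.get("onPremisesSyncEnabled"))
        held = sorted(set(user.get("roles", [])) & privileged_roles)
        if synced and held:
            findings.append((user["userPrincipalName"], held))
    return findings


if __name__ == "__main__":
    for upn, roles in find_risky_hybrid_admins(SAMPLE_USERS):
        print(f"synced account holds privileged cloud role: {upn} -> {', '.join(roles)}")
```

In a live tenant the same logic runs over the output of a Graph user query with the `onPremisesSyncEnabled` property and the tenant’s directory role memberships; the cloud-only break-glass account in the sample is deliberately not reported.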
Looking at these five trends, we can see that the threat landscape is always changing, and we need to keep up with those changes. The fundamental change for me is the trend of not encrypting files but just exfiltrating data. This trend makes it easier for business continuity practitioners to respond: if there is no encryption, the organisation’s operations are not affected, and the response becomes a purely reputational issue rather than one affecting the continuity of service to customers, as happened with the Marks and Spencer attack. This is a trend rather than a wholesale change, so encryption attacks haven’t gone away, but for me it underlines the importance of crisis management in responding to attacks, and of organisations understanding what data they hold and the impact if that data is made publicly available.