They Don’t Encrypt Files, Don’t Demand Money — But Cause Even Greater Damage. Who Are They?

Backups are intact, servers are running, yet the business collapses — here’s what hackers are doing differently in 2025.

Ransomware operators and infostealer groups are changing tactics faster than companies can adapt their defenses. Even major investments in ransomware resilience — primarily in backups and recovery — are increasingly failing to prevent real damage. According to the Picus Security Blue Report 2025, the most devastating incidents are no longer always tied to encryption: attackers are shifting to “quiet” tactics — credential theft, covert data exfiltration, and rapid lateral movement across networks, staying undetected for as long as possible.
The Blue Report’s numbers back up these concerns. The share of exfiltration attempts that were prevented has dropped to just 3%, the lowest ever recorded, even as “double extortion” incidents rise. Password guessing and cracking succeeded in 46% of tested environments, nearly twice as often as in 2024. Use of valid accounts (MITRE ATT&CK T1078) succeeded in 98% of cases, clearly showing how easily stolen or weak credentials bypass defenses.
The reason “quiet” operations succeed lies in a visibility imbalance. Organizations have become better at intercepting inbound threats — malicious attachments, phishing emails, loaders — but are far worse at tracking outbound traffic and low-profile data flows. The report names three main gaps: insufficient outbound monitoring, weak enforcement of DLP policies, and limited behavioral analytics. Modern infostealers are no longer just opportunistic password-grabbers from browsers; they are targeted, persistent tools in complex campaigns, blending in with legitimate access, hiding in normal network noise, and exfiltrating information over days or weeks — often without triggering a single alert.
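The outbound-monitoring gap described above is concrete enough to show in code. The following is an added example, not code from the report or from Picus: it runs two checks over constructed per-host egress flow records (hostnames, destinations and byte counts are all hypothetical). The first flags a one-day burst far above a host’s own baseline; the second flags the low-and-slow case the paragraph describes, where a never-before-seen destination quietly accumulates a large total even though no single day looks unusual.

```python
"""
Added example (not from the Blue Report): low-and-slow exfiltration detection
over constructed egress flow records. Per internal host, two checks:
  burst   - one day's outbound volume far above that host's learned baseline
  trickle - a destination unseen during the baseline period that accumulates a
            large total across the evaluation window while every single day
            stays below the burst threshold
"""
from collections import defaultdict
from datetime import date, timedelta

BASELINE_DAYS = 7                 # days used to learn each host's normal egress
EVAL_DAYS = 14                    # days examined for suspicious behaviour
BURST_FACTOR = 5.0                # day > BURST_FACTOR * baseline daily mean -> burst
TRICKLE_TOTAL = 200_000_000       # bytes to one new destination over EVAL_DAYS -> trickle


def build_sample_flows():
    """Constructed sample data: (day, host, destination, bytes_out). Hypothetical."""
    start = date(2025, 1, 1)
    flows = []
    for d in range(BASELINE_DAYS + EVAL_DAYS):
        day = start + timedelta(days=d)
        # ws-01: steady ~40 MB/day to a SaaS endpoint for the whole period
        flows.append((day, "ws-01", "saas.example", 40_000_000))
        # ws-02: normal baseline, then a single 1.2 GB upload on day 12
        flows.append((day, "ws-02", "saas.example", 30_000_000))
        if d == 12:
            flows.append((day, "ws-02", "files.example", 1_200_000_000))
        # ws-03: normal baseline, then 25 MB/day to a never-seen host for every
        # day of the evaluation window (350 MB total, no day stands out)
        flows.append((day, "ws-03", "saas.example", 35_000_000))
        if d >= BASELINE_DAYS:
            flows.append((day, "ws-03", "203.0.113.7", 25_000_000))
    return flows, start


def detect(flows, start):
    """Return a list of (host, kind, detail) findings."""
    baseline_end = start + timedelta(days=BASELINE_DAYS)
    daily = defaultdict(lambda: defaultdict(int))     # host -> day -> total bytes out
    base_dsts = defaultdict(set)                      # host -> destinations seen in baseline
    eval_dst_daily = defaultdict(int)                 # (host, dst, day) -> bytes out

    for day, host, dst, nbytes in flows:
        daily[host][day] += nbytes
        if day < baseline_end:
            base_dsts[host].add(dst)
        else:
            eval_dst_daily[(host, dst, day)] += nbytes

    # Per host/destination: total over the window and the largest single day
    eval_dst = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for (host, dst, day), nbytes in eval_dst_daily.items():
        rec = eval_dst[host][dst]
        rec[0] += nbytes
        rec[1] = max(rec[1], nbytes)

    findings = []
    for host, days in daily.items():
        base = [b for d, b in days.items() if d < baseline_end]
        if not base:
            continue  # no history: cannot baseline; review new hosts separately
        mean = sum(base) / len(base)
        burst_limit = BURST_FACTOR * mean
        for d, b in sorted(days.items()):
            if d >= baseline_end and b > burst_limit:
                findings.append((host, "burst",
                                 f"{d}: {b} bytes out vs baseline mean {mean:.0f}"))
        for dst, (total, max_day) in eval_dst[host].items():
            # Only new destinations whose daily volume never trips the burst check
            if dst not in base_dsts[host] and total > TRICKLE_TOTAL and max_day <= burst_limit:
                findings.append((host, "trickle",
                                 f"{total} bytes to new destination {dst} over "
                                 f"{EVAL_DAYS} days, largest single day {max_day}"))
    return findings


if __name__ == "__main__":
    sample_flows, sample_start = build_sample_flows()
    for host, kind, detail in detect(sample_flows, sample_start):
        print(f"{host}\t{kind}\t{detail}")
```

On the constructed data, ws-02 is reported as a burst and ws-03 as a trickle; ws-01 produces nothing. The thresholds are illustrative: in practice the baseline should be learned from real flow or proxy logs per host (or per role), and the trickle check is the one most environments lack, because per-event or per-day rules never see the cumulative total.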
The evolution of ransomware now relies on pressure rather than encryption, so reliable backups are no longer a silver bullet. Criminals don’t need a decryptor if they hold a trove of stolen documents and a platform to publish them. Notably, some ransomware families have consistently low prevention rates in the Blue Report: BlackByte — 26%, BabLock — 34%, Maori — 41%. The vulnerability to these groups stems not from backup strategy gaps, but from the fact that on the path to extortion, credential theft, lateral movement, and exfiltration are rarely blocked. Even if recovery goes perfectly, the damage is already done the moment data is leaked.
The report’s key takeaway is blunt: infostealers are thriving, ransomware is getting stealthier, and exfiltration too often goes unchallenged. If your risk picture rests on guesswork, static rules, and outdated detection logic, it will be wrong. The recommendation is to rely on hard evidence and to test defenses under realistic attack simulation before attackers do it for you.