Top three cyber threats that will persist in 2025

As another year comes to an end, it’s not only Santa who brings presents for those on his nice list. These days, it’s quite common for well-known firms to publish their annual roundups of the most notable events that have taken place in the cybersecurity landscape, together with predictions of what we can expect in the next twelve months. As a threat intelligence unit at Outpost24, the analysts at KrakenLabs eagerly consume these publications and have decided to make our own forecast for the upcoming year.

Outpost24 KrakenLabs focus

The cyberthreat world is densely populated, and its denizens are quite diverse in terms of purpose, resources, and sophistication. Such variety forces threat intelligence units to specialize. Therefore, we mostly focus on threat actors for whom our primary sources can provide the greatest wealth of information. In other words, actors with a strong presence in what we call the underground ecosystem: the network of underground forums, social media, instant messaging platforms, and data leak sites in which cybercriminals are currently thriving.

Other interesting actors, for example nation-state groups that carry out highly sophisticated attacks, fall outside our scope; thankfully, we can rely on reports from other colleagues in the industry to keep tabs on them.

To put it simply, our research is centered on threat actors present in the underground ecosystem that are mostly focused on “maximizing profits while also making a name for themselves”. They do so through a collection of malicious activities with varying degrees of sophistication. From this scope, we have selected three types of threat that we believe will continue to have a major impact on the cyberthreat landscape, and have gone into more detail about the archetypal groups behind them.

Persistent threat one: Ransomware groups

After reading the forecast reports for 2025, one thing is clear: ransomware will be the main course on our menu for at least one more year. But don’t worry, it won’t get boring, as we will still be presented with different flavors, since the rate of evolution of this threat does not show signs of slowing down.

It is precisely the adaptability of these groups that has allowed them not only to survive, but to thrive and become the threat they pose nowadays. We saw it first with the adoption of the double-extortion technique, which involves exfiltrating their victims’ data before encrypting it and threatening to publish it on dedicated data leak sites if the ransom demands are not met. This skyrocketed the profits they obtained from their compromises.

We saw it second with the “professionalization” of the groups, when they began creating Ransomware-as-a-Service projects, which welcomed tons of new, less sophisticated players into the game. And we saw it third with groups deliberately targeting organizations that would allow them to reach a volume of indirect victims that would have been hard to even imagine a few years ago (yes Cl0p, we are referring to your fetish for supply-chain attacks). These groups have been evolving for years, not only to increase the chances of successful extortion, but also to overcome the continuous law enforcement efforts being made to stop them.

Ransomware in 2025

So, what can we expect for 2025? We do not know whether these groups will adopt new revolutionary techniques like the ones we just mentioned. However, forecasts point to continuity in both the high volume of groups dedicated to this type of attack and the high diversity among them. Just as we were getting used to the groups carrying out these attacks having a certain degree of sophistication, a shift in recent months has shown us how new, less experienced actors, or even hacktivist groups, have been enthralled by the easy money promised by ransomware attacks. The participation of all these less skilled groups has also moved the targeting from Big-Game Hunting (BGH) to a focus on Small and Medium-Sized Enterprises (SMEs).

Furthermore, the enormous success of the double extortion technique has allowed ransomware groups to earn high revenues from data exfiltration alone, which seems to have relegated the encryption aspect of the attacks to the background. And for those still relying on ransomware deployment, we have seen a heavy dependence on strains built from the leaked source code of renowned variants like Babuk or LockBit 3.0.

The use of already developed ransomware variants is also related to these less sophisticated groups relying mainly on Living-off-the-Land Binaries (LOLBins) or open-source tools to perform their attacks. This allows them both to remain undetected for longer and to carry out their attacks without needing many resources.

The pinnacle example of this shift towards simplicity, towards using what is already on the table and doing the bare minimum, has been groups claiming to have successfully carried out an attack and threatening their supposed victim with releasing exfiltrated information. In these cases, however, they hadn’t carried out any attack at all, and were simply using information that the target was already accidentally leaking without knowing it.

One thing is for sure – we’re bound to get some surprises in 2025.

Figure: Generalist diamond model for ransomware groups

Persistent threat two: Financially motivated young cybercriminals (a.k.a ‘show-offs’)

What are Lapsus$, Scattered Spider, and UNC5537, and what do they have in common? Let us go into detail, as we expect the next name to be added to this list in 2025. Relying on the lack of adoption of basic cybersecurity measures, whether by the user or the company, these groups have starred in some of the most media-covered attacks in recent memory.

Lapsus$ began targeting Brazilian victims but shifted to prominent tech companies across the globe like Nvidia, Okta or Microsoft before dissolving into the hacktivist landscape. Scattered Spider ran a smishing campaign whose real objective was to compromise enterprise identity and access management tools like Okta and conduct what ended up being a very successful supply-chain attack; again, before getting involved in ransomware operations. Finally, UNC5537 authored the attacks against cloud provider Snowflake’s customer database instances. All of these attacks had something in common: faulty or entirely absent basic cybersecurity measures.

By basic cybersecurity measures, we refer, basically, to protecting credentials or implementing safeguards like two-factor authentication. As their attacks have shown, these groups rely on social engineering techniques to compromise the company’s infrastructure, launching phishing or smishing campaigns against employees and then moving laterally to more relevant targets. Moreover, they also rely on open-source or commercial tools for their activities and, if they end up developing tools, these are simple ones focused on reconnaissance or exfiltration tasks.

Who’s running these groups?

Thanks to the law enforcement operations carried out against these groups, we now know that the hackers behind them are mainly American, British, or Canadian citizens aged 16 to 25. Having met online, these individuals seem to share a common goal: seeking notoriety by carrying out big, relevant attacks and claiming authorship in underground forums. All that while pocketing significant sums of money.

Being very present in forums or in specialized Telegram channels, they tend to exaggerate the sophistication of their attacks or the real impact of their compromises, likely to gain some respect and admiration from others. Although they start as independent users, once their attacks have gathered enough attention, they seem to lose themselves in the cybercrime ecosystem, blending in like any other cybercriminal in collaborations with hacktivist groups or ransomware projects.

Lapsus$ came into the spotlight in December 2021 and its members were detained throughout 2022. Scattered Spider became known in August 2022 and kept operating until a series of arrests took place during the first half of 2024. UNC5537’s earliest evidence of activity has been traced back to April 2024, and most of its members have recently been identified and arrested. What we are trying to convey with this data is that these groups do not seem to stop operating until they are stopped. On the contrary, probably emboldened by the success of their previous campaigns, they dare to venture into other types of attacks, even collaborating with other cybercriminals.

As we have hinted throughout the previous paragraphs, cybercriminals tend to observe and replicate what has been a success for others. This could well have been the case for these groups and, we ask ourselves, could it also be the case for the protagonist of the biggest compromise of 2025? Who knows; we’ll see what these youngsters have prepared for us.

Figure: Generalist diamond model for young cybercriminal groups

Persistent threat three: Traffer groups

For detailed coverage of these groups, we invite you to check “The Rising Threat of Traffers”.

Even though notoriety seems like a big deal among cybercriminals, there are also those who simply see cybercrime as an easy source of income. Among these types of actors are the members of what are known as traffer groups: organized groups of cybercriminals specializing in credential theft using malware, most commonly stealers.

To spread their malware as far and wide as possible, they have formed an industry-like structure of product and service providers, as well as dedicated marketplaces, in the form of Telegram channels, to facilitate the sale of those credentials. The appearance of these groups is an example of the credential theft ecosystem adapting to the increased professionalization of cybercriminal activities.

Traffers in 2025

We have already mentioned that ransomware attacks will be the main course on our menu for 2025, meaning they will likely rank as the most frequent and most devastating type of attack. We have no doubt either that stolen credentials for valid accounts will be the main ingredient in that course, meaning these pieces of personal information will be found as the root cause not only of these ransomware attacks but of plenty of other kinds.

The increase in the use of these stolen credentials, together with the professionalization of cybercrime through “as-a-service” business models, has encouraged cybercriminals to specialize in compromising credentials solely with the intention of acting as intermediaries between the victim and the actors who will continue the compromise with subsequent attacks.

Among the varied methods for stealing credentials, relying on infostealer malware is still one of the most frequent and, accordingly, that is what traffer groups are mostly distributing. Although some malware families like RedLine or Raccoon Stealer remained for some time the preferred ones due to their capabilities, they have also drawn the attention of law enforcement agencies. To fill the void left by the disappearance of some of these bigger names, many new families have kept being developed and advertised in underground forums, providing the traffer community with plenty of options for continuing their very profitable operations in the future.

Figure: Generalist diamond model for traffer groups

How to stay secure in 2025

Unlike more traditional and stable espionage groups that tend to persist over time, we have seen that those populating the underground ecosystem possess certain characteristics and rely on methods that make them more volatile and unpredictable. Even though the threat they represent remains, actors and groups change often, be it because of a law enforcement operation, an exit scam, or internal disagreements that lead to the dissolution of the group.

That’s why identifying the specific threat actors that will be a threat in 2025 can seem like an impossible task. It’s likely that several of the threat actors and techniques that will make cybersecurity headlines are not yet known to us. However, we can be pretty sure that the three threats highlighted in this article will be continuous problems.

Interested to learn how our Threat Intelligence team could help your organization? Get in touch here.

About the Author

Lydia is a Threat Intelligence analyst on Outpost24's KrakenLabs team. She focuses on researching threat actors and on identifying both existing and emerging trends in the cyber threat ecosystem to perform contextualized analysis aimed at supporting the decision-making process.