
Silent threats and stealthy thefts: the cyber evolution shaking global security

IBM’s X-Force Threat Intelligence Index 2025 reveals a worrying shift: ransomware declines, but identity theft and critical vulnerabilities rise


Table of contents

  • Cybercriminals shift tactics: less ransomware, more identity theft
  • Critical infrastructure under fire: slow patching and outdated tech
  • Automated credential theft fuels scalable phishing
  • Ransomware shifts to low-risk models
  • Emerging threats: AI, Linux, and new targets
  • Top targets: Asia, North America and manufacturing
  • IBM’s advice: move beyond passive prevention

Cybercriminals shift tactics: less ransomware, more identity theft

According to the IBM X-Force Threat Intelligence Index 2025, cybercriminals are pivoting away from destructive tactics like ransomware, opting instead for more discreet and profitable approaches.

In 2024, nearly one-third of observed incidents involved credential theft, signaling a focus on rapid data exfiltration and dark web monetization.

This shift is driven by a surge in infostealers, lightweight malware that extracts login data within seconds. Emails delivering these malicious tools increased by 84% in 2024, with a further 180% spike in early 2025.

Critical infrastructure under fire: slow patching and outdated tech

Organizations managing critical infrastructure accounted for 70% of all attacks IBM X-Force responded to in 2024. In over a quarter of cases, attacks stemmed from exploited known vulnerabilities.

The use of legacy systems and delayed patch cycles creates systemic weaknesses. Four of the top ten most discussed CVEs on the dark web were linked to sophisticated threat actors, including those with geopolitical motives.

This active exchange of exploit code is fueling a growing underground market targeting energy, healthcare, and industrial systems.

Automated credential theft fuels scalable phishing

Infostealers have become the backbone of identity-based attacks. With the help of artificial intelligence, threat actors can now deliver large-scale, targeted phishing campaigns, including kits capable of bypassing multi-factor authentication (MFA) via adversary-in-the-middle (AitM) techniques.

Every dark web listing can contain hundreds of credentials, creating a booming black market for unauthorized access. Fast data exfiltration makes these attacks stealthy, scalable, and profitable, leaving little forensic trace behind.

Ransomware shifts to low-risk models

Although ransomware accounted for 28% of malware cases, IBM X-Force observed a year-over-year decline in incidents. Law enforcement crackdowns have pushed cyber gangs toward lower-risk, more distributed operations.

Well-known groups like Wizard Spider and QakBot have either ceased operations or transitioned to short-lived malware variants, seeking alternatives to dismantled botnets.

Emerging threats: AI, Linux, and new targets

The report also highlights the growing risk of AI-related vulnerabilities. While no major attacks occurred in 2024, researchers are racing to secure AI pipelines, as threat actors begin targeting models, data, and infrastructure.

Another relevant trend concerns Linux, which is increasingly on the radar of ransomware groups: the Akira, Clop, LockBit and RansomHub families now come in both Windows and Linux versions, making these environments increasingly vulnerable.

Top targets: Asia, North America and manufacturing

Asia (34%) and North America (24%) were the most targeted regions in 2024, making up nearly 60% of global incidents. Meanwhile, the manufacturing sector remained the most attacked industry for the fourth consecutive year, due to its low tolerance for downtime, which makes it an attractive ransomware target.

IBM’s advice: move beyond passive prevention

“Cybercriminals often don’t need to break in, they walk in through identity gaps,” said Mark Hughes, IBM’s Global Managing Partner for Cyber Security Services. Businesses must go beyond prevention and focus on modernizing authentication, eliminating MFA weaknesses, and adopting real-time threat hunting to detect and contain threats before they escalate.
