ReliaQuest

44% of true-positive security alerts from cloud security tools in Q3 2025 were driven by identity-related weaknesses.

52% of all confirmed identity-based alerts were due to identity-related privilege escalation.

99% of cloud identities were found to be over-privileged, creating significant security risks.

33% of raw CSPM alerts were identity-related, contributing to the operational burden on security teams.

As of October 2025, there are over 14,700 Jenkins servers exposed to the internet that remain vulnerable to CVE-2024-23897.

71% of critical vulnerability alerts in Q3 2025 originated from just four legacy CVEs.

The US remained the most targeted country by ransomware, accounting for 67% of the total organizations named on ransomware data-leak sites in Q2.

Spain and other Spanish-speaking countries each accounted for less than 4% of Qilin's total victim volume in Q2.

DragonForce emergence: December 2023.

DragonForce activity was up 119% between Q1 and Q2 2025.

Lynx experienced a 41% drop in activity between Q1 and Q2 2025.

80% of the organizations named by Qilin in Q2 were based in the US.

Qilin showed an 80% increase in activity in Q2 compared to Q1 2025.

Akira has already listed 15% more victims in the first half of 2025 than it did throughout the entirety of 2024.

Germany rose to second most targeted country by ransomware in Q2 2025, climbing two spots from fourth in Q1 2025.

Q2 2025 saw a 31% decrease in named ransomware victims compared to the previous quarter, marking a return to more typical levels.

In Q1 2025, Clop named 389 victims on its data-leak site in February alone.

SafePay's activity increased by 42% in Q2 2025 compared to Q1 2025.

Akira listed approximately 130 organizations to its data-leak site each quarter in 2025.

LockBit named just 24 organizations on its data-leak site in Q2 2025. This figure represents only 11% of its Q2 2024 victim count.

Retail trade accounted for only 4% of total ransomware victims in Q2 2025.

Construction was the third most targeted sector by ransomware in Q2 2025.

Akira showed a 348% rise in the number of organizations named in Q2 2025 compared to the same period last year.

Qilin emerged as the top ransomware threat in Q2 2025.

80% of ransomware attacks in the last year focused on data exfiltration only.

After initial access, "breakout time" typically takes just 48 minutes, with some groups achieving lateral movement in as little as 27 minutes.

Exfiltration-only ransomware attacks are 34% faster than those involving encryption.

A quarter of active intrusions started with exploitation of public-facing applications.

Compromised service accounts were present in 85% of breaches last year.

Two-thirds of critical hands-on-keyboard incidents involved legitimate software like remote access tools last year.

"Akira" more than doubled its Q3 count and listed 71 organisations on data-leak sites in December alone.

The fastest recorded lateral movement occurred in just 27 minutes.

Roughly 20% of the domains registered by Scattered Spider imitated Gateway and Network Infrastructure.

Only a small fraction (0.02%) of alerts led to lateral movement, meaning attacks are getting faster.

LockBit's victim count decreased from 176 in May 2024 to only five in December.

Initial access listings on cybercriminal platforms surged by 142% in the same period.

66% of customer ransomware incidents in 2024 involved initial access likely purchased from an IAB.

Approximately 15% of domains registered by Scattered Spider imitated VPN and Secure Access.

The average breakout time in 2024 was 48 minutes, which is 22% faster than in 2023.

Newcomers in Q4 like “SafePay” and “FunkSec” quickly ramped up their activity, claiming 45 and 82 victims, respectively.

Ransomware attacks reached an all-time high in December 2024.

In Q4 2024, there was the highest jump of the year with 13 new ransomware groups emerging.

There was a >50% increase in infostealer logs posted on the dark web in 2024 compared to 2023.

17% of incidents involved voice phishing for initial access, indicating help-desk scams.

The number of active ransomware groups increased from 60 in 2022 to almost 100 last year.

Attack speed increased by 22% in 2024 compared to 2023.

The median ransom payment rose from $199,000 in 2023 to $1,500,000 in 2024.

Nearly half of the 1,110 initial access listings collected in Q4 2024 were related to US-based companies.

"BlackLock" activity rose 1,425% from Q3 to Q4 2024.

The mean time to contain (MTTC) attacks using manual incident containment strategies is 8 hours and 12 minutes.