Report by ExtraHop

2025 Global Threat Landscape Report

88 findings · Published Oct 13, 2025

Key Findings

33.3% of government sector threats were attributed to DarkSide in 2024.

ExtraHop, 2025 Global Threat Landscape Report · Oct 13, 2025

39.92% of manufacturing and construction organizations reported limited visibility into their entire environment.

25.6% of government sector threats were attributed to RansomHub in 2024.

29.27% of ransomware incidents involved initial access as the detected phase.

10% of organizations in the government sector experienced ransomware incidents annually.

13.4% of IT and security decision-makers indicated third-party/supply chain compromise as a common entry point for attackers.

70% of organizations reported that they paid the ransom in 2023

The percentage of organizations that never paid a ransom increased from 9% last year to 30% this year

Unnamed Fortune 50 company reported a ransom payment of $75 million

42.22% of finance organizations reported limited visibility into their entire environment.

33.3% of government sector threats were attributed to LockBit in 2024.

4.83% of organizations reported average downtime of one week after a cyber incident.

23.26% of organizations reported average downtime of 11-24 hours after a cyber incident.

5.53% of ransomware incidents involved a ransom demand as the detected phase.

37.50% of agriculture organizations reported limited visibility into their entire environment.

23.08% of government organizations reported limited visibility into their entire environment.

55% of organizations reported experiencing 11 or more hours of downtime on average after a cyber incident.

In August 2024, the Rhysida ransomware group attacked the Port of Seattle, causing systems to be offline for more than three weeks.

2.33% of organizations reported average downtime of more than a week after a cyber incident.

On average, organizations take just over 2 weeks to respond to and contain a security alert from initial detection to resolution.

At least 165 Snowflake customers were affected by the 2024 Snowflake data breach, including major technology organizations like Pure Storage and AT&T

59.2% of security and IT decision-makers in the technology sector perceive the public cloud as a significant cybersecurity risk in 2024

59% of organizations in France expressed the highest level of concern regarding risks, while 36.8% in the UAE exhibited the lowest level of concern.

23.1% of government sector threats were attributed to Volt Typhoon in 2024.

The finance sector had an average ransom payment of $3.8 million

The government sector had an average ransom payment just below $7.5 million

The Ticketmaster/Live Nation breach exposed the personal and financial information of 560 million customers.

The ransomware attack against Change Healthcare involved the exfiltration of sensitive data belonging to an estimated 192.7 million individuals, making it the largest healthcare data breach on record.

The average downtime per cybersecurity incident was 37 hours

The average length of time to respond to and contain a security alert was 2 weeks

70% of organizations experienced ransomware incidents in the last year

Organizations estimated that ransomware actors had access to their systems for an average of 2 weeks

61.6% of security and IT decision-makers in the U.S. perceive the public cloud as the highest cybersecurity risk in 2024

53.8% of global security and IT decision-makers identified the public cloud as a significant cybersecurity risk to their organization in 2024

43.7% of organizations surveyed identified third-party services and integrations as a concern, tying with public cloud as the number one risk within the telecom industry.

Scattered Spider was detected in 22.0% of cybersecurity incidents over the last 12 months.

RansomHub was detected in 26.8% of cybersecurity incidents over the last 12 months.

28.2% of government sector threats were attributed to Midnight Blizzard/APT29/Nobelium/Cozy Bear in 2024.

LockBit registered a 37% detection rate in Germany, indicating a significantly elevated threat compared to other regions in 2024.

13.0% of IT and security decision-makers cited software misconfiguration as a common entry point for attackers.

33.7% of IT and security decision-makers identified phishing and social engineering as the most common infiltration methods in their attacks.

Almost 25% of respondents reported detections related to the Scattered Spider group over the last year.

12.2% of IT and security decision-makers noted that compromised credentials are increasingly becoming a primary gateway for attackers.

Organizations in the UAE paid ransoms that were 26% higher than the global average, with an average payment of $5.4 million

The average ransom payment in Australia was $2.5 million, the lowest among the countries surveyed

The healthcare sector had the highest average ransom payment at $7.5 million

The average ransom payment in 2023 was more than $3.6 million, an increase from last year's average of $2.5 million

Organizations in the UAE faced an average of 7 ransomware incidents, the highest number globally

Australia experienced an average of 4 ransomware incidents per year, the fewest globally

Organizations in the education sector reported an average dwell time of about 5 weeks prior to a ransomware incident.

30.6% of organizations recognized they were being targeted by ransomware during or after data exfiltration had already begun.

Organizations in the government sector reported an average dwell time of about 7 weeks prior to a ransomware incident.

13.11% of ransomware incidents involved encryption as the detected phase.

17.59% of ransomware incidents involved reconnaissance as the detected phase.

29.69% of retail organizations reported limited visibility into their entire environment.

52.63% of travel and leisure organizations reported limited visibility into their entire environment.

51.02% of education organizations reported limited visibility into their entire environment.

ExtraHop detects ransomware every 1.5 days across its customer base.

44.96% of technology organizations reported limited visibility into their entire environment.

37.50% of transportation organizations reported limited visibility into their entire environment.

30.66% of healthcare organizations reported limited visibility into their entire environment.

43.90% of telecom organizations reported limited visibility into their entire environment.

Critical industries globally, such as government and transportation, face an average response time of upwards of 3 weeks to security alerts.

In the United States, organizations experience an average response time of 2.8 weeks to security alerts.

2.61% of organizations were unsure or could not answer regarding their average downtime after a cyber incident.

20.82% of organizations reported average downtime of less than 5 hours after a cyber incident.

Organizations experienced an average downtime of 37 hours after a cyber incident.

Respondents in the transportation industry reported the highest average amount of downtime at 74 hours.

23.99% of organizations reported average downtime of 2 days after a cyber incident.

Nearly one third of organizations reported downtime extended for two days or more after a cyber incident.

6.94% of organizations reported average downtime of 4-6 days after a cyber incident.

14.66% of organizations reported average downtime of 3 days after a cyber incident.

The CDK Global attack resulted in over a billion dollars in estimated losses for the automotive industry.

The average ransomware payout was $3.6 million

41.9% of organizations surveyed perceived generative AI applications as a risk, ranking third compared to legacy systems at 23.5% and endpoint devices at 30.6%.

Midnight was detected in 23.3% of cybersecurity incidents over the last 12 months.

25.6% of government sector threats were attributed to Akira in 2024.

20.5% of government sector threats were attributed to Fin7 in 2024.

33.3% of government sector threats were attributed to Black Basta in 2024.

19.4% of IT and security decision-makers reported software vulnerabilities as the second-most common entry point for attackers.

20% of organizations in the healthcare sector experienced ransomware incidents annually.

7.2% of IT and security decision-makers reported insider threats as a means of infiltration.

The percentage of organizations experiencing 20 or more ransomware incidents annually increased from 0% to 3% year-over-year.

Organizations experienced an average of 5 to 6 ransomware incidents over the last 12 months, marking a 25% decrease from nearly 8 incidents in 2024.

CDK Global reported a ransom payment of $50 million

Organizations cited an average dwell time of nearly 2 weeks for threat actors prior to a ransomware incident.

22.00% of ransomware incidents involved lateral movement and privilege escalation as the detected phase.

12.00% of ransomware incidents involved data exfiltration as the detected phase.
