Huntress 2025 Cyber Threat Report

Ransomware gangs took an average of 18 actions before executing their final attack in 2024.

Over 75% of remote access incidents utilized Remote Access Trojans (RATs) such as AsyncRAT and Jupyter.

The average time-to-ransom (TTR) was just under 17 hours in 2024.

Akira and RansomHub typically deployed ransomware in around six hours.

71% of incidents involved data exfiltration before deploying ransomware in 2024.

Play, Dharma/Crysis and Akira executed some of the fastest attacks, often within six hours, in 2024.

Scripts made up 22% of detected attacks, using PowerShell, VBScript, and JavaScript to perform stealthy, efficient attacks

Nearly 24% of incidents involved infostealers designed to extract sensitive credentials, financial data, and other private information.

Nearly 30% of phishing attacks impersonated e-signature services in 2024, with Microsoft and DocuSign being the most copied brands.

In government, info-stealing malware was the top threat, making up 21% of breaches in 2024.

75% of remote access incidents involved RATs in 2024, with AsyncRAT, Jupyter and NetSupport RAT accounting for a third of all cases.

Healthcare and education accounted for 38% of all cyber incidents in 2024.

Manufacturing saw 17% of incidents linked to malware-based attacks in 2024.

Malicious scripts were used in 22% and 24% of attacks in healthcare and education respectively, and 19% of incidents in technology firms in 2024.