X-Force Report Shows Spike in Credential Theft, Need for Dark Web Monitoring

By Staff

IBM has released its 2025 X-Force Threat Intelligence Index. Some highlights from the report include:

  • Manufacturing felt the brunt of ransomware attacks. For the fourth consecutive year, manufacturing was the most attacked industry. The sector faced the highest number of ransomware cases last year, and the return on investment for encryption holds strong there because of its extremely low tolerance for downtime.
  • International takedown efforts are pushing ransomware actors to restructure high-risk models towards more distributed, lower-risk operations. For example, IBM X-Force observed previously well-established malware families like QakBot either completely shutting down operations or turning to other malware.
  • Cybercriminals are continuing to pivot to stealthier tactics, with lower-profile credential theft spiking. Nearly one in three incidents observed in 2024 resulted in credential theft.
  • There was an 84 percent increase in emails delivering infostealers in 2024 compared to the prior year.
  • In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top 10 have been linked to sophisticated threat actor groups, including nation-state adversaries. Exploit codes for these CVEs were openly traded on numerous forums — fueling a growing market for attacks against power grids and industrial systems.
  • This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.
  • More cybercriminals opted to steal data (18 percent) than encrypt it (11 percent) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths.

“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM.

Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations, as cybercriminals exploited vulnerabilities in more than 25 percent of incidents that IBM X-Force responded to last year. Additionally:

  • IBM X-Force observed an uptick in phishing emails delivering infostealers, and early data for 2025 reveals an increase of 180 percent compared to 2023. This upward trend may be attributed to attackers leveraging AI to create phishing emails at scale.
  • Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable. In 2024, the top five infostealers alone had more than eight million advertisements on the dark web, and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent multi-factor authentication (MFA).
  • Critical infrastructure organizations (which include healthcare and educational facilities as well as utilities and manufacturing) accounted for 70 percent of all attacks that IBM X-Force responded to last year, with more than one quarter of these attacks caused by vulnerability exploitation.

A copy of the report can be downloaded here.
