Phishing is the Leading Cause of Ransomware Attacks in 2025, SpyCloud Identity Threat Report Finds

SpyCloud’s latest research reveals a 10-point rise year-over-year in phishing-driven ransomware attacks, amid growing AI-powered cybercrime and widespread infostealer infections

AUSTIN, Texas, Sept. 23, 2025 (GLOBE NEWSWIRE) -- SpyCloud, the leader in identity threat protection, today released its 2025 SpyCloud Identity Threat Report, unveiling new data on the surge of phishing-driven ransomware, the widening identity exposure gap, and the growing disconnect between perceived and actual cybersecurity readiness.

The market survey report – an evolution of SpyCloud’s annual Malware and Ransomware Defense Report, expanded to capture the broader tactics and identity-focused threats security teams now face – analyzes responses from 507 security leaders and practitioners across North America and the UK. It offers a comprehensive look at how attackers are exploiting identity exposures, where traditional defenses fall short, and what steps organizations can take to adapt.

Key findings from this year’s report include:

  • Phishing has overtaken all other vectors as the leading entry point for ransomware, cited by 35% of affected organizations – up sharply from 25% in 2024. This rise reflects the growing sophistication of phishing-as-a-service (PhaaS) and the use of adversary-in-the-middle (AitM) techniques to bypass multifactor authentication (MFA) and hijack active sessions.
  • Repeat ransomware attacks are the norm, not the exception. 85% of organizations were affected by ransomware at least once in the past year, with nearly one-third (31%) reporting 6-10 ransomware events in the last year.
  • Infostealer malware continues to evade traditional EDR and antivirus defenses, compromising nearly 50% of all corporate users and exposing credentials for downstream attacks.
  • Digital identity exposure is accelerating, with SpyCloud having recaptured a total of 63.8 billion distinct identity records – a 24% year-over-year increase.
  • Credential remediation after phishing is inconsistent, with just 41% of organizations routinely revoking or resetting compromised access.
  • Remediation remains largely manual and reactive, with fewer than 20% of organizations able to automate identity threat response across their systems.
  • AI-powered cybercrime is outpacing AI-powered defense, with 92% acknowledging increased risk from AI-powered threats, yet only 47% using AI in their own security operations.
  • Supply chain exposures continue to plague industries, with the IT, telecom, and software sectors topping the list as the most heavily targeted supply chain vectors – each facing 4-6x more identity threats than average based on SpyCloud’s Supply Chain Identity Threat Index – a new metric assessing third-party exposure risk across industries found in SpyCloud’s recaptured darknet identity exposure data.

“Phishing can no longer be seen as just a nuisance; it’s a primary launching point for ransomware and other identity-based attacks,” said Trevor Hilligoss, SpyCloud’s Head of Security Research. “Attackers are using phishing kits to steal session cookies, bypass MFA, and impersonate users with alarming accuracy. The growth of commoditized tactics like PhaaS has made these capabilities available to even low-skill threat actors, which is why we’re seeing such a sharp spike in ransomware incidents tied directly to phishing. Organizations need real-time insight into the identity data these actors are harvesting – and they need the ability to act on it.”

Additional findings from the 2025 SpyCloud Identity Threat Report include:

Phishing Eclipses Other Vectors as Primary Driver of Ransomware
Over 75% of organizations are ‘significantly’ to ‘extremely’ worried that phishing attacks will trigger more damaging cyber attacks – and that fear is warranted. Phishing became the leading entry point for ransomware delivery in 2025, jumping 10 points from last year, followed by exposed or weak APIs and by stolen cookies that enabled session hijacking.

These attacks increasingly leverage phishing-as-a-service (PhaaS) platforms such as Tycoon 2FA, FlowerStorm, and Darcula, which use AitM techniques to steal MFA tokens and session cookies. Darcula additionally applies AI-powered techniques that make its kits easier to generate and use, regardless of the skill level of the bad actor.

Infostealer Infections Continue to Fuel Identity Sprawl and Access Abuse
Infostealer malware remains one of the most pervasive enablers of identity-based threats – quietly extracting credentials, cookies, and sensitive data from infected devices while evading traditional defenses. SpyCloud has found that nearly 1 in 2 corporate users were victims of an infostealer infection on either a personal or corporate device at some point in their digital history, and 66% of malware infections occurred on devices that had antivirus or EDR tools installed. Yet despite the scale of the threat, only 50% of organizations have visibility into infostealer malware infections on managed devices, and even fewer (48%) can detect them across both managed and unmanaged endpoints.

SpyCloud monitors data recaptured from more than 80 malware families, providing deep visibility into the behavior and evolution of these threats. In 2025, LummaC2 remained the most dominant infostealer, peaking at 204,045 detections in a single day in February. Meanwhile, macOS-targeting malware such as Atomic Stealer surged in activity. While infection volume remains lower than that of Windows-based threats, this shift signals a leveling of the infostealer ecosystem, as infostealers become increasingly platform-agnostic and adaptable to diverse environments.

“We’re watching threat actors industrialize identity theft through commodity malware,” said Hilligoss. “What’s especially concerning is how quickly these tools evolve. Adversaries are refining distribution, evasion, and targeting faster than most defenders can respond. Without continuous visibility into the data siphoned from infected devices, organizations risk staying blind to the very exposures attackers are already exploiting.”

The Confidence Gap: Remediation Lags Despite Ransomware Prevalence
Despite growing awareness of ransomware and other infostealer-driven threats, many organizations still struggle to respond effectively. 86% of leaders express confidence in their ability to prevent ransomware, yet 85% were impacted by such incidents in the past year. Just 35% have workflows in place to remediate identity exposures, and only 33% have protocols in place for investigating identity-related incidents.

The executive-practitioner divide is stark: 45% of CISOs and CIOs report high confidence in ransomware defense, compared to just 28% of security team leads. This misalignment poses serious risks, especially as attackers increasingly automate, diversify, and industrialize identity-driven threats.

Closing the Gap with Identity-Centric Defense
The 2025 SpyCloud Identity Threat Report demonstrates that attackers are exploiting identity exposures faster than organizations can detect and respond. With phishing now the leading entry point for ransomware and 94% of Fortune 50 companies impacted by employee phishing exposures, attackers are using stolen credentials, session cookies, and personally identifiable information (PII) – exfiltrated through phishing, malware, and breaches – to bypass traditional security layers and launch ransomware, account takeover, and fraud.

To break this cycle, organizations must shift from reactive, account-focused defenses to holistic identity threat protection. This means operationalizing identity analytics to uncover exposures across individuals’ full digital footprint – past and present, personal and professional – and taking swift, automated action to close off access.

SpyCloud is the only provider recapturing successfully phished data and phishing targeting data at scale, offering rare visibility into identity exposures that traditional tools miss. By analyzing millions of phished records and dozens of phishing kits, SpyCloud delivers early insight into adversary tactics and the stolen data already circulating in the criminal underground. This gives security teams the context and confidence to act before those exposures are exploited.

“Today’s threats are not limited to external actors. They often come from within, whether through malicious intent or compromised insiders,” said Damon Fleury, Chief Product Officer at SpyCloud. “From phished employees to contractors using exposed credentials, insider threats are frequently enabled by identity exposures that security teams cannot see. This report makes it clear that organizations need to move beyond reactive, behavior-based defenses and adopt holistic identity protection strategies that close visibility gaps and neutralize risks before they can escalate.”

Click here to access the full report or contact SpyCloud to learn more.

About SpyCloud
SpyCloud transforms recaptured darknet data to disrupt cybercrime. Its automated identity threat protection solutions leverage advanced analytics and AI to proactively prevent ransomware and account takeover, detect insider threats, safeguard employee and consumer identities, and accelerate cybercrime investigations. SpyCloud’s data from breaches, malware-infected devices, and successful phishes also powers many popular dark web monitoring and identity theft protection offerings. Customers include seven of the Fortune 10, along with hundreds of global enterprises, mid-sized companies, and government agencies worldwide. Headquartered in Austin, TX, SpyCloud is home to more than 200 cybersecurity experts whose mission is to protect businesses and consumers from the stolen identity data criminals are using to target them now.

To learn more and see insights on your company’s exposed data, visit spycloud.com.


Contact:
Emily Brown
REQ on behalf of SpyCloud
spycloud@req.co