Ransomware incidents increase by 132%, vishing by 1,633%

New research from Ontinue reveals evolutions in threat actor techniques, with emphasis on ransomware and vishing. By analyzing data from H2 of 2024 and Q1 of 2025, the research also found that malicious actors are becoming more aggressive in their attacks.
Ransomware trends
The report found that ransomware attacks increased by 132%. Nathaniel Jones, Vice President of Threat Research at Darktrace, comments, “Ransomware groups are evolving their tactics beyond phishing to include interactions with IT teams to elicit information to improve access, SaaS-based attacks, and even studying file-transfer technology for rapid exploitation and double extortion methods. For IT administrators and practitioners, it is crucial to prioritize your vulnerability management program and establish possible attack paths across your estate to prevent unauthorized access. This includes applying best practices across the business and wider IT teams.”
Additionally, the report emphasizes that malicious actors are leveraging double extortion, operational disruption and data destruction.
Jones remarks, “We have also seen ransomware tactics move away from traditional encryption-centric ransomware tactics towards more sophisticated and advanced extortion methods. Rather than relying solely on encrypting a target’s data for ransom, threat actors will increasingly employ double or even triple extortion strategies, encrypting sensitive data but also threatening to leak or sell stolen data unless their ransom demands are met. These trends make it clear that attackers now have a more widely accessible toolbox that reduces their barriers, leaving more organizations vulnerable to attack.”
Another trend the research notes is a decrease in ransom payments. Ransom payments fell by 35%, indicating that malicious actors are no longer solely focusing on payouts.
Ms. Ngoc Bui, Cybersecurity Expert at Menlo Security, says, “While paying for ransoms might incentivize threat actors, the reality is not paying could be more damaging, especially for organizations involved in critical infrastructure. The disruption from ransomware can be catastrophic, and organizations must prioritize protecting operations and stakeholders. Organizations that suffer a ransomware attack should also use it as a learning opportunity to adjust their security measures and ensure they are using actionable intelligence to do so.”
Casey Ellis, Founder at Bugcrowd, shares more insights on this trend.
“The drop in ransom payments is a fascinating trend, but not entirely surprising when you dig into the dynamics at play,” Ellis states. “The combination of increased law enforcement pressure, better international collaboration, and organizations refusing to pay is clearly making a dent. It's a testament to the fact that the 'pay or don’t pay’ debate is evolving into a broader conversation about resilience and deterrence.
“Will this trend continue? It's possible, but I wouldn’t bet on it. The ransom business-model is an arms race, and threat actors are nothing if not adaptable. When one revenue stream dries up, they pivot. We’ve already seen a shift toward exfiltration-based extortion — stealing data and threatening to leak it if the ransom isn’t paid. This tactic sidesteps some of the technical challenges of encrypting data and plays on the victim’s fear of reputational damage.
“The decrease in payments might also push attackers to diversify their methods further. For example, we could see more focus on supply chain attacks or targeting critical infrastructure, where the stakes — and the potential payouts — are higher. It’s like squeezing a balloon: pressure in one area just makes it bulge somewhere else.
“Ultimately, this trend underscores the need for a multi-pronged approach to ransomware. It’s not just about making it harder for attackers to succeed, it’s about making the entire ecosystem less profitable for them. That means better defenses, smarter incident response, and continued collaboration between governments, law enforcement, and the private sector. The fight’s far from over, but this is a step in the right direction.”
Vishing trends
In addition to ransomware, adversary-in-the-middle (AiTM) phishing attacks emerged as a notable threat. Voice phishing (vishing) in particular has gained traction with the evolution of AI-driven deepfake voice cloning.
J Stephen Kowski, Field CTO at SlashNext Email Security+, offers advice for protecting against these attacks, saying, “To protect against vishing attacks, individuals should never share personal information during unexpected calls, even if the caller seems legitimate. Always verify the caller’s identity by hanging up and calling back through official numbers found on websites or statements. Use call blocking tools provided by your phone carrier to filter potential scam calls and consider letting unknown numbers go to voicemail. Remember that legitimate organizations won’t pressure you for immediate responses, so take your time to think critically about any urgent requests for information.”
Proper security measures against vishing attacks may become essential to protecting sensitive information and preventing fraudulent transactions: in Q1 of 2025 alone, there was a 1,633% increase in vishing-related events.
Boris Cipot, Senior Security Engineer at Black Duck, comments, “Vishing is a dangerous attack, especially if an organization is not prepared to counter it. It’s less about having technical gizmos and gadgets to help combat the attack, and more about preparing employees how to act when encountering a voice phishing attack.
“Firstly, it’s essential for employees to be skeptical. This is not something new and can also be said when it comes to typical phishing attacks. If something seems off, it’s best to trust your instincts and not move forward. Passing on information should only be done in official ways that comply with the processes in place within an organization.
“It’s important for organizations to ensure their employees cannot be pressured into a corner. Organizations must have clear instructions on how information can be passed on and what information can and cannot be given over phone or in other forms of communication. Once this is established and understood within an organization, attackers are much less likely to pressure their target into giving them sensitive information based on a sense of urgency or the threat of being penalized.
“Finally, always report suspicious activity. This applies to all sorts of malicious activity. Be it via an email, an app, or a phone call, you have to report it. Reporting suspicious activities to the appropriate teams within an organization allows them to warn others that such attacks are targeting employees. Organizations must have someone appointed to respond and act on these reports in order to further protect their privacy.”