AI gives ransomware gangs a deadly upgrade

Ransomware continues to be the major threat to large and medium-sized businesses, with numerous ransomware gangs abusing AI for automation, according to Acronis.

Ransomware gangs maintain pressure on victims

From January to June 2025, the number of publicly reported ransomware victims jumped 70% compared to the same period in both 2023 and 2024. February stood out as the worst month, with 955 reported cases.

Cl0p alone was responsible for 335 of those cases, a 300% month-over-month surge driven by mass exploitation of two high-severity vulnerabilities in the Cleo MFT platforms (Harmony, VLTrader, Lexicom): CVE-2024-50623 (remote code execution) and CVE-2024-55956 (command injection).

The pace of attacks slowed in Q2 2025, with 1,522 victims compared to 2,120 in Q1. This drop was likely the result of law enforcement crackdowns, rebranding pauses by major groups, and stronger corporate defenses.

Manufacturing, retail and technology were the most targeted industries for ransomware attacks in Q1 2025. Retail, food and drink (12%) and telcos and media (10%) were also popular targets.

MSPs under attack

While the overall number of attacks targeting MSPs fell over the measured period, the nature of those attacks changed significantly: phishing accounted for 52% of all attacks targeting MSPs, compared to 30% in 2024, while Remote Desktop Protocol (RDP) attacks all but vanished.

Despite a small dip from 15% to 13%, credential abuse remains a steady threat, fueled by attackers harvesting valid tokens and passwords through infostealers.

In the first half of 2025, Akira, Play, Cl0p, RansomHub, Qilin, and RALord/Nova stood out as the most active ransomware groups going after MSPs and telecom providers.

Each group has its own approach to getting in. Cl0p, for example, keeps taking advantage of known vulnerabilities in third-party software, while Akira and RansomHub lean more on phishing and stealing credentials, often supported by infostealers.

Attacks on MSPs now occur on a regular basis and affect providers of all sizes in regions around the world.

Attackers are leveraging trust in collaboration tools

Attackers are exploiting the trust users place in real-time communication tools, using tactics like deepfake-based BEC to impersonate CEOs to bypass traditional defenses. The persistence of advanced attacks, though low in volume, indicates that zero-day exploits and AI-driven threats remain a critical concern.

Between January 1 and May 15, 2025, researchers scanned over 714 million emails and nearly 1.28 billion files and URLs. During that time, they detected a total of 7,201,107 attacks, which works out to about 205 attacks per organization each month. Looking closer at the emails, around 30% were flagged as spam, while 1.1% were outright malicious, carrying phishing links, malware, or advanced attack payloads.

Malware in collaboration apps took a big hit, dropping from 82% to 45%. At the same time, phishing jumped from 9% to 30.5%, and advanced attacks climbed from 9% to 24.5%. This shows that attackers are diversifying their tactics, with a growing focus on phishing and possibly AI-driven attacks within collaboration platforms.

Total email attacks fell by 6.5% (7.2 million versus 7.7 million), and attacks per organization per month dropped by 29.6% (205 versus 291).

The spam ratio rose slightly from 27.6% to 30.2%, indicating persistent high-volume, low-effort attacks. The malicious email ratio fell from 1.5% to 1.1%, suggesting attackers are shifting toward more targeted, high-impact attacks.

Phishing dropped from 79% to 69.8%, but social engineering and BEC increased from 20% to 25.6%, reflecting the use of AI to craft convincing impersonations.

AI-powered cyberthreats

The rise of AI-powered cyberthreats has fueled the growth of cybercrime-as-a-service (CaaS) models. On the dark web, AI tools and services are being made available to less technically skilled criminals, giving more people access to sophisticated attack capabilities. This trend is lowering the barrier to entry for cybercrime, allowing a wider range of actors to carry out attacks.

“While the endgame for cybercriminals is still ransomware, how they get there is changing,” said Gerald Beuchelt, CISO at Acronis. “Even the least sophisticated attackers today have access to advanced AI capabilities, generating social engineering attacks, and automating their activities with minimal effort. The result is MSPs, manufacturers, ISPs, and others are constantly exposed to sophisticated attacks including increasingly advanced deepfakes, and all it takes is one mistake to put the organization’s entire future at risk.”
