Ransomware Under Pressure: Tactics, Techniques, and Procedures in a Shifting Threat Landscape

This report summarizes the 2025 ransomware landscape observed by Mandiant/GTIG, highlighting that exploitation of VPNs and firewalls was a common initial access vector, 77% of analyzed intrusions involved suspected data theft, targeting of virtualization infrastructure rose to ~43% of incidents, and REDBIKE and emergent RaaS brands (Qilin, Akira) were prominent; it also notes declining profitability for ransomware operators and recommends protection and containment strategies.