Ransomware Gangs Increasingly Prioritize Speed and Volume in Attacks
Advanced evasion techniques became the new normal among ransomware groups in 2024, as groups like Lynx, Akira and RansomHub grew more agile. Rather than focusing on high-profile targets, they pursued a quantity-over-quality approach, striking more businesses at a faster rate.
According to the 2025 Cyber Threat Report, published today by Huntress, this shift is further reflected in their speed. While the firm determined the average time-to-ransom (TTR) was just under 17 hours, Akira and RansomHub operated much faster, typically deploying ransomware in around six hours.
Phishing and RAT Malware Expand Reach
Beyond ransomware, phishing surged in 2024 as attackers refined their deception tactics.
Phishing campaigns increasingly relied on sophisticated lures such as voicemail scams, QR code attacks and image-based phishing, allowing hackers to bypass traditional security filters. Nearly 30% of phishing attacks impersonated e-signature services, with Microsoft and DocuSign being the most copied brands.
RAT malware also became a go-to tool for cybercriminals last year. Huntress found that 75% of remote access incidents involved RATs, with AsyncRAT, Jupyter and NetSupport RAT accounting for a third of all cases. These tools enabled attackers to gain long-term control over compromised systems, using them as stepping stones for more extensive cyber campaigns.
Hands-On Attacks Target Key Industries
Hackers were also observed increasingly moving away from automation, favoring hands-on-keyboard (HOK) attacks that allow them to adapt in real time. These attacks peaked during US business hours and were most common in industries with critical data and weaker security protections.
Industries hit hardest in 2024:
- Healthcare and education, which together accounted for 38% of all cyber incidents
- Government, where info-stealing malware was the top threat, making up 21% of breaches
- Manufacturing, which saw 17% of incidents linked to malware-based attacks
Additionally, malicious scripts remained the top cyber-threat across multiple sectors. Healthcare and education saw their use in 22% and 24% of attacks respectively, while technology firms faced them in 19% of incidents.
Ransomware’s New Playbook: Speed and Scale
Ransomware groups refined their tactics to maximize impact with minimal resistance. Rather than relying solely on data encryption, they increasingly used extortion – stealing data first, then threatening exposure if victims refused to pay.
The report highlighted several key trends shaping ransomware attacks:
- 71% of incidents involved data exfiltration before deploying ransomware
- Ransomware gangs took an average of 18 actions before executing their final attack
- Play, Dharma/Crysis and Akira executed some of the fastest attacks, often within six hours
Strengthening Defenses Against Evolving Threats
As ransomware evolves into a high-speed, high-volume business model, organizations must bolster their defenses against agile cybercriminals by implementing several key strategies.
These include taking regular data backups and storing them securely, providing comprehensive employee training on recognizing phishing attempts and investing in advanced threat detection tools.
Additionally, network segmentation can limit the spread of attacks, while a robust patch management policy ensures vulnerabilities are addressed promptly. Multi-factor authentication (MFA) adds an extra layer of security, and a well-defined incident response plan is essential for minimizing damage during an attack.
Finally, participating in threat intelligence-sharing initiatives can enable organizations to gain valuable insights into emerging threats.