
Key findings from the 2025 report include the following:
- 70% of all attacks IBM X-Force responded to last year were against critical infrastructure organizations, with more than a quarter of these attacks resulting from the exploitation of a vulnerability.
- More cybercriminals opted for data theft (18%) than encryption (11%), as advanced detection technologies and increased law enforcement efforts force cybercriminals to take faster escape routes.
- Almost one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple ways to quickly access, exfiltrate and monetize credentials.
“Cybercriminals usually break in without destroying anything – they exploit identity gaps that occur in complex hybrid cloud environments that provide attackers with multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. “Organizations need to move away from their ad hoc prevention mentality and focus on proactive measures, such as modernizing authentication management, closing gaps in multi-factor authentication and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”
Patching challenges expose critical infrastructure sectors to sophisticated threats
Reliance on outdated technology and slow patch cycles are proving to be persistent challenges for critical infrastructure organizations, with cybercriminals exploiting vulnerabilities in more than a quarter of the incidents IBM X-Force responded to in this sector last year.
In reviewing the common vulnerabilities and exposures (CVEs) most frequently cited on dark web forums, IBM X-Force found that four of the ten most-cited CVEs are associated with sophisticated threat actor groups, including nation-state attackers, increasing the risk of disruption, espionage and financial extortion. Exploit code for these CVEs has been traded openly in numerous forums, creating a growing market for attacks on power grids, healthcare networks and industrial systems. This information sharing between financially motivated and nation-state attackers highlights the growing need for dark web monitoring to inform patch prioritization and to detect threats before the vulnerabilities are exploited.
Automated credential theft triggers chain reaction
In 2024, IBM X-Force observed an increase in phishing emails delivering infostealers, and initial data for 2025 shows an even greater increase of 180% compared to 2023. This upward trend, which is fueling the takeover of more accounts, may be due to attackers using AI to scale distribution.
Credential phishing and infostealers have made identity attacks cost-effective, scalable and highly profitable for threat actors. Infostealers enable the rapid exfiltration of data, reducing the attacker's time on target and leaving little forensic trace. In 2024, the top five infostealers alone had more than eight million listings on the dark web, and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to bypass multi-factor authentication (MFA). The rampant availability of compromised credentials and MFA bypass methods indicates a high demand for unauthorized access, with no slowdown in sight.
Ransomware operators shift to lower-risk models
While ransomware accounted for the largest share of malware cases in 2024 at 28%, IBM X-Force observed a year-over-year decline in ransomware incidents overall, with identity attacks filling the gap.
International efforts to eliminate these threats are forcing ransomware actors to reorganize their high-risk models into more distributed and lower-risk operations. For example, IBM X-Force observed that previously well-established groups and their malware families, such as ITG23 (also known as Wizard Spider, the Trickbot group) and ITG26 (QakBot, Pikabot), either ceased operations entirely or switched to other malware, including new and short-lived families, as cybercriminal groups attempt to find replacements for the botnets that were taken down last year.
Other findings from the 2025 report include:
- Evolving AI threats. Even though there were no large-scale attacks on AI technologies in 2024, security researchers are working to identify and fix vulnerabilities before cybercriminals exploit them. Problems such as the remote code execution vulnerability discovered by IBM X-Force in a framework for creating AI agents will become more common. With the expected increase in AI adoption in 2025, the incentive for attackers to develop dedicated attack toolkits for AI will also increase. It is therefore essential for companies to secure the AI pipeline from the outset.
- Asia and North America are the most attacked regions. Asia (34%) and North America (24%) accounted for almost 60% of all attacks that IBM X-Force responded to globally in 2024, making them the most targeted regions.
- The manufacturing industry was the hardest hit by ransomware attacks. For the fourth year in a row, it was the most attacked industry. It recorded the highest number of ransomware cases last year, and because the sector has an extremely low tolerance for downtime, encryption-based extortion remains profitable for attackers there.
- Linux threats. Working with Red Hat Insights, IBM X-Force found that more than half of Red Hat Enterprise Linux customers’ environments had at least one critical CVE unpatched and 18% had five or more. At the same time, IBM X-Force found that the most active ransomware families (e.g. Akira, Clop, LockBit and RansomHub) now offer both Windows and Linux versions of their ransomware.
Additional Resources
- Download a copy of the IBM X-Force Threat Intelligence Index 2025.
- Register for the IBM X-Force Threat Intelligence Webinar 2025 on Tuesday, April 22 at 11:00 a.m. ET.
- Contact the IBM X-Force team for a personalized report of the findings.
About IBM
IBM is a leading provider of global hybrid cloud and AI solutions, as well as expert consulting. We help clients in more than 175 countries harness insights from their data, optimize business processes, reduce costs and gain a competitive advantage in their industries. Thousands of public and private organizations in critical infrastructure sectors such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to deliver their digital transformations quickly, efficiently and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and consulting provide our clients with open and flexible options.
– – – – – –
Further links
👉 www.ibm.com