Report Reveals Four Critical Shifts in Threat Actor Attack Behaviour
Incident Response Team Shares Frontline Insights in Sygnia’s 2025 Field Report
Today’s threat actors are evolving their tactics: extending the time they spend collecting valuable data to use in public-exposure extortion, weaponizing trusted supply chain relationships for persistent access, and honing their identity-based attacks to move laterally across the business. The exclusive 2025 Threat Report unpacks real-world cases, identified by Sygnia’s elite incident responders, where these evolved techniques were used, and explains how organizations can build stronger cyber resilience to safeguard their businesses against each one.
Oren Biderman, Incident Response and Digital Forensic Team Leader at Sygnia, said: “Now more than ever, businesses must become cyber ready: creating robust cyber resilience strategies and putting teams in place that can circumvent the stealthy and ever-evolving tactics of today’s threat actors. Our goal is not only to defend our customers, but to give them the intel and tools they need to be better prepared against ransomware and other threat actors sharpening their attack behaviour.”
Sygnia’s 2025 Threat Report offers first-hand, actionable insights into the ruthless nature of threat actors and, more importantly, guidance for organizations to follow so that they can make confident security choices in the event of a breach and are equipped to protect their data.
Key Highlights of the 2025 Threat Report
- Virtualised Infrastructure has Become a Prime Attack Point: Beyond traditional encryption-based attacks, Sygnia’s team observed how ransomware threat actors like Abyss Locker are targeting under-protected systems such as virtualization infrastructure (VMware ESXi) and Network Attached Storage (NAS) appliances as persistence points to remain stealthy and exfiltrate massive amounts of data for maximum impact, while crippling entire infrastructures with minimal effort.
- Shift to Data Theft Extortion vs. Encryption: Loss of access is no longer the end game. Ransomware threat actors are increasing the impact of their thefts to ensure payment by leveraging the threat of ‘public exposure’ for extortion. While it may take only a few hours to infiltrate and compromise networks to execute their plays, threat actors are on average extending the ‘dwell time’ (the time from initial infiltration to impact, also known as breach exposure time) for another one to two weeks in order to resourcefully collect high-value data, knowing that the reputational damage from a public data leak outweighs the impact of encryption alone.
- Third-Party Privileges Enable Attackers to Extend their Stay: As was notable throughout 2024, APT threat actors are continuing to move laterally and extensively across businesses by infiltrating their weak point: the vendor’s supply chain of contractors and service providers. With limited visibility into the security practices and real-time activity of third-party vendors, threat actors are exploiting the gaps to remain undetected for longer periods of time. By targeting the legitimate third-party vendor permissions of their chosen target, threat actors are increasing the potential for severe disruption by continually bypassing traditional security controls.
- Surge in Identity-based Attacks: MFA, SSO and the Cloud Become Problematic: Not all multi-factor authentication (MFA) implementations are created equal, and not all provide enough security. Simpler methods of authentication, like SMS-based or email-based codes, are increasingly being bypassed by attackers to circumvent standard MFA defences. In the race to digitally transform, businesses opting to migrate to cloud infrastructures are unknowingly paving the way for threat actors to move laterally across cloud ecosystems through forgotten, misconfigured Identity and Access Management (IAM) policies and Single Sign-Ons.
For additional information, you can download the full 2025 Threat Report here.