Managed extended detection and response (MXDR) provider Ontinue has released its 1H 2025 Threat Intelligence Report, highlighting the growing sophistication of ransomware, phishing, and state-aligned threat activity in the first half of the year.
Ransomware remains a top threat in first half of 2025
The report outlined critical cybersecurity developments in the first half of 2025, with Ontinue finding that ransomware remains a prime disruptor among enterprises. Phishing-as-a-Service (PhaaS) campaigns, identity-based attacks, and persistence in Azure environments were also identified as significant emerging threats.
Key findings from the report include:
- Ransomware remained active: More than 4,000 ransomware breaches were claimed globally in H1 2025, led by CL0P, AKIRA, and QILIN, despite a 35% YoY drop in reported ransom payments.
- Phishing-as-a-Service (PhaaS) matured: Tycoon 2FA PhaaS platform was found to be responsible for approximately 65% of all PhaaS-based credential attacks.
- Cloud persistence tactics surged: Nearly 40% of Azure intrusions investigated by Ontinue involved adversaries layering multiple persistence methods.
- Non-traditional phishing payloads dominated: Over 70% of attachments bypassing secure email gateways were in formats such as SVG or IMG, rather than traditional documents.
- Token replay abuse continued: Roughly 20% of live incidents involved adversaries reusing stolen refresh tokens to bypass MFA, even after password resets.
- USB malware resurfaced: A 27% increase in USB-borne malware was observed compared to late 2024, reinforcing the ongoing risk posed by removable media.
- Third-party risk doubled year-over-year: Nearly 30% of incidents were linked to vendor compromise, including supply chain attacks targeting retailers and manufacturers.
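The token replay finding above rests on a property of refresh tokens that defenders often overlook: a password reset does not by itself invalidate tokens that were issued before it, so a stolen token keeps satisfying MFA until the session is explicitly revoked. The following Python is an added example (not code from the Ontinue report) of a detection heuristic for that gap. It assumes a hypothetical JSON-lines sign-in feed with constructed field names (`user`, `session_id`, `token_issued`, `time`, `ip`, `mfa_satisfied_by`) and a constructed table of password-reset times; it flags any sign-in whose refresh token predates the user's reset but is used after it, and lists the sessions to revoke.

```python
import json
from datetime import datetime, timezone

# Constructed sample sign-in events in a JSON-lines shape. The field names are
# hypothetical and do not correspond to any vendor's log schema.
SAMPLE_EVENTS = """\
{"user": "alice@example.com", "session_id": "sess-A1", "token_issued": "2025-03-01T08:00:00Z", "time": "2025-03-05T10:12:00Z", "ip": "203.0.113.10", "mfa_satisfied_by": "refresh_token"}
{"user": "alice@example.com", "session_id": "sess-A1", "token_issued": "2025-03-01T08:00:00Z", "time": "2025-03-11T02:40:00Z", "ip": "198.51.100.7", "mfa_satisfied_by": "refresh_token"}
{"user": "alice@example.com", "session_id": "sess-A2", "token_issued": "2025-03-10T09:30:00Z", "time": "2025-03-11T08:05:00Z", "ip": "203.0.113.10", "mfa_satisfied_by": "refresh_token"}
{"user": "bob@example.com", "session_id": "sess-B1", "token_issued": "2025-02-20T12:00:00Z", "time": "2025-03-12T12:00:00Z", "ip": "203.0.113.22", "mfa_satisfied_by": "refresh_token"}
"""

# Constructed: the time each user's password was last reset (hypothetical data).
PASSWORD_RESETS = {
    "alice@example.com": "2025-03-10T09:00:00Z",
}


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(text: str) -> list:
    """Load one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_replayed_sessions(events: list, resets: dict) -> list:
    """Return sign-ins that used a refresh token issued before the user's
    password reset at a time after that reset.

    A legitimate client re-authenticates after a reset and receives a new token,
    so an old token still satisfying MFA after the reset is the replay signal
    described in the report: the reset changed the password but not the session.
    """
    reset_times = {user: parse_ts(ts) for user, ts in resets.items()}
    findings = []
    for ev in events:
        reset_at = reset_times.get(ev["user"])
        if reset_at is None:
            continue  # no reset on record for this user; nothing to compare against
        issued = parse_ts(ev["token_issued"])
        seen = parse_ts(ev["time"])
        if ev.get("mfa_satisfied_by") == "refresh_token" and issued < reset_at <= seen:
            findings.append({
                "user": ev["user"],
                "session_id": ev["session_id"],
                "ip": ev["ip"],
                "seen": ev["time"],
                "token_age_before_reset_hours": (reset_at - issued).total_seconds() / 3600,
            })
    return findings


def sessions_to_revoke(findings: list) -> set:
    """Collapse findings to the set of session identifiers an analyst should revoke."""
    return {f["session_id"] for f in findings}


if __name__ == "__main__":
    hits = find_replayed_sessions(parse_events(SAMPLE_EVENTS), PASSWORD_RESETS)
    for hit in hits:
        print(f"replayed token: user={hit['user']} session={hit['session_id']} "
              f"ip={hit['ip']} seen={hit['seen']}")
    print("revoke:", sorted(sessions_to_revoke(hits)))
```

In the constructed data only the second `sess-A1` event fires: its token was issued on 1 March, the reset happened on 10 March, and the token was still accepted on 11 March from a different address. `sess-A2` was issued after the reset and is the expected re-authentication. The practical remediation this points at is to revoke sessions (not just rotate the password) as part of any credential-compromise response.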
The report also highlighted geopolitical attacks as a rising trend, citing Void Blizzard’s pro-Russian espionage campaigns, Scattered Spider’s social engineering and cloud exploitation attacks, and the Lazarus Group’s $1.5 billion Bybit crypto heist for North Korea as notable incidents.
Craig Jones, chief security officer at Ontinue, emphasized the need to keep pace with threat adversaries, particularly as they evolve their methodologies at breakneck speed.
“Cybercriminals are operating with the speed and adaptability of modern businesses. They pivot, rebrand, and retool in weeks, not months,” Jones said.
“In the first half of 2025, we’ve seen ransomware operators overcome takedowns, PhaaS services scale globally, and state-aligned actors target the private sector with increasing precision. Organizations can’t afford to approach security as a static project; it’s a continuous, intelligence-led process,” Jones added.
Recommended defensive measures
In addition to identifying top threat trends, the report outlined practical defensive measures to help organizations address these challenges head-on.
Specifically, Ontinue recommended implementing phishing-resistant MFA, hardening endpoint configurations, and strengthening vendor risk management to bolster organizations’ security postures. The report also reiterated the importance of foundational security controls such as user training and restricting USB usage.
Ontinue further emphasized that simulated testing alone is no longer sufficient in today’s threat environment. The cybersecurity provider noted that red team exercises and preparation for real-world adversary behavior are crucial, particularly as bad actors continue to refine persistence and evasion tactics in their attacks.
“The attackers we track are blending technical skill with human-focused tactics, leveraging trusted vendors, manipulating identities, and exploiting small configuration gaps that snowball into major incidents,” said Balazs Greksza, director of threat response at Ontinue.
“The organizations that fare best are those that build resilience into every layer of their environment, from identity controls to incident response,” Greksza continued.