
Recent analysis from the Picus Security Blue Report 2025 indicates a significant decline in the effectiveness of security controls against ransomware attacks. The report, which measures how deployed controls respond to simulated attack techniques, found that the overall prevention rate dropped from 69% in 2024 to 62% in 2025 [1]. The most critical failure is in data exfiltration prevention, which collapsed to just 3%, down from 9% the previous year: even where the encryption phase is blocked, the data is almost certainly still stolen. The report also highlights a dangerous visibility gap: 54% of simulated attacks were logged, but only 14% generated an alert, so for most intrusions the telemetry exists and no rule ever turns it into a signal. This data suggests that assumptions about the efficacy of a security stack cannot be taken on trust and require continuous validation.
Erosion of Defensive Capabilities
The Picus Blue Report 2025 provides a sobering statistical overview of the current ransomware landscape. The drop in prevention effectiveness to 62% means that more than one in three simulated attacks bypassed security measures. The near-total failure of data exfiltration prevention at 3% is particularly alarming, because it directly enables the double extortion tactics that are now standard for most ransomware groups. The report also notes that the distinction between "known" and "emerging" ransomware strains is blurring, with both categories proving equally effective. Established groups like BlackByte, with a prevention rate of just 26%, remain highly potent, while new entrants like FAUST and Valak immediately achieve a 44% success rate in bypassing defenses [1]. Security products are struggling to keep pace with old and new threats alike.
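The three numbers the report leads with (prevented, logged, alerted) come from the same per-technique result table, and the useful output for a defender is not the percentages but the lists behind them: which techniques were logged without alerting, and which ran without leaving any record. The following is an added example, not Picus code; the result records are constructed, and the ATT&CK IDs, tactic labels and field names are assumptions made for the example.

```python
"""Scoring breach-and-attack-simulation (BAS) output the way the Blue Report
does, then listing the techniques that fall into the "logged but never
alerted" gap. Added example; the result records are constructed, not Picus data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SimResult:
    technique: str   # ATT&CK technique ID of the simulated action
    tactic: str      # tactic the technique belongs to
    prevented: bool  # a control blocked the action
    logged: bool     # the action left a record in EDR/SIEM telemetry
    alerted: bool    # a detection rule fired on that record


# Constructed sample outcomes for one simulation run
SAMPLE_RESULTS = [
    SimResult("T1486", "impact", prevented=True, logged=True, alerted=True),
    SimResult("T1490", "impact", prevented=True, logged=True, alerted=False),
    SimResult("T1048.003", "exfiltration", prevented=False, logged=True, alerted=False),
    SimResult("T1567.002", "exfiltration", prevented=False, logged=False, alerted=False),
    SimResult("T1041", "exfiltration", prevented=False, logged=True, alerted=False),
    SimResult("T1562.001", "defense-evasion", prevented=False, logged=True, alerted=True),
    SimResult("T1003.001", "credential-access", prevented=True, logged=True, alerted=True),
    SimResult("T1021.002", "lateral-movement", prevented=False, logged=False, alerted=False),
]

FIELDS = ("prevented", "logged", "alerted")


def rate(results, field):
    """Percentage of results where `field` is true, rounded to one decimal."""
    if not results:
        return 0.0
    return round(100 * sum(getattr(r, field) for r in results) / len(results), 1)


def scorecard(results):
    """Overall and per-tactic prevention/logging/alerting rates."""
    overall = {f: rate(results, f) for f in FIELDS}
    by_tactic = defaultdict(list)
    for r in results:
        by_tactic[r.tactic].append(r)
    per_tactic = {t: {f: rate(rs, f) for f in FIELDS} for t, rs in by_tactic.items()}
    return overall, per_tactic


def visibility_gap(results):
    """Techniques that were logged but never alerted: the telemetry exists and
    no rule turns it into a signal. These are the cheapest detections to add."""
    return sorted(r.technique for r in results if r.logged and not r.alerted)


def silent_failures(results):
    """Worst case: neither prevented nor logged. The action succeeded and left
    nothing to investigate; fixing telemetry comes before writing rules."""
    return sorted(r.technique for r in results if not r.prevented and not r.logged)


if __name__ == "__main__":
    overall, per_tactic = scorecard(SAMPLE_RESULTS)
    print("overall:", overall)
    for tactic, rates in sorted(per_tactic.items()):
        print(f"{tactic:18s}", rates)
    print("logged but not alerted:", visibility_gap(SAMPLE_RESULTS))
    print("neither prevented nor logged:", silent_failures(SAMPLE_RESULTS))
```

On the constructed data the exfiltration tactic scores 0% prevented and 0% alerted while two of its three techniques were logged, which is exactly the shape of the gap the report describes: the data left the network, the logs show it, nobody was paged.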
The Modern Ransomware Business Model: Akira Case Study
The Akira ransomware group exemplifies the efficient and destructive Ransomware-as-a-Service (RaaS) model that has become prevalent. Emerging in early 2023, Akira operates with a lean, startup-like structure: a small core team maintains the code and infrastructure, while a network of affiliates carries out the attacks for a share of the profits [2]. The group employs double extortion, combining file encryption with data theft. Notably, some actors are now skipping the encryption phase entirely and extorting on the stolen data alone, a tactic that sidesteps anti-ransomware tools built to catch mass file encryption. Akira strategically targets the "vulnerable middle": mid-market companies, SMBs, schools, and local governments, which often hold valuable data but lack robust security postures. The group's cross-platform capabilities, with encryptors for Windows, Linux, and VMware ESXi, further increase its reach. In its first year alone, Akira was linked to over 250 attacks and approximately $42 million in extortion proceeds [2].
Weaponizing Vulnerabilities: The GoAnywhere MFT Example
A primary infection vector for ransomware campaigns remains the exploitation of known, unpatched vulnerabilities in public-facing applications. A recent example is CVE-2025-10035, a maximum-severity (CVSS 10.0) vulnerability in Fortra's GoAnywhere Managed File Transfer (MFT) product. The flaw is a deserialization of untrusted data weakness in the License Servlet component [4]: an actor who can present a validly forged license response signature can have the servlet deserialize an arbitrary attacker-controlled object, which leads to command injection and arbitrary code execution with no user interaction. Because the path runs through that signature check, the open question after disclosure was how attackers came to forge it. Fortra's advisory points defenders to stack traces containing SignedObject.getObject in the application logs as an indicator of attempted exploitation, and to keeping the admin console off the public internet as the first mitigation alongside patching. The nonprofit Shadowserver Foundation identified over 470 GoAnywhere MFT instances exposed online, a large attack surface for a product whose purpose is moving sensitive files. The incident has a direct precedent: in 2023, the Clop ransomware gang exploited a previous GoAnywhere zero-day (CVE-2023-0669) to breach over 130 organizations. File transfer solutions are targeted persistently because of the sensitive data they process and store.
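The weakness class behind CVE-2025-10035 is easier to see in a small program than in an advisory. The block below is an added example that reproduces it in Python with pickle rather than in Java: a deserializer that will call whatever callable the blob names, next to the hardened form that only admits an allow-listed type. It is not Fortra's code, it omits the license-signature layer that sits in front of the real servlet, and the "payload" only records that it ran instead of executing a command. The Gadget and LicenseResponse classes are assumptions made for the example.

```python
"""Deserialization of untrusted data, shown in Python rather than Java.

CVE-2025-10035 is a Java deserialization flaw; this added example reproduces
the weakness class with Python's pickle, which will likewise invoke attacker-
chosen callables while loading a blob, and shows the hardened form: an
Unpickler that rejects every global not on an allow-list. Not Fortra's code,
and the "payload" only records that it ran.
"""
import io
import pickle

EXECUTED = []  # the payload appends here; in a real attack this is os.system


def mark_executed(tag):
    EXECUTED.append(tag)
    return tag


class Gadget:
    """Attacker-supplied object: on load, pickle calls mark_executed('payload-ran')."""

    def __reduce__(self):
        return (mark_executed, ("payload-ran",))


class LicenseResponse:
    """The one type the application legitimately expects from the server."""

    def __init__(self, customer, expires):
        self.customer = customer
        self.expires = expires


def build_malicious_blob():
    return pickle.dumps(Gadget())


def build_legit_blob():
    return pickle.dumps(LicenseResponse("acme", "2026-12-31"))


def vulnerable_load(blob):
    """Before: whatever arrived on the wire is handed to the deserializer.
    Every importable callable is now part of the attack surface."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """After: find_class() is the choke point through which every global
    reference passes; refuse anything but the expected response type."""

    ALLOWED = {(LicenseResponse.__module__, "LicenseResponse")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"forbidden global {module}.{name}")


def hardened_load(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def demonstrate():
    """Run both loaders against both blobs and report what happened."""
    EXECUTED.clear()
    vulnerable_load(build_malicious_blob())
    ran_via_vulnerable = EXECUTED == ["payload-ran"]

    EXECUTED.clear()
    try:
        hardened_load(build_malicious_blob())
        blocked = False
    except pickle.UnpicklingError:
        blocked = True
    blocked_without_side_effect = blocked and EXECUTED == []

    legit = hardened_load(build_legit_blob())
    return {
        "vulnerable_ran_payload": ran_via_vulnerable,
        "hardened_blocked_payload": blocked_without_side_effect,
        "hardened_accepts_legit": isinstance(legit, LicenseResponse) and legit.customer == "acme",
    }


if __name__ == "__main__":
    print(demonstrate())
```

The point the allow-list makes is that signature checks on the envelope do not remove the need to constrain what the deserializer may instantiate; once a signature can be forged, the class filter is the only control left. The equivalent in Java is an ObjectInputFilter (JEP 290) allow-list on the ObjectInputStream, or replacing native serialization with a data-only format such as JSON parsed into a fixed schema.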
The Rise of EDR-Killer Tools
A significant tactical evolution in ransomware operations is the systematic targeting of Endpoint Detection and Response (EDR) systems. A January 2025 report by Logpoint details the rise of tools built specifically to impair, disable, or bypass these controls [5]. These EDR killers are deployed mid-intrusion to suppress alerts and evade detection so that both the encryption and the data exfiltration phases complete. Prominent examples include EDRKillShifter, used by the RansomHub group; MS4Killer, a custom tool used by the Embargo group; and AuKill and Terminator, used by groups such as FIN7 and Black Basta. Most of them share one mechanism, bring-your-own-vulnerable-driver (BYOVD): the tool drops a legitimately signed but exploitable kernel driver, loads it, and uses it to terminate protected security processes from kernel mode, which user-mode tamper protection cannot prevent. That makes driver load telemetry, Microsoft's vulnerable driver blocklist and hypervisor-protected code integrity (HVCI) the controls that matter most against this class. The accessibility of these tools lowers the barrier to entry for less sophisticated actors; they sell on underground markets for as little as $300, and variants circulate in public repositories. The trend forces a strategic shift away from relying on any single control and towards defense in depth.
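Because the killers work by loading a driver and then killing processes, both steps leave telemetry that a rule can consume even when the EDR itself is about to go dark. The block below is an added example of that detection logic, written for this page and not taken from the Logpoint report or any vendor. It runs three rules over constructed JSON-lines endpoint events: a driver-load rule, a service-tampering rule and a termination-burst rule. The driver names, process names, service names and event field layout are assumptions made for the example; a deployment would take the driver list from a maintained blocklist such as LOLDrivers and the process names from its own EDR vendor.

```python
"""Detection logic for EDR-killer tradecraft, run over constructed endpoint
telemetry. Added example, not taken from the Logpoint report or any vendor.

The tools named above share three observable behaviours:
  1. loading a signed but vulnerable kernel driver (BYOVD) to obtain a
     kernel primitive that can terminate protected processes;
  2. stopping or disabling security services from a user-launched binary;
  3. a burst of terminations aimed at security-product processes.
Driver names, process names, service names and the event shape below are
assumptions made for this example.
"""
import json
import re
from collections import defaultdict

# Assumed sample entries standing in for a real vulnerable-driver blocklist
VULNERABLE_DRIVERS = {"zam64.sys", "zamguard64.sys", "procexp.sys", "truesight.sys"}
# Assumed security-product process and service names
SECURITY_PROCESSES = {"msmpeng.exe", "sentinelagent.exe", "sentinelhelperservice.exe", "csfalconservice.exe"}
SECURITY_SERVICES = {"windefend", "sentinelagent", "csfalconservice"}
USER_WRITABLE = ("\\temp\\", "\\users\\", "\\programdata\\")
SERVICE_TAMPER = re.compile(r"\b(?:sc(?:\.exe)?\s+(?:stop|delete|config)|net(?:\.exe)?\s+stop)\b", re.I)

# Constructed JSON-lines telemetry: one host under an EDR killer (ws01), one
# host where a downloaded binary stops the agent (ws02), and one clean host (ws03).
RAW_EVENTS = r"""
{"ts": 100, "host": "ws01", "type": "driver_load", "image": "C:\\Windows\\Temp\\zam64.sys", "signed": true}
{"ts": 101, "host": "ws01", "type": "process_terminate", "target": "MsMpEng.exe", "source": "C:\\Windows\\Temp\\term.exe"}
{"ts": 102, "host": "ws01", "type": "process_terminate", "target": "SentinelAgent.exe", "source": "C:\\Windows\\Temp\\term.exe"}
{"ts": 103, "host": "ws01", "type": "process_terminate", "target": "SentinelHelperService.exe", "source": "C:\\Windows\\Temp\\term.exe"}
{"ts": 104, "host": "ws02", "type": "process_create", "image": "C:\\Windows\\System32\\sc.exe", "cmdline": "sc stop SentinelAgent", "parent": "C:\\Users\\bob\\Downloads\\update.exe"}
{"ts": 105, "host": "ws03", "type": "driver_load", "image": "C:\\Windows\\System32\\drivers\\ndis.sys", "signed": true}
{"ts": 106, "host": "ws03", "type": "process_terminate", "target": "notepad.exe", "source": "C:\\Windows\\explorer.exe"}
"""


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_byovd(events):
    """Rule 1: a driver on the blocklist, or any driver loaded from a
    user-writable directory, is a BYOVD indicator. Signed or not is irrelevant:
    the abused drivers are signed, which is why they load at all."""
    alerts = []
    for e in events:
        if e["type"] != "driver_load":
            continue
        image = e["image"]
        reasons = []
        if basename(image) in VULNERABLE_DRIVERS:
            reasons.append("known vulnerable driver")
        if any(p in image.lower() for p in USER_WRITABLE):
            reasons.append("driver loaded from user-writable path")
        if reasons:
            alerts.append({"rule": "byovd_driver_load", "host": e["host"], "ts": e["ts"],
                           "detail": f"{image}: " + "; ".join(reasons)})
    return alerts


def detect_service_tampering(events):
    """Rule 2: sc/net used to stop, delete or reconfigure a security service."""
    alerts = []
    for e in events:
        if e["type"] != "process_create":
            continue
        cmd = e.get("cmdline", "")
        if SERVICE_TAMPER.search(cmd) and any(s in cmd.lower() for s in SECURITY_SERVICES):
            alerts.append({"rule": "security_service_tampering", "host": e["host"], "ts": e["ts"],
                           "detail": f"{cmd} (parent {e.get('parent', '?')})"})
    return alerts


def detect_termination_burst(events, window=10, threshold=3):
    """Rule 3: `threshold` or more security-product processes terminated on one
    host within `window` seconds. A single kill can be an agent upgrade; a
    burst from one source is how the killers behave."""
    kills = defaultdict(list)
    for e in events:
        if e["type"] == "process_terminate" and basename(e["target"]) in SECURITY_PROCESSES:
            kills[e["host"]].append(e["ts"])
    alerts = []
    for host, times in kills.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = [t for t in times[i:] if t - start <= window]
            if len(in_window) >= threshold:
                alerts.append({"rule": "security_process_termination_burst", "host": host, "ts": start,
                               "detail": f"{len(in_window)} security processes terminated within {window}s"})
                break
    return alerts


def run_detections(events):
    alerts = detect_byovd(events) + detect_service_tampering(events) + detect_termination_burst(events)
    return sorted(alerts, key=lambda a: (a["ts"], a["rule"]))


if __name__ == "__main__":
    for a in run_detections(parse_events(RAW_EVENTS)):
        print(f"[{a['ts']}] {a['host']:5s} {a['rule']:36s} {a['detail']}")
```

Rule 1 fires before any process has been killed, which is the window a defender actually has: once the burst in rule 3 is visible, the agent on that host is usually already gone and the alert has to come from a host or from the server side of the telemetry pipeline. The user-writable-path check is there because the abused drivers are legitimately signed, so "is it signed" is not a useful question; "where did it load from" and "is it on the blocklist" are.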
Critical Sector Impact and Future Trends
The real-world consequences of these evolving threats are severe, particularly in critical sectors like healthcare. A breach disclosed in September 2025 by the New York Blood Center, stemming from a ransomware attack earlier that year, affected nearly 200,000 people [7]. This is part of a larger trend: confirmed ransomware attacks against healthcare providers in 2025 already exceed 60 incidents and have exposed over 5.4 million patient records. The operational disruption from such attacks directly affects patient safety. Looking forward, emerging trends like AI-assisted malware that mutates to evade static signatures, and the continued evolution of RaaS platforms, will further challenge defenders. The average cost to recover from a ransomware attack is now estimated at $2.73 million [3]; that figure covers downtime, staff time and recovery effort and excludes the ransom itself, so the full bill, including any ransom payment, regulatory fines and reputational damage, runs higher.
The compiled data presents a clear picture: ransomware is adapting and escalating. Measured defensive effectiveness is falling, and threat actors are becoming more efficient through RaaS models and evolved tactics. They exploit human factors, technical weaknesses like unpatched vulnerabilities, and the structural gap in data exfiltration prevention. This landscape demands a shift from passive, assumed protection to continuous validation and defense in depth. Organizations must prioritize rigorous patch management, reduce internet-facing attack surfaces, implement layered controls, and adopt Breach and Attack Simulation (BAS) to test, on an ongoing basis, whether those controls actually prevent, log and alert on the techniques in use.