Cyble’s Global Cybersecurity Report 2025 paints a stark picture of an attack surface under sustained pressure. Ransomware attacks jumped 50% year‑on‑year to nearly 6,000 incidents, data breaches hit their second‑highest level on record, and a thriving underground market for compromised access has turned initial footholds into a traded commodity. For enterprises, the message is clear: ransomware, supply chain compromise, and vulnerability exploitation are converging into a single, always‑on risk.
Ransomware Volume and Actors Reordering the Market
Cyble recorded 5,967 ransomware attacks in 2025, marking a 50% increase over the previous year and confirming that extortion remains the most disruptive cyber threat. Manufacturing was the most targeted sector, with Construction, Professional Services, Healthcare, and IT also among the top five, reflecting attackers’ focus on industries where downtime is extremely costly.
Qilin led overall activity, while Akira emerged as the second‑most prolific operator, running high‑tempo campaigns across Construction, Manufacturing, and Professional Services. CL0P reinforced its position as a zero‑day specialist, launching a mass campaign in February 2025 that compromised hundreds of organizations in a single wave via widely used enterprise file transfer software.
Data Breaches and Access Sales Intensify Exposure
Alongside ransomware, Cyble documented 6,046 data breaches and leaks, with Government and law enforcement agencies accounting for 998 incidents (16.5% of the total) and BFSI for 634. Together, these high‑value sectors represented more than a quarter of all breaches, underlining attackers’ focus on citizen data, payments, and regulated information.
The underground economy for initial access is maturing as well. Researchers identified 3,013 sales of compromised corporate access, with Retail the most targeted sector at 594 incidents (almost 20% of listings), followed by BFSI (284) and Government (175). This trade effectively decouples initial compromise from monetisation, enabling specialist groups to buy ready‑made footholds and scale their operations.
Zero‑Day Exploits and Known Vulnerabilities Power Entry
The report highlights how both zero‑day and known exploited vulnerabilities drove attack volumes. Cyble tracked 94 zero‑days in 2025, 25 of which carried CVSS scores above 9.0, underscoring the severity of available exploits. High‑impact vulnerabilities included Oracle E‑Business Suite and GoAnywhere MFT remote code execution bugs used by CL0P and Medusa ransomware.
Over 86% of entries in CISA’s Known Exploited Vulnerabilities catalog had CVSS ratings of 7.0 or higher, with Microsoft, Fortinet, Apple, Cisco, and Oracle among the most affected vendors. This reinforces the need for disciplined patch management and rapid response around both edge infrastructure and business‑critical platforms.
Geopolitical Hacktivism Reaches Unprecedented Scale
Cyble’s analysis shows geopolitically motivated hacktivism has become a persistent background threat. Researchers observed more than 40,000 data leak and dump posts from hacktivist groups, impacting over 41,400 unique domains across sectors. The Israel‑Iran conflict alone triggered operations by 74 groups, while India‑Pakistan tensions generated 1.5 million intrusion attempts.
North Korea’s IT worker fraud schemes continued to infiltrate global companies, blending revenue generation, access brokering, and espionage. Across these campaigns, tactics ranged from DDoS attacks and website defacements to data breaches against government and critical infrastructure, making attribution and response more complex for defenders.
Sector‑Specific Pressures and Supply Chain Risk
The report offers granular insights into sector exposure. Manufacturing remains the most attacked vertical due to its dependence on OT/ICS environments and low tolerance for downtime. Construction, where project timelines create leverage, is heavily targeted by Akira. Professional Services firms are hit for client data and supply chain access opportunities. Healthcare continues to face high ransomware risk as attackers exploit the sector’s critical data and service continuity needs.
IT and ITES providers are frequently compromised as stepping stones into downstream customers, underscoring how managed service and technology partners have become high‑value supply chain targets. For India Inc., where IT service exports and manufacturing are strategic priorities, this combination of operational and reputational risk is acute.
