Cybersecurity predictions are abundant this time each year, many filled with sensationalism and exaggerated threats. You could easily fill an article with predictions of AI-powered robot armies wreaking havoc or the impending doom of quantum computing. But that's not our style. We believe in predictions rooted in the analysis of data and trends observed in 2024.
However, we also acknowledge that the cybersecurity landscape is unpredictable. A single, unforeseen event – a major geopolitical shift, powerful proof-of-concept code, or the emergence of a new, repeatable playbook – could quickly reshape the threat landscape. So, consider these predictions as a framework, a starting point for understanding the potential challenges ahead, while always remaining prepared for the unexpected.
AI: ‘Artificially Inflated’ Threat
Last year, we dedicated an entire article to AI predictions in cybersecurity. Now, while we're huge fans of AI – we've been researching its foundations and innovating since 2008 and use it extensively – we weren't swept up in the hype. We resisted the urge to predict sentient AI that independently hunts vulnerabilities. We predicted that Large Language Models (LLMs) would become more effective at eliminating barriers for social engineering attacks. And guess what? Our predictions for 2025 are similar but with several refinements.
- Increase in Business Email Compromise (BEC) Attacks - BEC remains a significant and often overlooked threat. The FBI's 2023 report revealed staggering losses due to BEC – 60 times higher than those from ransomware. While this threat was always significant, the rise of AI has dramatically increased its potential – from AI-powered deepfakes convincingly impersonating executives to the ability to learn and mimic individual communication styles with uncanny accuracy. This potent combination, coupled with high potential for monetization, low awareness among targets, and the fact that it requires minimal technical skills to execute, makes BEC an increasingly attractive option for cybercriminals, especially when empowered by AI.
- Business Processes That are not ‘Deepfake-Proof’ Will be Targeted - Once requiring specialized skills, deepfake technology is rapidly becoming more accessible, transforming it from a niche capability to a commoditized cybersecurity weapon. Beyond familiar use cases (e.g. impersonating executives, pig butchering, vishing…), the widespread availability of sophisticated deepfake technology should force businesses to re-evaluate their processes and procedures. For example, visual validation – common in finance and cryptocurrency markets – is increasingly vulnerable. In Brazil, a recent law enforcement operation, "DeGenerative AI," uncovered a large-scale criminal scheme that used deepfakes to bypass account opening procedures in banks. Criminals used AI to create fake videos of real account holders, successfully tricking security systems and creating accounts for money laundering purposes. This scheme resulted in over 550 successful account invasions and movement of approximately $18M through these accounts.
- LLMs Will be (Wrongly) Blamed - The pressure to demonstrate the value of AI investments is driving a dangerous trend within many organizations. When companies invest heavily in AI, often struggling to achieve tangible business outcomes, teams feel immense pressure to showcase the technology's worth. This pressure can lead to reckless experimentation, with teams eager to implement AI solutions regardless of the risks. This "catch-up-with-hype" mentality can incentivize teams to cut corners, prioritize speed over security, and potentially ignore critical safeguards. This not only increases the risk of data breaches and compliance violations but also undermines the responsible development and deployment of AI within the organization, leading to shadow AI adoption by individuals or small teams.
- AI-Infused ‘Super-Malware’ Remains a Thought Leadership Gimmick - Last year, we predicted that “When thinking about the latest AI malware, don't imagine a complex binary skillfully maneuvering through your network to pinpoint vulnerabilities for exploitation. Instead, picture a code with minor customizations, crafted in a language of your preference. Script kiddies are more likely to find this opportunity appealing compared to experienced malware developers.” This prediction remains true for 2025, as malware is already highly dynamic, with security companies like Bitdefender processing hundreds of unique variants every minute. Serious threat actors will find LLMs more valuable for manipulating humans through social engineering attacks than for developing agentic malware.
- Critical Infrastructure and ICS Targeting - Building upon our previous analysis, we predicted that AI would lower the barrier to entry for actors targeting ICS/SCADA systems. However, reviewing the top cyber threats of 2024, the emergence of threat actor groups like CARR demonstrates a more concerning reality. These groups are targeting critical infrastructure in new and unexpected ways. The successful disruption of a Ukrainian energy company by the FrostyGoop malware, the first ICS malware known to directly manipulate the ModbusTCP protocol, further underscores this evolving threat. This situation becomes even more dangerous when considering the loosening of ethical guidance among some ransomware groups and the resurgence of hacktivism, both trends that we’ll be discussing in the following chapters.
Contrary to the prevailing narrative, we believe that in the near term, AI will be a more potent force for defenders than attackers. While AI can undoubtedly be used to enhance cyberattacks, existing methods remain equally effective and require less effort. This lack of immediate incentive for attackers to significantly innovate with AI provides a temporary advantage to defenders.
Ironically, one of the biggest AI-related security issues is the obsession with fictional threats while neglecting fundamental security best practices.
Ransomware: Elite Clubs, Mid-Level Mobs, and Lone Wolves
2024 proved to be a turbulent year for the ransomware landscape. Following successful takedowns of major players like LockBit and ALPHV/BlackCat, the RaaS market experienced significant upheaval. The disappearance of these prominent actors created a vacuum, leading to a surge in new, less established groups.
Our monthly Bitdefender Threat Debrief, typically consistent in terms of the dominant ransomware actors, showed a marked increase in volatility, with the top 10 ransomware groups shifting almost monthly. These new groups, eager to establish themselves, often lowered entry barriers for affiliates, leading to a noticeable increase in attacks targeting the healthcare sector. Furthermore, we observed a rise in "lone wolf" ransomware operators – individuals or small teams operating independently, outside the traditional RaaS model, and targeting entire networks rather than individual machines (read our ShrinkLocker research for more details). In 2025, we expect to see the following:
- Ransomware Ecosystem will Become More Fragmented - We predict that the ransomware ecosystem will become increasingly fragmented. The recipe for a successful RaaS operation has become commoditized, with readily available playbooks and even leaked codebases from prominent groups like LockBit and Babuk. This lowered barrier to entry enables new actors to quickly launch their own RaaS operations. Furthermore, many RaaS groups are not enforcing exclusivity with affiliates, allowing them to work with multiple groups concurrently. This "multi-affiliation" trend enables affiliates to strategically choose the most effective ransomware variant for each attack based on factors like the target's endpoint security solution. This increased competition and flexibility will lead to a more unpredictable threat landscape.
- Unhealthy State of the Healthcare Industry - To attract affiliates, many RaaS groups are removing restrictions on target industries, including those previously considered off-limits. This, combined with the shift towards opportunistic targeting, means attackers are less focused on targeting specific companies or industries and more focused on compromising networks based on the software they use. The healthcare industry has proven a lucrative target, as evidenced by the record-breaking ransom payments observed throughout the year (including the highest recorded $75M ransom). While legislative efforts like the “Health Infrastructure Security and Accountability Act” aim to improve cybersecurity in the healthcare sector, the path to significant regulatory change is likely to be long and complex.
- In with Vulnerabilities, Out with Data - Last year, we predicted ransomware actors would rapidly weaponize newly discovered vulnerabilities. The significant increase in vulnerabilities observed in 2024 (from 18,349 in 2020 to 40,011 according to NIST NVD) validates this trend. This surge, coupled with the continued focus on exploiting vulnerabilities in enterprise software, has fueled the rise of opportunistic ransomware attacks targeting edge devices. Data exfiltration remains a primary objective, despite many organizations still prioritizing data encryption over exfiltration prevention. We expect this opportunistic initial access method trend to continue.
- Ransomware as a Tool of State-Sponsored Operations - Ransomware operations, previously the domain of cybercriminal groups, are becoming more popular with APTs. Firstly, ransomware payments generate significant revenue, funding state-sponsored initiatives such as Russia's military operations and North Korea's weapons programs. Secondly, ransomware attacks can be used as a tool for disruption, causing significant economic damage and social disruption within targeted nations. The intersection of APT activities with ransomware operations blurs the lines between cybercrime and state-sponsored espionage, making attribution more challenging and potentially reducing the perceived risk of consequences for state actors. This blurring allows state-sponsored actors to leverage the financial and disruptive capabilities of ransomware while maintaining plausible deniability.
Hacktivism: A Resurgence with a Ransomware Twist
For the past several years, the cybersecurity landscape has been dominated by financially motivated attacks, while hacktivism was a niche player, representing less than 1% of all cyberattacks. While we don't expect a dramatic shift in the overall threat landscape, several factors point towards a resurgence of hacktivism in 2025.
- Goodbye Banners and DDoS, Hello Ransomware - We expect to see a convergence of hacktivism and cybercrime, with hacktivist groups increasingly leveraging cybercrime tools and techniques to fund their activities and achieve their political or social objectives. This trend is evident in the rise of groups like CiberInteligenciaSV, which are increasingly targeting critical infrastructure.
- GenZ Cybercriminals - The emergence of groups like Scattered Spider or Lapsus$, comprised primarily of young males aged 16-25 from the US, UK, and Canada, highlights a new breed of cybercriminal. Driven by a combination of financial gain and a desire for notoriety, these groups have demonstrated a capability in executing high-profile attacks. While law enforcement arrested multiple Scattered Spider members, their decentralized nature and large membership base (1K+ members) make it challenging to fully dismantle their operations.
- Russian Tech Meets Western Hustle - We expect to see an increase in collaborations between English-speaking and Russian-speaking cybercriminal groups. These collaborations, exemplified by the success of groups like Scattered Spider, leverage the strengths of both factions – the technical expertise of Russian-speaking groups and the social engineering capabilities of native English speakers.
While evidence of this trend is still emerging, we've been observing the potential convergence of hacktivism and ransomware for some time. In our last Bitdefender Threat Debrief, we reported on two hacktivist groups, CyberVolk and KillSec (a group that even made it into our top 10 RaaS list), that have adopted a ransomware-as-a-service model. These early examples suggest that the lines between hacktivism and cybercrime are blurring.
Quantum Computing: The Leap (Not) Too Far
While the widespread availability of powerful quantum computers may still be a few years away – our estimates suggest that commercially viable systems are likely to emerge towards the end of this decade – it is time to begin proactive planning and preparation for quantum computing.
- Harvest Now, Decrypt Later - The potential impact of quantum computing on cybersecurity is undeniable, as it poses a significant threat to current encryption standards, which are primarily based on mathematical problems that quantum computers can solve relatively easily. But why worry about it now if we still have a few more years? Cybercriminals frequently use the "harvest now, decrypt later" strategy, stealing encrypted data today with the knowledge that they may be able to decrypt it using future quantum computers. To mitigate these risks, the National Institute of Standards and Technology (NIST) has been leading the development of post-quantum cryptography (PQC) standards. NIST has finalized three key PQC standards: FIPS 203, FIPS 204, and FIPS 205 (with FIPS 206 expected soon).
While the widespread availability of powerful quantum computers may still be some years away, risks are already present, and companies should start with risk assessments and planning.
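The risk assessment recommended above can be made concrete by walking a cryptographic inventory and asking, per asset, whether traffic recorded today would still be sensitive once a quantum computer arrives. The Python below is an added example written for this article, not Bitdefender code or any product's logic. It assumes a 2030 arrival year for a cryptographically relevant quantum computer (a planning assumption in line with the "end of this decade" estimate above, not a fact), a constructed four-asset inventory, and a hand-maintained table that classifies RSA, (EC)DH and (EC)DSA as broken by Shor's algorithm, AES-128 as weakened by Grover's algorithm, AES-256 as safe, and the ML-KEM, ML-DSA and SLH-DSA algorithms of FIPS 203, 204 and 205 as post-quantum. Only the key-exchange primitive creates "harvest now, decrypt later" exposure; signatures are reported as needing migration but cannot be forged retroactively.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Planning assumption for this example: year a cryptographically relevant
# quantum computer is available. Adjust to your own estimate.
ASSUMED_QUANTUM_YEAR = 2030
CURRENT_YEAR = 2025

# Quantum status of common primitives. Shor's algorithm breaks RSA, finite-field
# and elliptic-curve key exchange and signatures outright. Grover's algorithm
# halves symmetric strength: AES-128 drops to ~64 bits ("weakened"), AES-256 to
# ~128 bits ("safe"). The "pqc" entries are the finalized NIST standards.
QUANTUM_STATUS: Dict[str, str] = {
    "RSA-2048": "broken",
    "RSA-3072": "broken",
    "DH-2048": "broken",
    "ECDH-P256": "broken",
    "X25519": "broken",
    "ECDSA-P256": "broken",
    "Ed25519": "broken",
    "AES-128-GCM": "weakened",
    "AES-256-GCM": "safe",
    "ML-KEM-768": "pqc",          # FIPS 203
    "ML-DSA-65": "pqc",           # FIPS 204
    "SLH-DSA-SHA2-128s": "pqc",   # FIPS 205
}

@dataclass
class Asset:
    """One entry in a cryptographic inventory (constructed sample data)."""
    name: str
    key_exchange: str
    signature: str
    cipher: str
    confidentiality_years: int  # how long the protected data must stay secret

@dataclass
class Finding:
    asset: str
    hndl_exposed: bool           # traffic recorded today is decryptable in time
    weak_primitives: List[str] = field(default_factory=list)
    migrate_key_exchange_by: Optional[int] = None

def is_known(primitive: str) -> bool:
    return primitive in QUANTUM_STATUS

def status_of(primitive: str) -> str:
    # Unknown algorithm names are a data-quality failure, not "safe by default".
    if not is_known(primitive):
        raise ValueError(f"unknown primitive in inventory: {primitive}")
    return QUANTUM_STATUS[primitive]

def assess(asset: Asset, current_year: int = CURRENT_YEAR,
           quantum_year: int = ASSUMED_QUANTUM_YEAR) -> Finding:
    """Classify one asset for harvest-now-decrypt-later (HNDL) exposure."""
    weak = list(dict.fromkeys(
        p for p in (asset.key_exchange, asset.signature, asset.cipher)
        if status_of(p) not in ("safe", "pqc")))
    finding = Finding(asset=asset.name, hndl_exposed=False, weak_primitives=weak)
    if status_of(asset.key_exchange) == "broken":
        # Data encrypted in year Y stays sensitive until Y + lifetime. The key
        # exchange must be migrated before Y + lifetime reaches the quantum
        # year; if that deadline is already here, captured traffic is exposed.
        deadline = quantum_year - asset.confidentiality_years
        finding.migrate_key_exchange_by = deadline
        finding.hndl_exposed = deadline <= current_year
    return finding

def assess_inventory(assets: List[Asset]) -> List[Finding]:
    return [assess(a) for a in assets]

# Constructed sample inventory; names and lifetimes are illustrative only.
SAMPLE_INVENTORY = [
    Asset("vpn-gateway", "X25519", "ECDSA-P256", "AES-256-GCM", 15),
    Asset("public-website", "X25519", "RSA-2048", "AES-128-GCM", 0),
    Asset("hr-archive-transfer", "RSA-2048", "RSA-2048", "AES-256-GCM", 3),
    Asset("pqc-pilot", "ML-KEM-768", "ML-DSA-65", "AES-256-GCM", 10),
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        flag = "HNDL-EXPOSED" if f.hndl_exposed else "ok-for-now"
        print(f"{f.asset:22} {flag:13} migrate key exchange by: "
              f"{f.migrate_key_exchange_by}  weak: {', '.join(f.weak_primitives) or '-'}")
```

The deadline arithmetic is the point: a VPN carrying data that must stay secret for 15 years is already exposed under a 2030 assumption, while a public website with no confidentiality requirement merely needs its key exchange replaced before the quantum year. The same inventory also surfaces signature and cipher primitives that need a migration plan even where no HNDL exposure exists.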
Conclusion
In summary, 2025 is anticipated to be another year in which all avenues of attack will continue to see growth. However, it’s critical to recognize that the ransomware business model has evolved significantly since 2017 and continues to evolve every year. Staying informed about the latest trends is crucial, as is prioritizing fundamental strategies like defense-in-depth and multilayered security. The emphasis should be on acquiring capabilities rather than tools, covering prevention, protection, detection, and response.
We've combined our current understanding of ransomware tactics with available security controls in our white paper, "Stopping Ransomware: A Technical Deep Dive into Attack Vectors & Mitigation Strategies with Bitdefender." We continuously update this white paper to reflect the latest trends and best practices.