August 20, 2025  —  Lee Pender

Acronis Cyberthreats Report H1 2025: Some good news and a lot of bad news

What’s the good news? Some of the numbers in Acronis Cyberthreats Report H1 2025 suggest that cybersecurity measures are working.

However, other statistics show that many familiar threats to organizations continue to grow more dangerous all the time. The report, from the Acronis Threat Research Unit, confirms — no doubt to little surprise — that ransomware continues its relentless assault. It also reveals that attackers are using less familiar vectors, particularly collaboration applications, to strike organizations.

Based on data from over a million unique global endpoints, the Acronis Cyberthreats Report H1 2025 provides not only crucial statistics but also actionable advice for managed service providers (MSPs) and IT professionals.

Ransomware's continued reign of havoc

Ransomware remains a dominant threat to businesses of all sizes. The number of publicly known ransomware victims from January 2025 to June 2025 surged by nearly 70% compared to the same period in both 2023 and 2024, totaling 3,642 claimed victims. February 2025 marked the highest peak with 955 victims, largely driven by the Cl0p ransomware group, which was responsible for 335 cases — a 300% month-over-month increase.

Key ransomware trends included:

  • A sustained high cadence of attacks fueled by ransomware-as-a-service (RaaS) operations, which capitalize on fragmented patch management and delayed mitigations.
  • A tactical shift towards quieter data-theft extortion and zero-day exploitation, with more surgical and stealthy intrusions rather than volume-based attacks.
  • Attackers going after the manufacturing, retail and technology sectors, which were the most targeted industries for ransomware attacks in Q1 2025.

MSPs in the crosshairs: Shifting attack vectors

MSPs, IT consulting firms and system integrators continue to be high-value targets due to their privileged access to numerous client environments. One bit of good news is that the overall number of reported initial access incidents involving MSPs declined from 90 in H1 2024 to 67 in H1 2025. But attacker tactics shifted significantly.

Initial attack vectors for MSPs

Phishing surged to 52% of all initial attacks on MSPs in H1 2025, a major shift from 30% in the same period in 2024. This indicates a move toward social engineering and exploiting human behavior, amplified by AI-generated lures and hybrid work environments.

Unpatched vulnerabilities remained a problem, increasing from 23% to 27% of initial attacks on MSPs, with attackers consistently exploiting known flaws in widely used third-party software, especially those integral to MSP operations.

Another positive data point involved exploits based on Remote Desktop Protocol (RDP), which dropped sharply from 24% to just 3%, suggesting that widespread multifactor authentication (MFA) adoption and improved endpoint hardening are effective deterrents.

Abuse of valid accounts or credentials also decreased, though only slightly, from 15% to 13%. Attackers continue to harvest tokens and passwords via infostealers.

The rise of AI-powered cyberthreats

AI's integration into cybercrime intensified in H1 2025, fueling the proliferation of cybercrime-as-a-service (CaaS) models on the dark web. AI democratizes sophisticated attack capabilities, lowering the barrier to entry for less technically skilled criminals. Trends include:

  • Ransomware automation: The FunkSec group, which emerged in late 2024, gained notoriety for using AI to automate malware creation and enable rapid development of encryption tools and evasion techniques.
  • Deepfake social engineering: Attackers are using AI-generated deepfake technology to impersonate public figures in fraudulent investment schemes on social media platforms, tricking users into engaging with scams.

These trends point to the need for a greater focus on behavioral analysis to detect subtle impersonation tactics and a healthy skepticism from users towards investment advice or financial endorsements.

Shifting sands: From email to collaboration apps

While email remains a prime target, cybercriminals are increasingly focusing on collaboration applications, such as Microsoft 365 and Microsoft Teams.

  • Acronis Email Security detected 7,201,107 attacks from January 1, 2025, to May 15, 2025, averaging 205 detections per organization per month. Of scanned emails, 1.1% were malicious.
  • Phishing in collaboration apps rose sharply from 9% of attacks to 30.5%, and advanced attacks increased from 9% to 24.5%. Conversely, malware in collaboration apps fell from 82% to 45%.
  • Phishing remains the dominant type of email attack at 69.8%, followed by social engineering or business email compromise (BEC) at 25.6%.
  • Almost 1.5% of Microsoft 365 email backups scanned were affected by malware, with 40% of URLs being phishing links and 30% malicious links.

This shift underscores the need for comprehensive security that extends beyond traditional email protection to include collaboration platforms. Organizations must ensure robust security measures are in place for all communication channels.

General malware threats and vulnerabilities

Malware remained a thorny issue, with a rapid proliferation of variants and an increase in vulnerabilities:

  • The average lifetime of a malware sample in May 2025 was just 1.4 days, indicating attackers' use of automation to rapidly create new and personalized malware variants.
  • Approximately 5,000 common vulnerabilities and exposures (CVEs) were published from January 2025 to April 2025, a significant increase from around 4,000 in the same period of 2024.
  • Nearly 5% of organizations monitored had unpatched vulnerabilities in TeamViewer, a remote management tool frequently exploited in attacks.

How MSPs can protect themselves and clients

The evolution of cyberthreats isn’t making service providers’ jobs any easier, but following a few best practices can help MSPs keep their clients safe.

A holistic cyber protection strategy that natively integrates advanced detection, response and recovery capabilities is essential to client protection. An integrated cyber protection platform with tamper-proof backups is crucial for rapid data restoration and minimizing disruption. Regular testing of restoration processes is also vital.

MSPs need to implement multilayered technologies, including AI-based detection, extended detection and response (XDR), endpoint protection, web filtering and robust email and collaboration app security. Those capabilities proactively identify and neutralize threats across client environments.

Service providers can also take care of themselves and their clients by rigorously applying patches to operating systems, applications and especially remote monitoring and management (RMM) tools, which are frequent entry points for threat actors. In fact, MSPs should treat RMM infrastructure as a high-value asset, continuously monitoring it for unusual remote access behavior.

Every organization should be prepared for cyberthreats

The report serves as a reminder that there are some basic practices everybody — both service providers and other types of organizations — should follow.

  • Prepare for phishing attempts: Teach users to be vigilant against deceptive emails and messages and not to click suspicious links. The surge in AI-generated lures makes this even more critical.
  • Ensure cybersecurity solutions are properly configured: A well-configured security solution is vital for effective defense. A solution that’s not set up properly can leave a huge security hole.
  • Be on the lookout for AI-generated content: Verify investment advice or financial endorsements from public figures through official channels, as deepfake technology is used in fraudulent schemes.

By understanding evolving threats and implementing comprehensive cyber protection strategies, organizations can significantly enhance their resilience against sophisticated cyberattacks.

Read the Acronis Cyberthreats Report H1 2025

For much more information on cyberthreat statistics, best-practice advice and details about specific cyberattacks, download the full Acronis Cyberthreats Report H1 2025.

About Acronis

A Swiss company founded in Singapore in 2003, Acronis has 15 offices worldwide and employees in 50+ countries. Acronis Cyber Protect Cloud is available in 26 languages in 150 countries and is used by over 21,000 service providers to protect over 750,000 businesses.