Ransomware attacks will continue to plague APAC enterprises in 2025, according to Rapid7. The cybersecurity tech vendor expects that more zero-day exploits and changes in ransomware industry dynamics will result in a “bumpy ride” for security and IT professionals throughout the region.
Ransomware incidents have steadily risen over the last couple of years. Rapid7’s Ransomware Radar Report revealed that 21 new ransomware groups emerged globally in the first half of 2024. A separate analysis found that these criminals doubled their takings to $1.1 billion in ransom payments in 2023.
While the Rapid7 report did not specifically detail APAC’s issues with zero-day exploits, PwC’s annual Digital Trust Insights (DTI) survey revealed that 14% of the region identified zero-day vulnerabilities as one of the top third-party-related cyber threats in 2024 — an issue that could linger into 2025.
Despite international efforts like the takedown of LockBit, ransomware operators continued to thrive. Rapid7 predicts increased exploitation of zero-day vulnerabilities in 2025, as these groups are expected to expand attack vectors and bypass traditional security measures.
Ransomware industry dynamics to shape attacks in 2025
Rapid7’s chief scientist, Raj Samani, said the firm has seen ransomware groups gaining access “to novel, new initial entry vectors,” or zero-day vulnerabilities, over the last year. He explained that zero-day events were happening almost weekly rather than about once a quarter as they had in the past.
The firm has observed ransomware operators exploiting zero days in ways that were not feasible 10 years ago. This is because the financial success of ransomware campaigns, with payments made in booming cryptocurrency, created a windfall that allowed operators to “invest” in exploiting more zero days.
In APAC, these conditions are prompting global ransomware threat groups to run regionally targeted ransomware campaigns. However, Rapid7 previously noted that the most prevalent groups vary by targeted country and sector, each of which attracts different ransomware groups.
Samani said the threat posed by zero-day events could worsen in 2025 due to the dynamics within the ransomware ecosystem. He noted that the market could witness an increase in less technically skilled affiliate organisations joining the ranks of those attacking global enterprises.
“The reason why we’ve seen such a growth in ransomware and the demand and exponential increase in payments is because you have individuals that develop the code and individuals that go out and break into companies and deploy that code — so two separate groups,” he explained.
Samani speculated that, while the opaque nature of ransomware makes the situation unclear, a ransomware group with access to zero-day vulnerabilities for an initial entry could use them to attract more affiliates.
“The bigger concern is, does that then mean the operational and technical proficiency of the affiliate can be lower? Are they lowering the technical barriers to entering this particular market space? All of which kind of reveals 2025 could be very bumpy,” he said.
Ransomware payment bans could shake up incident response plans
Sabeen Malik, Rapid7’s head of global government affairs and public policy, said governments worldwide increasingly view ransomware as a “critical issue,” with the largest global collective formed to combat it, the International Counter Ransomware Initiative, now having more members than it has ever had.
This comes as some Asian companies remain ready to pay ransoms to keep business going. Research from Cohesity released in July found that 82% of IT and security decision-makers in Singapore and Malaysia would pay a ransom to recover data and restore business processes.
The same was true of Australian and New Zealand respondents to the same survey: 56% confirmed their company had been the victim of a ransomware attack in the previous six months, and 78% said they would pay a ransom to recover data and business processes in the future.
Countries in APAC are considering how to respond with regulation. Australia has just introduced mandatory ransomware payment reporting for organisations with an annual turnover above $3 million, which must now report a payment within 72 hours.
However, banning ransomware payments outright could have an outsized impact on the security industry, according to Rapid7. If payments were prohibited, targeted companies could lose an avenue of recovery after an attack.
“The shadow looming over all of us aren’t regulations, but more kind of mandates from governments banning the use of, or payments around ransomware; those types of enormous, behemoth kind of decisions I think could dramatically impact the industry,” Samani said.
“What you have to consider with regards to your BCP [business continuity] planning and your DR [disaster recovery] planning is, if ransomware payments become banned within my territory … how is that then going to impact the way that I do things?” he said.
Tips for preventing ransomware threats
Rapid7 recommended security teams think about several measures to combat threats:
Implement basic cyber security hygiene
Malik said companies are considering how new technologies such as AI overlays can help combat the problem — but they should not forget the basic hygiene practices, such as password management, which can ensure that secure foundations are in place.
“It seems like such a no-brainer, yet we continue to see how many issues we’ve seen with identity management and password mismanagement have led to where we are now. What are some of the basic things we need to make these [hygiene] practices foundational?” she asked.
Ask tough questions of AI security vendors
Samani said newer AI tools could help “disrupt the kill chain quicker and faster” if threat actors breach defences. However, he said “security is not a commodity” and that not all AI models are of equal quality. He recommended teams ask questions of the suppliers and vendors.
As he explained, these questions could include:
- “What is their detection strategy, and what is their response strategy?”
- “Do you have an incident response retainer?”
- “Do you conduct regular testing? What about penetration testing?”
Map, prioritise, and widen your data pipeline
Rapid7 suggested that organisations try to understand and map their entire attack surface, including cloud, on-premises systems, identities, third parties, and external assets. They also urged companies to prioritise risks by mapping exposed assets to business-critical applications and sensitive data.
Beyond that, Samani said the most important approach is to broaden ingestion pipelines. He said organisations should gather data from many sources, normalise that data across sources, and have a consistent methodology for deciding what counts as an asset.
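The mapping and prioritisation steps above can be sketched in code. The following is an added example, not Rapid7’s code or tooling: it takes asset records from three constructed inventory sources (a cloud instance listing, a CMDB export, and an EDR agent export; the field names and sample records are all made up), normalises each into one canonical record keyed by fully qualified hostname, merges them, and ranks the result by internet exposure, application criticality, sensitive-data handling, and missing or stale endpoint coverage. The weights and the lists of critical applications and sensitive hosts are assumptions a team would replace with its own business context.

```python
"""Merge asset inventories from several sources into one normalised view and
rank exposed assets by business impact.  Added example; not Rapid7 code.  All
source names, field layouts, weights and sample records are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample exports from three hypothetical sources.
CLOUD_INVENTORY = [
    {"InstanceId": "i-0abc", "PrivateDnsName": "web-01.corp.example",
     "PublicIp": "203.0.113.10", "Tags": {"app": "payments"}},
    {"InstanceId": "i-0def", "PrivateDnsName": "batch-07.corp.example",
     "PublicIp": None, "Tags": {"app": "reporting"}},
]
CMDB_EXPORT = [
    {"hostname": "WEB-01", "domain": "corp.example", "internet_facing": "Y"},
    {"hostname": "fileshare-02", "domain": "corp.example", "internet_facing": "N"},
]
EDR_EXPORT = [
    {"host": "web-01.corp.example", "agent_version": "7.2", "last_seen_days": 1},
    {"host": "fileshare-02.corp.example", "agent_version": "6.9", "last_seen_days": 30},
]
# Assumed business context: criticality weight per application, hosts holding
# sensitive data.  A real team would source these from its own risk register.
CRITICAL_APPS = {"payments": 3, "reporting": 1}
SENSITIVE_HOSTS = {"fileshare-02.corp.example"}
STALE_AGENT_DAYS = 7


@dataclass
class Asset:
    """One normalised asset record, shared by every source."""
    fqdn: str
    sources: Set[str] = field(default_factory=set)
    internet_facing: bool = False
    app: Optional[str] = None
    holds_sensitive_data: bool = False
    edr_present: bool = False
    edr_last_seen_days: Optional[int] = None


def _fqdn(name: str) -> str:
    """The asset-identity rule: lower-case FQDN with any trailing dot removed."""
    return name.strip().rstrip(".").lower()


def normalise_cloud(records: Iterable[dict]) -> Iterable[Asset]:
    for r in records:
        a = Asset(fqdn=_fqdn(r["PrivateDnsName"]), sources={"cloud"})
        a.internet_facing = r.get("PublicIp") is not None
        a.app = r.get("Tags", {}).get("app")
        yield a


def normalise_cmdb(records: Iterable[dict]) -> Iterable[Asset]:
    for r in records:
        a = Asset(fqdn=_fqdn(f"{r['hostname']}.{r['domain']}"), sources={"cmdb"})
        a.internet_facing = r.get("internet_facing", "N").upper() == "Y"
        yield a


def normalise_edr(records: Iterable[dict]) -> Iterable[Asset]:
    for r in records:
        a = Asset(fqdn=_fqdn(r["host"]), sources={"edr"}, edr_present=True)
        a.edr_last_seen_days = int(r["last_seen_days"])
        yield a


def merge_assets(*streams: Iterable[Asset]) -> Dict[str, Asset]:
    """Fold every partial record into one Asset per canonical FQDN."""
    merged: Dict[str, Asset] = {}
    for stream in streams:
        for partial in stream:
            cur = merged.setdefault(partial.fqdn, Asset(fqdn=partial.fqdn))
            cur.sources |= partial.sources
            # Any source claiming exposure wins: exposure is never "averaged away".
            cur.internet_facing = cur.internet_facing or partial.internet_facing
            cur.app = cur.app or partial.app
            cur.edr_present = cur.edr_present or partial.edr_present
            if partial.edr_last_seen_days is not None:
                cur.edr_last_seen_days = partial.edr_last_seen_days
    for fqdn in SENSITIVE_HOSTS:
        if fqdn in merged:
            merged[fqdn].holds_sensitive_data = True
    return merged


def score_asset(a: Asset) -> int:
    """Higher means fix first: exposure, criticality, data, and coverage gaps."""
    score = 3 if a.internet_facing else 0
    score += CRITICAL_APPS.get(a.app, 0)
    score += 2 if a.holds_sensitive_data else 0
    if not a.edr_present:
        score += 2          # no endpoint visibility at all
    elif a.edr_last_seen_days is not None and a.edr_last_seen_days > STALE_AGENT_DAYS:
        score += 1          # agent installed but not reporting
    return score


def prioritise(assets: Dict[str, Asset]) -> List[Tuple[str, int]]:
    ranked = ((a.fqdn, score_asset(a)) for a in assets.values())
    return sorted(ranked, key=lambda t: (-t[1], t[0]))


def build_inventory() -> Dict[str, Asset]:
    return merge_assets(normalise_cloud(CLOUD_INVENTORY),
                        normalise_cmdb(CMDB_EXPORT),
                        normalise_edr(EDR_EXPORT))


if __name__ == "__main__":
    inventory = build_inventory()
    for fqdn, score in prioritise(inventory):
        a = inventory[fqdn]
        print(f"{score:2d} {fqdn:28s} sources={sorted(a.sources)} "
              f"exposed={a.internet_facing} app={a.app} edr={a.edr_present}")
```

The useful output is not the score itself but the gaps the merge exposes: an asset known to the CMDB and EDR but absent from the cloud inventory, or present in the cloud listing with no endpoint agent at all, is exactly the kind of blind spot a broader ingestion pipeline is meant to surface before an attacker does.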
“Probably the top of mind for your [company] boards is ransomware,” Samani said. “Use this as the opportunity to have that meaningful discussion with them. Be under no illusions: you will be invited to board meetings. Be prepared for that and make sure that you articulate the risk to your senior leaders.”