
Phishing Is Leading Cause of Ransomware Attacks in 2025, SpyCloud Report Finds

SpyCloud’s new research highlights a 10% year-over-year increase in phishing-driven ransomware attacks, fueled by the rise of AI-powered cybercrime and widespread infostealer infections.

Sep 23, 2025

Phishing has overtaken all other attack vectors to become the leading cause of ransomware in 2025, according to new SpyCloud research.

In its 2025 SpyCloud Identity Threat Report, the identity threat protection company presents fresh insights into the surge of phishing-driven ransomware, the widening gap in identity exposure, and a growing divide between perceived and actual cybersecurity readiness.

This year’s survey — an evolution of SpyCloud’s annual Malware and Ransomware Defense Report — reflects the expanded tactics and identity-centric threats facing security teams. Drawing on responses from 507 security leaders and practitioners across North America and the UK, the report provides a view of how adversaries exploit identity exposures, where traditional defenses fall short, and the measures organizations must take to adapt.

“Attackers are using phishing kits to steal session cookies, bypass MFA, and impersonate users with alarming accuracy. The growth of commoditized tactics like PhaaS [phishing-as-a-service] has made these capabilities available to even low-skill threat actors, which is why we’re seeing such a sharp spike in ransomware incidents tied directly to phishing,” said Trevor Hilligoss, SpyCloud’s Head of Security Research.

Key findings

  • Phishing surpassed all other attack vectors, cited by 35% of affected organizations — up from 25% in 2024.
  • Ransomware repeat attacks are routine: 85% of organizations faced ransomware at least once in the past year, and nearly one-third (31%) reported between six and ten incidents.
  • Infostealer malware evading defenses: Nearly half of all corporate users were compromised by infostealers, exposing credentials that fuel downstream attacks.
  • Identity exposure accelerating: SpyCloud has recaptured 63.8 billion distinct identity records — a 24% year-over-year increase.
  • Inconsistent credential remediation: Only 41% of organizations routinely revoke or reset access after phishing-related compromise.
  • Limited automation of response: Fewer than 20% of organizations have automated identity threat remediation, leaving most stuck in manual and reactive processes.
  • AI imbalance in cyber offense vs defense: While 92% acknowledge rising risk from AI-powered threats, only 47% have deployed AI in their own security operations.
  • Supply chain remains a high-risk vector: IT, telecom, and software firms are the most heavily targeted, each facing 4–6x more identity threats than average.

Major concerns

More than 75% of organizations report being “significantly” to “extremely” concerned that phishing will serve as the launchpad for more damaging cyberattacks. Exposed or weak APIs and stolen cookies enabling session hijacking followed as the next most common vectors.

Today’s phishing campaigns are increasingly powered by PhaaS platforms such as Tycoon 2FA, FlowerStorm, and Darcula. These services employ adversary-in-the-middle techniques to steal MFA tokens and session cookies. Darcula, in particular, has begun integrating AI-driven capabilities, lowering the barrier to entry by making sophisticated phishing kits easier to generate and deploy — regardless of the attacker’s skill level.

Infostealer infections driving identity sprawl and abuse

Infostealer malware continues to be one of the most pervasive enablers of identity-based threats, silently siphoning credentials, cookies, and sensitive data from compromised devices while evading traditional defenses. SpyCloud found that nearly half of all corporate users have, at some point, been victims of an infostealer infection on either a personal or corporate device. Alarmingly, two-thirds (66%) of these infections occurred on machines that had antivirus or EDR tools installed. Yet only 50% of organizations have visibility into infostealer activity on managed devices, and even fewer (48%) can detect it across both managed and unmanaged endpoints.

SpyCloud tracks data from over 80 malware families, offering insight into their behavior and evolution. In 2025, LummaC2 remained the most active infostealer, peaking at more than 204,000 detections in a single day in February. Meanwhile, macOS-targeting malware such as Atomic Stealer surged in activity. Although still less prevalent than Windows-based infections, this trend signals a shift toward platform-agnostic infostealers that are increasingly adaptable across diverse environments.

The confidence gap

Awareness of ransomware and infostealer-driven threats is rising, yet effective response remains elusive. While 86% of security leaders say they are confident in their ability to prevent ransomware, nearly the same proportion — 85% — experienced an attack in the past year. Despite this prevalence, only 35% of organizations have workflows to remediate identity exposures, and just 33% have formal protocols for investigating identity-related incidents.

A striking executive-practitioner divide compounds the issue. Nearly half of CISOs and CIOs (45%) report high confidence in ransomware defense, compared with only 28% of security team leads. This disconnect highlights a dangerous blind spot, as adversaries continue to automate, diversify, and industrialize identity-driven attacks.

Solutions

The 2025 SpyCloud Identity Threat Report reveals that attackers are exploiting identity exposures faster than organizations can detect or respond. The report finds that 94% of Fortune 50 companies have been affected by employee phishing exposures, and adversaries are weaponizing stolen credentials, session cookies, and personally identifiable information.

To break the cycle, SpyCloud says organizations need to move beyond reactive, account-centric defenses and embrace holistic identity threat protection. This requires operationalizing identity analytics to map exposures across the entire digital footprint — past and present, personal and professional — and enabling swift, automated remediation to eliminate access before it can be exploited.
