Ransomware groups aren’t backing down—just shifting gears. As ransom payments shrink, attackers are adapting their playbook, placing critical infrastructure firmly in their crosshairs.
Recent cybersecurity research highlights this unsettling trend. According to Ontinue’s latest threat analysis, cybercriminals are no longer relying on old methods. Instead, they’re refining tactics to sustain their lucrative schemes. Four evolving strategies stood out: malware delivery through browser extensions and malvertising, sophisticated phishing and vishing attacks, growing IoT and OT device targeting, and persistent ransomware advancements.
One glaring revelation is the sharp decline in ransomware payouts. Ontinue’s report revealed that ransom payments dropped from $1.25 billion in 2023 to $813.5 million in 2024. Yet, paradoxically, the number of reported ransomware breaches surged. This spike suggests that attackers ramped up their operations to offset reduced success rates.
“Fewer victims are paying, but attackers aren’t giving up,” Ontinue noted. “Instead, they’re multiplying attacks, hoping volume compensates for lower returns.”
Bugcrowd founder Casey Ellis echoed this sentiment. “The decline in payments may push criminals toward higher stakes targets—think supply chains or critical infrastructure—where disruption could force payouts,” he explained.
For organizations tied to essential services, the decision not to pay could be devastating. “Critical infrastructure cannot always afford the damage caused by refusal,” warned Ngoc Bui, cybersecurity expert at Menlo Security. “The potential operational collapse makes these sectors prime ransomware targets.”
Meanwhile, ransomware gangs are fine-tuning their approach. Threat actors now interact with IT teams to extract insider knowledge, exploit SaaS platforms, and leverage file-transfer tools for double extortion attacks. Nathaniel Jones, VP of Threat Research at Darktrace, warned these tactics create more direct pathways into sensitive systems, increasing pressure on victims.
Although payouts decreased, the overall ransomware threat continues to grow and evolve—becoming more dangerous with each iteration.
Browser-based malware delivery is another alarming trend. Menlo Security and Ontinue report rising attacks using malicious browser extensions. This method proves highly effective, allowing malware to survive even after system reimaging. Users often unwittingly reintroduce the infection by syncing compromised browser profiles.
“It’s a stealthy threat,” researchers cautioned. “Once installed, these extensions evade typical removal steps, enabling persistent data theft.”
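Because a compromised extension survives reimaging by riding back in with a synced profile, the practical check is to audit what a profile actually carries rather than trust the rebuild. The script below is an added example, not code from Ontinue, Menlo Security or this article: it reads a Chromium-style Preferences file, walks the `extensions.settings` dictionary, and flags enabled extensions that are off an allowlist, were sideloaded rather than installed from the web store, or hold permissions that let them read or alter traffic and session cookies. The sample JSON, the extension IDs, names and the allowlist are all constructed for the example; only the general shape of the record layout follows Chromium's.

```python
import json
import sys
from typing import Dict, List, Set

# Constructed sample. The layout copies the shape of the extensions.settings
# dictionary in a Chromium profile's Preferences / Secure Preferences file,
# but every ID, name and permission here is made up for this example.
SAMPLE_PREFERENCES = json.dumps({
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True,
                "state": 1,
                "manifest": {
                    "name": "Approved Password Manager",
                    "version": "4.2.0",
                    "permissions": ["storage", "tabs"],
                },
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False,
                "state": 1,
                "manifest": {
                    "name": "PDF Helper Pro",
                    "version": "1.0.3",
                    "permissions": ["webRequest", "webRequestBlocking",
                                    "cookies", "<all_urls>"],
                },
            },
            "cccccccccccccccccccccccccccccccc": {
                "from_webstore": True,
                "state": 0,  # disabled: cannot run, so not reported
                "manifest": {"name": "Old Theme", "version": "0.1",
                             "permissions": []},
            },
        }
    }
})

# Permissions that let an extension observe or rewrite traffic, steal session
# cookies, or talk to native code.
HIGH_RISK_PERMISSIONS = {
    "<all_urls>", "webRequest", "webRequestBlocking", "cookies",
    "debugger", "proxy", "nativeMessaging",
}

# Extension IDs the organisation has reviewed (constructed allowlist).
ALLOWLIST: Set[str] = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}


def audit_extensions(preferences_json: str,
                     allowlist: Set[str] = ALLOWLIST) -> List[Dict]:
    """Return one finding per enabled extension that fails any check."""
    prefs = json.loads(preferences_json)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, record in settings.items():
        if record.get("state") != 1:
            continue  # only enabled extensions can execute
        manifest = record.get("manifest", {})
        perms = set(manifest.get("permissions", []))
        reasons = []
        if ext_id not in allowlist:
            reasons.append("not on allowlist")
        if not record.get("from_webstore", False):
            reasons.append("sideloaded (not from web store)")
        risky = sorted(perms & HIGH_RISK_PERMISSIONS)
        if risky:
            reasons.append("high-risk permissions: " + ", ".join(risky))
        if reasons:
            findings.append({
                "id": ext_id,
                "name": manifest.get("name", "?"),
                "version": manifest.get("version", "?"),
                "reasons": reasons,
            })
    return findings


def main(argv: List[str]) -> None:
    # Pass a real Preferences path to audit a profile; with no argument the
    # constructed sample is used.
    path = argv[1] if len(argv) > 1 else None
    data = open(path, encoding="utf-8").read() if path else SAMPLE_PREFERENCES
    for f in audit_extensions(data):
        print(f"{f['id']}  {f['name']} {f['version']}: {'; '.join(f['reasons'])}")


if __name__ == "__main__":
    main(sys.argv)
```

Run against the sample, only the sideloaded `PDF Helper Pro` entry is reported, with all three reasons. Because a synced profile will bring a flagged extension back after a local uninstall, a finding should be paired with removal from the synced account and a blocklist entry in managed browser policy, not just a delete on the endpoint.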
Phishing and vishing attacks have also grown more sophisticated, fueled by generative AI. Cybercriminals now leverage legitimate websites as launchpads, only to redirect users to malicious domains. Ontinue’s data uncovered a worrying pattern—attackers masking their identities using ‘no-reply’ sender addresses or slightly altered domains resembling major brands like Google or Apple. These domains redirect victims to sophisticated Adversary-in-the-Middle (AiTM) phishing sites designed to steal credentials.
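The sender-domain masking described above (no-reply addresses, digits standing in for letters, a brand name buried in a longer label) can be triaged mechanically before a user ever sees the message. The following is an added example, not Ontinue's detection logic or anything from the article: it normalises common homoglyphs, compares the registrable domain against a small set of protected brands by edit distance, and checks for the brand name appearing as a token inside a longer label. The sender addresses and the brand list are constructed for the example, and the two-label "registrable domain" shortcut is a simplification that production code would replace with a Public Suffix List lookup.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample From: addresses; none are real sightings.
SAMPLE_SENDERS = [
    "no-reply@accounts.google.com",     # the genuine brand domain
    "no-reply@accounts.g00gle.com",     # zeros standing in for the letter o
    "security@app1e.com",               # digit one standing in for the letter l
    "alerts@gogle.com",                 # one character dropped
    "billing@apple-support-login.co",   # brand name buried in a longer label
    "alice@example.org",                # unrelated sender
]

# Registrable domains of the brands we protect (constructed list).
PROTECTED_BRANDS = {"google.com", "apple.com"}

# Visual substitutions attackers use; multi-character pairs are applied first.
HOMOGLYPH_RULES: List[Tuple[str, str]] = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
    ("3", "e"), ("5", "s"), ("8", "b"),
]

NO_REPLY_PREFIXES = ("no-reply", "noreply", "do-not-reply", "donotreply")


def registrable_domain(address: str) -> str:
    """Last two labels of the sender domain, e.g. 'google.com'.
    Simplification: a real check uses the Public Suffix List so that
    'example.co.uk' and friends are handled correctly."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(">")
    return ".".join(domain.split(".")[-2:])


def normalize_homoglyphs(label: str) -> str:
    for src, dst in HOMOGLYPH_RULES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1,
                           prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, brands=PROTECTED_BRANDS) -> Dict[str, object]:
    """Label one address: brand, homoglyph, edit-distance, brand-token or unrelated."""
    local = address.rsplit("@", 1)[0].lower()
    domain = registrable_domain(address)
    sld, _, tld = domain.partition(".")
    result = {"sender": address, "domain": domain, "verdict": "unrelated",
              "brand": "", "no_reply": local.startswith(NO_REPLY_PREFIXES)}
    if domain in brands:
        result.update(verdict="brand", brand=domain)
        return result
    normalized_sld = normalize_homoglyphs(sld)
    if f"{normalized_sld}.{tld}" in brands:
        result.update(verdict="homoglyph", brand=f"{normalized_sld}.{tld}")
        return result
    for brand in sorted(brands):
        brand_sld = brand.split(".")[0]
        if levenshtein(normalized_sld, brand_sld) <= 1:
            result.update(verdict="edit-distance", brand=brand)
            return result
        if brand_sld in re.split(r"[-_.]", normalized_sld):
            result.update(verdict="brand-token", brand=brand)
            return result
    return result


def triage_senders(addresses: List[str]) -> List[Dict[str, object]]:
    return [classify_sender(a) for a in addresses]


if __name__ == "__main__":
    for r in triage_senders(SAMPLE_SENDERS):
        flag = " [no-reply]" if r["no_reply"] else ""
        print(f"{r['sender']:35} {r['verdict']:14} {r['brand']}{flag}")
```

The verdicts are deliberately separate rather than collapsed into one score: a `homoglyph` hit on a brand you own is almost always worth a block or a quarantine, whereas `brand-token` matches need a human look, since legitimate partners and resellers also put brand names in their domains. The `no_reply` flag on its own is not a signal of abuse, but combined with any lookalike verdict it matches the pattern the report describes.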
Vishing—the voice equivalent of phishing—is exploding. Ontinue reported a staggering 1,633% increase. AI-driven voice cloning has supercharged this threat, making it alarmingly convincing. Criminals now generate lifelike audio deepfakes to impersonate trusted figures and trick victims into sharing sensitive information or transferring funds.
“AI-powered vishing bypasses email security filters, making it tougher to detect,” the report noted.
Combating vishing requires vigilance at the user level. SlashNext CTO J Stephen Kowski stressed, “Never share personal details during unexpected calls, even if the voice sounds familiar. Always hang up and verify the caller through official channels.”
Beyond phishing, attacks targeting Internet of Things (IoT) and Operational Technology (OT) devices are rising fast. These devices, often lightly secured, provide entry points into larger systems, including critical infrastructure. Researchers warned that IoT devices are frequently designed with cost, not security, in mind.
“When manufacturers cut corners, they leave devices vulnerable to command injection, remote code execution, and privilege escalation,” Ontinue explained. These risks intensify when remote work environments bring consumer-grade IoT devices into corporate networks.
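Command injection of the kind Ontinue describes typically lives in a device's diagnostic web page, where a user-supplied hostname is spliced into a shell command for `ping` or `traceroute`. The snippet below is an added example, not code from any device vendor or from the report: it shows the unsafe command construction beside a hardened version that validates the target against strict IPv4 and hostname patterns and hands `subprocess` an argument list instead of a shell string. The function names and the validation patterns are this example's own choices.

```python
import re
import subprocess
from typing import List

# Strict IPv4 dotted-quad (each octet 0-255).
IPV4_RE = re.compile(
    r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
# RFC 1123 style hostname: labels of letters, digits and interior hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$", re.IGNORECASE)


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable pattern: the web form value lands inside a shell string.
    Anything the shell treats as a separator or substitution (';', '|', '$(...)')
    becomes part of the command, which is the injection the report describes."""
    return f"ping -c 1 {host}"


def is_valid_target(host: str) -> bool:
    """Accept only a plain IPv4 address or a well-formed hostname.
    Because both patterns require a leading alphanumeric, a value such as
    '-f' cannot be smuggled in as an option either."""
    return bool(IPV4_RE.match(host) or HOSTNAME_RE.match(host))


def build_ping_command_safe(host: str) -> List[str]:
    """Hardened form: validate first, then return an argv list so that no
    shell ever parses the user's input."""
    if not is_valid_target(host):
        raise ValueError(f"rejected target: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str, timeout: float = 5.0) -> int:
    """Execute the validated command without a shell; returns ping's exit code."""
    argv = build_ping_command_safe(host)
    completed = subprocess.run(argv, shell=False, capture_output=True,
                               timeout=timeout, check=False)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: one legitimate target, one carrying a shell separator.
    for candidate in ("10.0.0.1", "10.0.0.1; id"):
        print("unsafe string :", build_ping_command_unsafe(candidate))
        try:
            print("safe argv     :", build_ping_command_safe(candidate))
        except ValueError as exc:
            print("safe argv     :", exc)
```

The allowlist check does the real work; dropping `shell=True` alone is not enough if the value can still start with `-` and be read as an option. The same two moves (strict input grammar, no shell) apply to any firmware handler that wraps a system utility.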
Operational Technology systems face similar risks but often lack basic security and timely patching. Recent cases involving U.S. water facilities illustrate these dangers. Pro-Russian hackers manipulated industrial control systems, disabling alarms and locking out operators.
A November 2024 government audit found 97 U.S. water systems—serving 27 million people—riddled with critical vulnerabilities. By December, agencies like CISA and the EPA issued urgent warnings. “Hackers easily exploited internet-exposed Human-Machine Interfaces (HMIs), causing pumps and equipment to exceed safe operating levels,” the agencies reported.
These events underscore how attackers continually refine methods to maximize damage and profits. Today’s cybercrime is about evolution—not extinction. The threats remain familiar, but the tactics keep shifting to maintain a lucrative return on investment.
With ransomware groups targeting critical infrastructure, browser-based malware rising, and AI supercharging phishing and vishing, organizations must rethink defenses. The cost of ignoring these evolving threats could be catastrophic.