WatchGuard Blog

Key Lessons from the Major Ransomware Attacks in Recent Months

Learn from the ransomware attacks in recent months and find out how to protect your company against advanced threats.

The biggest ransomware attacks of 2025 have shown that this threat remains critical for organizations across all sectors. Incidents such as the Change Healthcare attack, which compromised the data of nearly 190 million individuals, and the attack on Jaguar Land Rover, which forced production lines to halt and caused losses amounting to hundreds of millions of dollars, show that a single incident can impact both operational continuity and information confidentiality.

Beyond these specific cases, these attacks reflect worrying trends: initial access remains a critical point, prolonged persistence and lateral movement allow attackers to expand their reach, and ransomware is no longer limited to simply encrypting systems. Increasingly, it is part of campaigns that combine operational disruption, data theft, and pressure through the threat of public exposure. According to our 2026 cybersecurity predictions, traditional crypto-ransomware is increasingly becoming just one tool in an attacker’s arsenal rather than the ultimate objective. Modern attacks are more often focused on information exfiltration and extortion, using ransomware to amplify pressure. This shift compels organizations to rethink how they detect, contain, and respond to such incidents.

Vulnerable Initial Access and Persistence Make the Difference

One of the key lessons of 2025 is that most attacks begin with avoidable access failures. Compromised credentials and the lack of multi-factor authentication (MFA) are recurring vectors that allow attackers to enter the network and move undetected.

Implementing MFA, auditing permissions, and educating users on phishing and impersonation are critical steps to reduce the likelihood of successful initial access. In addition, endpoint monitoring and event correlation make it possible to detect patterns of lateral movement, flagging suspicious activity before it escalates into a serious incident. Attackers often remain undetected for days or weeks, which gives them time to plan more targeted attacks. Identifying and neutralizing these movements early is therefore crucial for containing advanced threats. Although crypto-ransomware may lose relative prominence in certain contexts, it remains a common tool among cybercriminals, and the future evolution of these threats continues to be difficult to predict with certainty.
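One concrete form the event correlation described above can take is a fan-out check: an account that authenticates to many distinct hosts within a short window is a classic lateral-movement pattern. The following is an added illustration, not WatchGuard's code; the logon events, host names, account names and the 10-minute/3-host thresholds are constructed assumptions, and a real deployment would tune them against a baseline of normal administrative activity.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful logon events: (timestamp, user, source host, destination host).
# "svc-backup" hops across five servers in under five minutes (suspicious fan-out);
# "bob" touches four servers but spread an hour apart; "alice" only uses two hosts all day.
SAMPLE_EVENTS = [
    ("2025-06-01T02:00:00", "svc-backup", "ws-14", "fs-01"),
    ("2025-06-01T02:01:10", "svc-backup", "ws-14", "fs-02"),
    ("2025-06-01T02:02:30", "svc-backup", "ws-14", "db-01"),
    ("2025-06-01T02:03:05", "svc-backup", "ws-14", "hr-01"),
    ("2025-06-01T02:04:40", "svc-backup", "ws-14", "dc-01"),
    ("2025-06-01T08:00:00", "bob", "ws-03", "fs-01"),
    ("2025-06-01T09:00:00", "bob", "ws-03", "fs-02"),
    ("2025-06-01T10:00:00", "bob", "ws-03", "db-01"),
    ("2025-06-01T11:00:00", "bob", "ws-03", "hr-01"),
    ("2025-06-01T09:00:00", "alice", "ws-07", "mail-01"),
    ("2025-06-01T13:30:00", "alice", "ws-07", "fs-01"),
]


def find_lateral_movement(events, window=timedelta(minutes=10), max_hosts=3):
    """Return {user: set_of_destination_hosts} for every user who authenticated to
    more than `max_hosts` distinct hosts inside any sliding time window of `window`."""
    by_user = defaultdict(list)
    for ts, user, _src, dst in events:
        by_user[user].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for user, logons in by_user.items():
        logons.sort()  # chronological order so each start index opens a window
        for i, (start, _) in enumerate(logons):
            hosts = {dst for t, dst in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                alerts[user] = hosts  # record the hosts reached in the offending window
                break
    return alerts


if __name__ == "__main__":
    for user, hosts in find_lateral_movement(SAMPLE_EVENTS).items():
        print(f"possible lateral movement: {user} reached {sorted(hosts)}")
```

Widening the window (for example to four hours) would also flag "bob", which shows why the thresholds must reflect what is normal for each account role rather than a fixed value.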

Ransomware Evolves from Encryption to Exfiltration and Extortion

The second lesson focuses on the evolution of ransomware toward double extortion, combining operational disruption with data theft and the threat of public exposure. We believe that traditional crypto-ransomware will fade as organizations have significantly improved their backup and recovery capabilities. Today, attackers’ real leverage lies in stealing information and threatening to make it public, sometimes even involving insurers to intensify the pressure.

To face this new landscape, a layered defense strategy is recommended, including:

  • Behavior-based endpoint protection: This enables the detection of unusual activity, the isolation of compromised systems, and the limitation of attackers’ lateral movement before it causes widespread damage.
  • Network perimeter security: This measure is necessary to stop malware at the point of entry, preventing it from spreading into internal systems and compromising sensitive information.
  • Identity and access control: Strengthening identity verification through MFA and applying zero-trust network access (ZTNA) principles ensures that even if credentials are compromised, attackers cannot automatically access accounts, sensitive information, or critical services.

This integrated approach helps limit both the spread of the attack and the loss of sensitive data, thereby mitigating operational, legal, and reputational impacts. The key lies not only in restoring systems but in detecting and preventing data exfiltration before extortion can take place.

The evolution of ransomware towards data exfiltration and extortion through exposure compels us to rethink cybersecurity from a preventative and preparedness perspective. Anticipation involves reinforcing identity to reduce the risk of unauthorized initial access, using network security to gain visibility into traffic and detect suspicious movement before the attack spreads, and relying on endpoint protection to identify anomalous behavior and contain threats in their early stages.

Moreover, the trend towards data theft shows that organizations must prepare for potential leaks, not just encryption attacks. This includes securing the supply chain: choosing suppliers who also protect their data, as the information they handle is part of yours, and applying consistent security controls across all nodes through which information flows. Anticipating such scenarios and combining prevention with response plans for unwanted exposures help minimize operational, legal, and reputational impacts and ensure that operations can continue even in the face of increasingly sophisticated threats.

Find out more about how to protect your organization against ransomware in our 2026 cybersecurity trends: https://www.watchguard.com/wgrd-solutions/security-trends/ransomware