Ransomware remains top threat to large and midsized businesses; most active groups are increasingly leveraging AI for low-effort, high-reward campaigns
Acronis, a global leader in cybersecurity and data protection, today released the findings of the Acronis Cyberthreats Report H1 2025, detailing the most popular threat vectors, active threat groups, and targeted industries in the first half of 2025. Ransomware remains the major threat for large and medium-sized businesses, with new groups increasingly leveraging AI to automate their activities. Phishing accounted for 25% of all attacks and 52% of attacks targeting MSPs, a 22% increase compared to H1 2024. India emerged as the most targeted country worldwide, with 12.4% of monitored endpoints affected, highlighting the nation’s growing vulnerability to sophisticated threats such as AI-powered phishing and impersonation attacks.
The biannual report covers the global threat landscape as encountered by the Acronis Threat Research Unit (TRU) and Acronis sensors on Windows endpoints from January through June 2025. Based on signals from over 1,000,000 unique endpoints distributed around the world, the report also incorporates statistics focused on threats targeting Windows operating systems, given their prevalence as compared to macOS and Linux.
“While the endgame for cybercriminals is still ransomware, how they get there is changing,” said Gerald Beuchelt, CISO at Acronis. “Even the least sophisticated attackers today have access to advanced AI capabilities, generating social engineering attacks and automating their activities with minimal effort. The result is that MSPs, manufacturers, ISPs, and others are constantly exposed to sophisticated attacks, including increasingly advanced deepfakes, and all it takes is one mistake to put the organizations’ entire future at risk. To survive in this threat landscape and avoid damaging ransomware payloads, a holistic cyber protection strategy that incorporates advanced detection, response and recovery capabilities is essential.”
Implications for Indian Industries
Collaboration applications, widely used across Indian enterprises, have become a growing attack vector. Phishing incidents on platforms such as Microsoft Teams and Slack surged from 9% to 30.5% in the first half of 2025. Meanwhile, advanced email threats — including payload-less and spoofed attacks — rose sharply from 9% to 24.5%, underscoring the urgent need for adaptive, AI-informed security systems.
“India’s digital economy is expanding rapidly, but with that growth comes an expanded attack surface. As threat actors evolve, Indian enterprises — especially in manufacturing and infrastructure — must implement AI-aware cybersecurity frameworks to stay ahead,” said Rajesh Chhabra, General Manager, India & South Asia at Acronis. “Given the sector’s strategic importance under the Make in India initiative, ransomware attacks targeting manufacturing pose a significant risk to the country’s economic growth and industrial resilience. These figures paint a sobering picture. AI is empowering cybercriminals to operate at scale and with higher precision. Enterprises must transition from reactive to behavior-based security models.”
Attackers are also increasingly compromising Managed Service Providers (MSPs) by exploiting Remote Monitoring and Management (RMM) tools. TeamViewer emerged as the most targeted, with 4.56% of global Acronis customers still using unpatched versions. India’s expanding IT services sector must prioritize regular patching and vigilant monitoring of such platforms to reduce risk.
Cybercriminal Tactics and the Misuse of AI
The most observed attack technique was MITRE ATT&CK T1055.001 (Process Injection), typically via DLL injection to evade detection. PowerShell was widely used to execute obfuscated scripts and deploy stealth malware. To counter these threats, organizations should enforce strict script control policies, deploy behavior-based Endpoint Detection and Response (EDR) solutions, and conduct regular endpoint activity audits.
Following the takedown of several black-market AI services, attackers are increasingly turning to legitimate AI tools to automate phishing, impersonation, and reconnaissance. While these tools are not yet integrated across the full attack lifecycle, this marks a shift toward more scalable and precise threat generation.
Recommendations for Enterprises
Acronis advises businesses and MSPs to adopt a proactive, multi-layered defense strategy that includes the following measures:
- Deploy behavior-based threat detection and EDR solutions.
- Regularly audit and update third-party applications, particularly RMM platforms.
- Implement comprehensive cloud and email security strategies.
- Conduct ongoing employee education on social engineering and phishing techniques.
For more information, download a copy of the full Acronis H1 2025 Cyberthreats Report here: https://www.acronis.com/en-sg/resource-center/resource/acronis-cyberthreats-report-h1-2025
To learn more about the report and its findings, visit the Acronis blog here: https://www.acronis.com/en-sg/blog/posts/acronis-cyberthreats-report-h1-2025-some-good-news-and-a-lot-of-bad-news