2025 IBM X-Force Threat Index: Large-Scale Credential Theft Escalates, Threat Actors Pivot to Stealthier Tactics
IBM has released its 2025 X-Force Threat Intelligence Index, revealing significant shifts in cybercrime tactics. The report highlights an 84% increase in infostealer-delivering emails in 2024, while ransomware attacks declined. Critical infrastructure organizations faced 70% of all attacks, with vulnerability exploitation causing over a quarter of these incidents.
Key findings show cybercriminals preferring data theft (18%) over encryption (11%), with nearly one-third of incidents resulting in credential theft. The report indicates a 180% increase in phishing emails delivering infostealers in early 2025 compared to 2023, potentially driven by AI-powered phishing campaigns.
Geographically, Asia (34%) and North America (24%) were the most targeted regions. Manufacturing remained the most attacked industry for the fourth consecutive year, particularly vulnerable to ransomware attacks due to low downtime tolerance.
IBM ha pubblicato il suo Indice di Intelligence sulle Minacce X-Force 2025, rivelando cambiamenti significativi nelle tattiche del cybercrimine. Il rapporto evidenzia un aumento dell'84% delle email contenenti infostealer nel 2024, mentre gli attacchi ransomware sono diminuiti. Le organizzazioni di infrastrutture critiche hanno subito il 70% di tutti gli attacchi, con lo sfruttamento di vulnerabilità responsabile di oltre un quarto di questi incidenti.
I dati principali mostrano che i cybercriminali preferiscono il furto di dati (18%) rispetto alla cifratura (11%), con quasi un terzo degli incidenti che comportano il furto di credenziali. Il rapporto indica un aumento del 180% delle email di phishing che veicolano infostealer all’inizio del 2025 rispetto al 2023, probabilmente alimentato da campagne di phishing basate su intelligenza artificiale.
Geograficamente, l’Asia (34%) e il Nord America (24%) sono state le regioni più colpite. Il settore manifatturiero è rimasto il più attaccato per il quarto anno consecutivo, particolarmente vulnerabile agli attacchi ransomware a causa della scarsa tolleranza ai tempi di inattività.
IBM ha publicado su Índice de Inteligencia sobre Amenazas X-Force 2025, revelando cambios significativos en las tácticas del cibercrimen. El informe destaca un aumento del 84% en correos electrónicos que contienen infostealers en 2024, mientras que los ataques de ransomware disminuyeron. Las organizaciones de infraestructura crítica enfrentaron el 70% de todos los ataques, con la explotación de vulnerabilidades causando más de una cuarta parte de estos incidentes.
Los hallazgos clave muestran que los ciberdelincuentes prefieren el robo de datos (18%) sobre el cifrado (11%), con casi un tercio de los incidentes resultando en robo de credenciales. El informe indica un aumento del 180% en correos de phishing que entregan infostealers a principios de 2025 en comparación con 2023, posiblemente impulsado por campañas de phishing con inteligencia artificial.
Geográficamente, Asia (34%) y Norteamérica (24%) fueron las regiones más atacadas. La manufactura siguió siendo la industria más atacada por cuarto año consecutivo, particularmente vulnerable a ataques de ransomware debido a la baja tolerancia al tiempo de inactividad.
IBM은 2025년 X-Force 위협 인텔리전스 지수를 발표하며 사이버 범죄 전술의 중요한 변화를 공개했습니다. 보고서에 따르면 2024년 인포스틸러를 전달하는 이메일이 84% 증가했으며, 랜섬웨어 공격은 감소했습니다. 중요 인프라 조직이 전체 공격의 70%를 차지했으며, 취약점 악용이 이 사건의 4분의 1 이상을 차지했습니다.
주요 발견은 사이버 범죄자들이 암호화(11%)보다 데이터 탈취(18%)를 선호하며, 사건의 거의 3분의 1이 자격 증명 탈취로 이어졌음을 보여줍니다. 보고서는 2023년과 비교해 2025년 초 인포스틸러를 전달하는 피싱 이메일이 180% 증가했으며, 이는 AI 기반 피싱 캠페인에 의해 촉진된 것으로 보입니다.
지역별로는 아시아(34%)와 북미(24%)가 가장 많이 공격받은 지역이었습니다. 제조업은 4년 연속 가장 많이 공격받는 산업으로 남았으며, 다운타임 허용치가 낮아 랜섬웨어 공격에 특히 취약했습니다.
IBM a publié son Indice de Renseignement sur les Menaces X-Force 2025, révélant des changements importants dans les tactiques de la cybercriminalité. Le rapport met en lumière une augmentation de 84% des emails contenant des infostealers en 2024, tandis que les attaques par ransomware ont diminué. Les organisations d’infrastructures critiques ont subi 70% de toutes les attaques, l’exploitation de vulnérabilités étant à l’origine de plus d’un quart de ces incidents.
Les principales conclusions montrent que les cybercriminels préfèrent le vol de données (18%) au chiffrement (11%), près d’un tiers des incidents aboutissant à un vol d’identifiants. Le rapport indique une augmentation de 180% des emails de phishing livrant des infostealers début 2025 par rapport à 2023, probablement alimentée par des campagnes de phishing assistées par intelligence artificielle.
Géographiquement, l’Asie (34%) et l’Amérique du Nord (24%) ont été les régions les plus ciblées. Le secteur manufacturier est resté l’industrie la plus attaquée pour la quatrième année consécutive, particulièrement vulnérable aux attaques par ransomware en raison de sa faible tolérance aux temps d’arrêt.
IBM hat seinen X-Force Threat Intelligence Index 2025 veröffentlicht, der bedeutende Veränderungen in den Taktiken der Cyberkriminalität aufzeigt. Der Bericht verzeichnet einen 84%igen Anstieg von E-Mails mit Infostealern im Jahr 2024, während Ransomware-Angriffe zurückgingen. Organisationen der kritischen Infrastruktur waren Ziel von 70% aller Angriffe, wobei die Ausnutzung von Schwachstellen mehr als ein Viertel dieser Vorfälle verursachte.
Wesentliche Erkenntnisse zeigen, dass Cyberkriminelle Datendiebstahl (18%) gegenüber Verschlüsselung (11%) bevorzugen, wobei fast ein Drittel der Vorfälle zum Diebstahl von Zugangsdaten führt. Der Bericht weist auf einen 180%igen Anstieg von Phishing-E-Mails mit Infostealern Anfang 2025 im Vergleich zu 2023 hin, möglicherweise angetrieben durch KI-gestützte Phishing-Kampagnen.
Geografisch waren Asien (34%) und Nordamerika (24%) die am stärksten betroffenen Regionen. Die Fertigungsindustrie blieb zum vierten Mal in Folge die am meisten angegriffene Branche und ist aufgrund der geringen Ausfallzeit-Toleranz besonders anfällig für Ransomware-Angriffe.
- IBM's threat intelligence capabilities demonstrate strong market positioning in cybersecurity
- Company's research provides valuable insights for enterprise security solutions
- Increasing sophistication of cyber threats could require additional R&D investment
- Growing complexity of attack methods may increase costs for IBM's security services
- Nearly half of all cyberattacks resulted in stolen data or credentials
- Identity abuse was the preferred entry point
Asia Pacific represented more than one-third of attacks in 2024
The 2025 report tracks new and existing trends and attack patterns – pulling from incident response engagements, dark web and other threat intelligence sources.
Some key findings in the 2025 report include:
- Critical infrastructure organizations accounted for
70% of all attacks that IBM X-Force responded to last year, with more than one quarter of these attacks caused by vulnerability exploitation. - More cybercriminals opted to steal data (
18% ) than encrypt it (11% ) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths. - Nearly one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access, exfiltrate and monetize login information.
"Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points," said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. "Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data."
Patching Challenges Expose Critical Infrastructure Sectors to Sophisticated Threats
Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to in this sector last year.
In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion. Exploit codes for these CVEs were openly traded on numerous forums —fueling a growing market for attacks against power grids, health networks and industrial systems. This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.
Automated Credential Theft Sparks Chain Reaction
In 2024, IBM X-Force observed an uptick in phishing emails delivering infostealers and early data for 2025 reveals an even greater increase of
Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind. In 2024, the top five infostealers alone had more than eight million advertisements on the dark web and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent multi-factor authentication (MFA). The rampant availability of compromised credentials and MFA bypass methods indicates a high-demand economy for unauthorized access that shows no signs of slowing down.
Ransomware Operators Shift to Lower-Risk Models
While ransomware made up the largest share of malware cases in 2024 at
International takedown efforts are pushing ransomware actors to restructure high-risk models towards more distributed, lower-risk operations. For example, IBM X-Force observed previously well-established malware families including ITG23 (aka Wizard Spider, Trickbot Group) and ITG26 (QakBot, Pikabot) to either completely shut down operations or turn to other malware, including the use of new and short-lived families, as cybercrime groups attempt to find replacements for the botnets that were taken down last year.
Additional findings from the 2025 report include:
- Evolving AI threats. While large-scale attacks on AI technologies didn't materialize in 2024, security researchers are racing to identify and fix vulnerabilities before cybercriminals exploit them. Issues like the remote code execution vulnerability that IBM X-Force discovered in a framework for building AI agents will become more frequent. With adoption set to grow in 2025, so will the incentives for adversaries to develop specialized attack toolkits targeting AI, making it imperative that businesses secure the AI pipeline from the start, including the data, the model, the usage, and the infrastructure surrounding the models.
Asia andNorth America most attacked regions. Collectively accounting for nearly60% of all attacks that IBM X-Force responded to globally,Asia (34% ) andNorth America (24% ) experienced more cyberattacks than any other region in 2024.- Manufacturing felt the brunt of ransomware attacks. For the fourth consecutive year, manufacturing was the most attacked industry. Facing the highest number of ransomware cases last year, the return on investment for encryption holds strong for this sector due to its extremely low tolerance for downtime.
- Linux threats. In collaboration with Red Hat Insights, IBM X-Force found that more than half of Red Hat Enterprise Linux customers' environments had at least one critical CVE unaddressed, and
18% faced five or more vulnerabilities. At the same time, IBM X-Force found the most active ransomware families (e.g., Akira, Clop, Lockbit, and RansomHub) are now supporting both Windows and Linux versions of their ransomware.
Additional Resources
- Download a copy of the 2025 IBM X-Force Threat Intelligence Index.
- Sign up for the 2025 IBM X-Force Threat Intelligence webinar on Tuesday, April 22nd at 11:00 am ET.
- Connect with the IBM X-Force team for a personalized review of the findings.
- Read more about the report's top findings in this IBM blog.
About IBM
IBM is a leading provider of global hybrid cloud and AI, and consulting expertise. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs, and gain a competitive edge in their industries. Thousands of governments and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM's hybrid cloud platform and Red Hat OpenShift to affect their digital transformations quickly, efficiently, and securely. IBM's breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and consulting deliver open and flexible options to our clients. All of this is backed by IBM's long-standing commitment to trust, transparency, responsibility, inclusivity, and service. Visit www.ibm.com for more information.
Media Contact
Michele Brancati
IBM
mbrancati@ibm.com
View original content to download multimedia:https://www.prnewswire.com/news-releases/2025-ibm-x-force-threat-index-large-scale-credential-theft-escalates-threat-actors-pivot-to-stealthier-tactics-302430850.html
SOURCE IBM
FAQ
What are the key findings of IBM's 2025 X-Force Threat Intelligence Index?
How has ransomware activity changed according to IBM's 2025 security report?
What security challenges did IBM identify for critical infrastructure in 2025?
How has credential theft evolved according to IBM's 2025 threat report?
Which industries and regions were most targeted by cyberattacks in IBM's 2025 report?
