
Malicious actors continue to exploit our connected digital ecosystem, disrupting organizations across all sectors. Some of the most significant evolutions in the cyber threat landscape stem from artificial intelligence (“AI”)-enhanced intrusions and a surge in nation-state activity tied to rising geopolitical tensions. When cyber incidents do occur, organizations must manage not only the immediate demands of incident response, but the prolonged aftermath—including ongoing engagement with law enforcement, regulatory bodies, and affected customers or stakeholders.

In this Legal Update, we highlight key trends shaping the cybersecurity landscape and offer practical recommendations to help mitigate the associated risks.

Key Developments in the Cyber Threat Landscape

1. Artificial Intelligence-Enhanced Attacks

Over the past year, an estimated 16% of reported cyber incidents involved attackers leveraging AI tools, such as image and language generation models, to carry out sophisticated social engineering attacks.1 Generative AI (“GenAI”) has increased the effectiveness of these attacks by making them more convincing and enabling automation of intrusion tools.

Threat actors are using GenAI in various ways to gain unauthorized access to a target organization’s systems, including the following examples:

  • Deepfakes: Threat actors create realistic audio or video impersonations of executives or support personnel to induce fraudulent wire transfers, obtain user credentials, and authorize changes that compromise user accounts. In one notable incident, unidentified threat actors leveraged publicly available footage of a target organization’s Chief Financial Officer and other employees to create convincing deepfake videos that successfully deceived a victim into transferring $25.6 million to the threat actors.
  • Vishing: Threat actors use AI-generated scripts and voice clones in targeted telephone campaigns to persuade victims to download malicious payloads, establish remote support sessions, or disclose their credentials in order to gain access to the victim’s environment.
  • AI-Enhanced Phishing: Threat actors use GenAI tools to produce tailored emails and text messages that include contextual details and a natural tone. This tactic has increased the likelihood that victims will click on malicious links included in the communications, thereby allowing threat actors to capture the victims’ credentials.

2. Ransomware

Ransomware remains a major threat to organizations across all sectors. Recent industry reports show a 12% year-over-year increase in ransomware-related breaches, with attackers adopting more aggressive extortion techniques and using more sophisticated tools. Threat actors now combine data encryption with more disruptive tactics, such as harassing employees and threatening critical operations, resulting in prolonged downtime and higher recovery costs.2 Notable ransomware groups include:

  • Scattered Spider: As highlighted in our July Legal Update, the Scattered Spider threat group has resurfaced in recent headlines by using social engineering techniques to gain initial access to entities across a wide variety of industries.
  • LockBit: The LockBit ransomware group re-emerged in early 2025 with the release of its updated toolkit, LockBit 4.0, and has continued to launch aggressive extortion campaigns, particularly against the private sector in the United States.

In response to the ongoing ransomware threat, companies appear to be shifting their approach. According to a recent industry report, approximately 63% of surveyed organizations declined to pay a ransom in the past year, an increase from 59% in 2024.3

3. Nation State Threats in the Geopolitical Landscape

Nation-state threat actors have intensified their operations, targeting telecommunications, critical infrastructure, and strategic third-party service providers. These campaigns commonly employ cyber espionage and sophisticated deception tactics to steal user credentials and gain unauthorized access.

For example, China-based threat actor groups have dramatically increased their activities over the past year, with certain targeted industries suffering a 200% to 300% surge in attacks compared to the previous year.4 Two high-profile intrusions captured attention across the globe: Salt Typhoon and Volt Typhoon. The Salt Typhoon campaign infiltrated major telecommunications networks in a wide-reaching cyber espionage operation. Volt Typhoon, by contrast, involved prepositioning access within critical infrastructure systems, raising serious concerns about the potential for escalation into physical harm or disruption.

In addition to technical intrusions, threat actors affiliated with nation-states have also exploited social engineering tactics such as pretexting and recruitment fraud to obtain privileged access. For example, North Korea-affiliated threat actors infiltrated US companies by fabricating documentation and creating highly convincing candidate profiles to secure employment in IT support roles, positions they then leveraged to harvest user credentials or execute fraudulent financial transactions.

Additionally, Iran-linked actors have been notable for their use of GenAI tools over the past year. In July 2025, an Iran-associated threat actor group reportedly amplified leaked information through AI chatbots following a hack-and-leak campaign targeting sensitive data of journalists. This emerging use of AI tools to magnify the impact of cyberattacks adds a new layer of complexity to incident response efforts.

4. Third-Party Attacks

A third-party attack occurs when a threat actor compromises a supply-chain partner, vendor, or software provider, and leverages that access to gain a foothold in the target organization’s network. These attacks often cascade across interconnected systems, impacting multiple downstream entities and customers who rely on the compromised software or services.

Recent threat-intelligence reporting highlights a rise in financially motivated intrusions that target software providers as the initial entry point into broader corporate ecosystems.5 By breaching a third-party vendor, threat actors can bypass the target's perimeter defenses and inherit the vendor's privileged access to sensitive business environments.

These threat actors frequently exploit hosted environments, such as cloud platforms and SaaS ecosystems, by moving laterally across customer instances, harvesting credentials, and exfiltrating proprietary data at scale. This tactic allows for a widespread impact, particularly when vendors serve multiple clients across industries.

Third-party supply chain compromises have become one of the most costly and persistent cyber threat vectors. According to recent data, these breaches incur an average cost of $4.91 million and take longer to identify and contain than any other form of cyber intrusion.6 The complexity of vendor relationships and the extended dwell times can contribute to delayed response times and increased exposure for affected organizations.

Recommendations

Maintaining a comprehensive, risk-based cybersecurity program remains the most effective defense against today's evolving cyber threats. As cyber threat activity grows more sophisticated and attacks become more frequent, organizations can take proactive steps to mitigate the risks outlined above. Although policy and technical maturity vary from one organization to the next, every organization should strive for continuous improvement across all recommended areas.

Be Prepared for High-Stakes and Fast-moving Incidents: Organizations should consider:
  • Conducting tabletop exercises involving key C-suite, board representatives, and departmental heads to validate roles, escalation paths, and decision matrices based on recent developments in threat landscapes (Cybersecurity Tabletop Exercise Tips).
  • Incorporating new and evolving threats, such as the malicious use of GenAI, in both tabletop and phishing exercises.
  • Understanding the range of GenAI tools available and adopting GenAI-enabled threat detection and vulnerability management solutions—following a documented risk assessment for any tools deployed.
Keep Policies and Procedures Up to Date and Top of Mind: Policies should reflect current threats and be accessible to key stakeholders. Organizations should consider:
  • Reviewing policies and procedures, including incident response plans, business continuity plans, and communication approval processes, to ensure they are accurate and account for quick-turn notification requirements (e.g., the 24-hour early-warning notification under the EU's NIS2 Directive and the SEC rule requiring Form 8-K disclosure within four business days of determining that an incident is material).
  • Circulating the regularly updated policies to appropriate stakeholders.
  • Establishing or enhancing internal policies addressing risk tolerance, and ensuring that the organization's use of GenAI aligns with those risk parameters.

Take Steps to Mitigate Third-Party Risks: To reduce the risk of attacks through third parties, organizations should review vendor due diligence and contractual safeguards to ensure the terms remain robust. The National Institute of Standards and Technology ("NIST") emphasizes that supply chain risk should be treated as an enterprise-wide concern and integrated into existing governance, acquisition, and risk-management processes.7 NIST's guidance outlines a comprehensive approach, including steps such as requiring vendors to attest to their secure software development practices and conducting criticality analyses to identify systems and components whose compromise would pose the greatest operational or mission impact.

The National Security Agency, separately and jointly with the Cybersecurity and Infrastructure Security Agency, published a series of best practices for cloud security and third-party risk. Key recommendations include:

  • Operating within the cloud shared responsibility model, using secure cloud identity and access management practices, and implementing network segmentation and encryption in cloud environments.
  • Performing a criticality analysis to identify vendors and components whose compromise would cause the greatest operational impact.
  • Requiring vendor attestations that they follow secure software development practices.
  • Incorporating strong contractual protections, including prompt incident notification, audit rights, subcontractor disclosure, and the right to remediate or terminate for material failures.
  • Conducting regular assessments of vendor security practices, and establishing clear incident reporting protocols.
  • Testing response efforts by conducting tabletop exercises with hypothetical scenarios involving third-party suppliers.

Ensure that Infosec Has a Solid Process for Vulnerability Management: Given that vulnerability alerts and patches are issued frequently, businesses must promptly identify and remediate vulnerabilities before threat actors are able to exploit them. In addition, organizations should consider:

  • Maintaining a documented process to identify, assess, prioritize, remediate, and track vulnerabilities. This process should be adaptable and scalable.
  • Assigning clear owners and deadlines for remediation, and documenting any decision to defer a patch together with the compensating controls that justify the deferral.
  • Implementing continuous monitoring and proactive patch management tools that produce auditable logs.
  • Monitoring vendor advisories and subscribing to coordinated disclosure feeds for critical software products.
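The process above turns on a few concrete decisions: how a vulnerability is prioritized, what deadline that priority implies, who owns it, and whether a deferral is backed by a documented compensating control. The following is an added example, not code from the original Legal Update or from any of the cited reports, showing one way to make those decisions auditable. The priority rules, SLA windows, advisory identifiers, assets and owners are all assumptions constructed for illustration; the "known exploited" flag stands in for whatever exploited-in-the-wild feed (for example CISA's KEV catalog) an organization subscribes to.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows per priority tier, in calendar days from the date the
# advisory/patch became available. Assumed values for illustration only.
SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}


@dataclass
class Vuln:
    vuln_id: str            # advisory or CVE identifier (constructed here)
    asset: str
    owner: str              # accountable remediation owner
    cvss: float
    published: date         # date the advisory/patch became available
    internet_facing: bool
    crown_jewel: bool       # flagged by the organization's criticality analysis
    known_exploited: bool   # on an exploited-in-the-wild list (assumed feed)
    remediated_on: Optional[date] = None
    deferral_reason: Optional[str] = None
    compensating_control: Optional[str] = None


def priority(v: Vuln) -> str:
    """Exploitation evidence and exposure outrank raw CVSS severity."""
    if v.known_exploited and (v.internet_facing or v.crown_jewel):
        return "P1"
    if v.known_exploited or (v.cvss >= 9.0 and v.internet_facing):
        return "P2"
    if v.cvss >= 7.0 or (v.cvss >= 4.0 and v.internet_facing):
        return "P3"
    return "P4"


def due_date(v: Vuln) -> date:
    return v.published + timedelta(days=SLA_DAYS[priority(v)])


def status(v: Vuln, today: date) -> str:
    """remediated | deferred | deferral-invalid | open | overdue.

    A deferral without a documented compensating control is not accepted;
    it is surfaced as 'deferral-invalid' so the owner must fix the record.
    """
    if v.remediated_on is not None:
        return "remediated"
    if v.deferral_reason:
        return "deferred" if v.compensating_control else "deferral-invalid"
    return "overdue" if today > due_date(v) else "open"


def triage(vulns, today):
    """One auditable record per vulnerability, highest priority first,
    then earliest due date."""
    rows = [
        {"id": v.vuln_id, "asset": v.asset, "owner": v.owner,
         "priority": priority(v), "due": due_date(v).isoformat(),
         "status": status(v, today)}
        for v in vulns
    ]
    return sorted(rows, key=lambda r: (r["priority"], r["due"]))


def escalations(vulns, today):
    """Owner -> ids that need action now (overdue or undocumented deferral)."""
    out = {}
    for v in vulns:
        if status(v, today) in ("overdue", "deferral-invalid"):
            out.setdefault(v.owner, []).append(v.vuln_id)
    return out


# Constructed sample inventory; identifiers, assets and owners are not real.
TODAY = date(2025, 10, 15)
SAMPLE = [
    Vuln("ADV-0001", "vpn-gw-01", "netops", 8.1, date(2025, 10, 9),
         internet_facing=True, crown_jewel=False, known_exploited=True),
    Vuln("ADV-0002", "web-portal", "appsec", 9.8, date(2025, 10, 13),
         internet_facing=True, crown_jewel=False, known_exploited=False),
    Vuln("ADV-0003", "erp-db-02", "dba", 7.5, date(2025, 9, 1),
         internet_facing=False, crown_jewel=True, known_exploited=False,
         deferral_reason="vendor patch breaks month-end batch",
         compensating_control="host isolated to app subnet; query logging to SIEM"),
    Vuln("ADV-0004", "build-agent", "devops", 5.3, date(2025, 7, 1),
         internet_facing=False, crown_jewel=False, known_exploited=False,
         deferral_reason="low risk"),   # no compensating control recorded
    Vuln("ADV-0005", "mail-relay", "netops", 6.5, date(2025, 10, 1),
         internet_facing=True, crown_jewel=False, known_exploited=False,
         remediated_on=date(2025, 10, 4)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, TODAY):
        print(row)
    print("escalations:", escalations(SAMPLE, TODAY))
```

Run as-is, the constructed inventory yields one overdue P1 (a known-exploited bug on an internet-facing gateway, three days past its window) and one deferral rejected for lacking a compensating control, both routed to their owners. The point of the design is that "we decided not to patch" is only accepted when the record also says what control is in place instead, which is the evidence a regulator or forensic reviewer will ask for after an incident.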

Engage with Industry Groups and Stay Informed on Regulatory and Law Enforcement Updates: The Cybersecurity Information Sharing Act of 2015 expired at the end of its effective period in September, without reauthorization by Congress, introducing legal uncertainty around cybersecurity information sharing. Despite this, timely and coordinated information sharing remains vital to strengthening an organization’s security posture. Organizations should consider:

  • Joining industry-specific cybersecurity groups to stay informed of sector-specific threats and best practices, and to contribute to collective defense.
  • Monitoring updates from government agencies and subscribing to law enforcement threat intelligence bulletins to stay up to date on emerging threats and defensive measures.

* * * * *

These examples highlight key trends and challenges that organizations have faced this year. While it is impossible to eliminate cyber risk entirely, prioritizing incident response readiness and regulatory compliance builds technical resilience and leaves organizations in a far stronger legal position when they become the target of a cyberattack.

Stay up to date with the latest cybersecurity and data privacy resources by visiting Mayer Brown’s global Cyber and Privacy Resource Center.

1 IBM Cost of a Data Breach 2025 Report at pg. 3 and pg. 28.

2 2025 Unit 42 Global Incident Response Report at pg. 6.

3 IBM Report at pg. 4.

4 CrowdStrike 2025 Global Threat Report at pg. 3.

5 CrowdStrike 2025 Global Threat Report at pg. 40.

6 IBM Report at pg. 4.

7 Id.
