Ransomware criminal groups adapting strategies to bypass organization security measures
In a significant shift in ransomware tactics, threat actors are increasingly exploiting misconfigurations and weaknesses in enterprise environments to evade traditional Endpoint Detection and Response (EDR) solutions, according to Huntress' 2025 Cyber Threat Report and related expert insights.
Key points on ransomware tactics and evasion methods include:
- Ransomware groups are frequently gaining initial access through exploitation of internet-exposed services such as Remote Desktop Protocol (RDP) and vulnerable VPN gateways. A notable example is the SafePay ransomware group, which has been highly active in 2025, gaining access through misconfigured firewalls and bypassing multifactor authentication protections.
- Attackers are using legitimate remote access tools such as ScreenConnect for persistence, maintaining control within compromised networks while staying under the radar of EDR systems that typically look for known malware signatures or suspicious behaviours.
- Ransomware actors are also leveraging credential compromise and lateral movement within the network to avoid detection. By targeting VPNs and other remote access credentials commonly trusted by enterprises, they can circumvent EDR monitoring focused on endpoint anomaly detection.
- The trend suggests that ransomware groups are not solely relying on the ability to evade signature-based EDR detection. Instead, they are leveraging operational security failures in enterprise environments, including weaknesses in network segmentation, insufficient logging, and poor access controls, to bypass defenses without necessarily triggering EDR alarms.
Data loss prevention (DLP) services have made minimal advances and are often only installed in mature corporate environments. Greg Linares, principal threat intelligence analyst at Huntress, stated that the increased use of sophisticated evasion techniques largely stems from the competitive nature of the ransomware ecosystem. Linares noted that DLP protections are least present in corporate environments that have work-from-home and BYOD policies, which have increased in recent years.
Huntress observed a shift in ransomware tactics, with many gangs exfiltrating sensitive data from victim organizations instead of encrypting it. Threat actors are shifting to data theft and extortion rather than deploying ransomware payloads, since the encryption stage is what EDR protections are most likely to catch. The average time-to-ransom (TTR) in 2024 was nearly 17 hours, but several ransomware gangs, including Play, Akira, and Dharma/Crysis, were even faster, with an average TTR of approximately 6 hours.
The shift is a response to stronger defenses and increased law enforcement actions that took down notorious gangs such as LockBit. Ransomware gangs have adapted to these challenges by using more sophisticated tactics. The report states that enterprises, even those with EDR and ransomware protection services, are facing problems due to the lack of advancements in data loss prevention services.
In summary, ransomware threat actors in 2025 are increasingly focusing on exploiting configuration flaws, weak authentication, and remote access methods to evade detection and maintain persistence, effectively bypassing traditional EDR protections designed primarily for endpoint monitoring. This necessitates a broader security approach, including strong network hardening, multi-factor authentication enforcement, and active monitoring of access patterns to complement EDR defenses.
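The monitoring of access patterns recommended above can be made concrete with a small detection pass over remote-access authentication logs. The script below is an added example written for this article; it is not code from Huntress or the report. It assumes a simple constructed log format (timestamp, service, user, source IP, MFA flag, result) and a hypothetical allowlist of expected source ranges, and it flags the three conditions the article ties to the current ransomware playbook: successful RDP/VPN logins that bypassed MFA, logins from unexpected networks, and one account authenticating from many source addresses in a short window, a common sign of credential compromise and lateral movement.

```python
"""Flag risky remote-access logins in VPN/RDP authentication logs.

Added illustration for the article above; the log format, field names and
network ranges are constructed assumptions, not taken from any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log lines (assumed format):
# <timestamp> <service> user=<name> src=<ip> mfa=<yes|no> result=<success|failure>
SAMPLE_LOG = """\
2025-03-04T08:02:11Z vpn user=alice src=198.51.100.23 mfa=yes result=success
2025-03-04T08:05:40Z rdp user=svc-backup src=203.0.113.77 mfa=no result=success
2025-03-04T08:06:02Z vpn user=bob src=198.51.100.23 mfa=yes result=success
2025-03-04T08:07:15Z rdp user=svc-backup src=203.0.113.78 mfa=no result=success
2025-03-04T08:08:49Z vpn user=carol src=10.20.30.40 mfa=yes result=success
2025-03-04T08:09:30Z rdp user=svc-backup src=203.0.113.79 mfa=no result=failure
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)

# Hypothetical baseline: corporate egress range plus the internal network.
EXPECTED_SOURCES = [ip_network("198.51.100.0/24"), ip_network("10.0.0.0/8")]
MULTI_SOURCE_WINDOW = timedelta(minutes=10)
MULTI_SOURCE_THRESHOLD = 3  # distinct source IPs per user inside the window


def parse_events(text):
    """Turn raw log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["src"] = ip_address(e["src"])
        events.append(e)
    return events


def is_expected_source(ip):
    return any(ip in net for net in EXPECTED_SOURCES)


def find_risky_logins(events):
    """Return (rule, user, detail) tuples for each suspicious access pattern."""
    findings = []
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        by_user[e["user"]].append(e)  # failures count toward the multi-source rule
        if e["result"] != "success":
            continue
        where = f"{e['service']} from {e['src']} at {e['ts']:%H:%M:%S}"
        if e["mfa"] == "no":
            findings.append(("NO_MFA", e["user"], where))
        if not is_expected_source(e["src"]):
            findings.append(("UNEXPECTED_SOURCE", e["user"], where))

    # Sliding window per user: many distinct sources in a few minutes suggests
    # stolen credentials being replayed or used to pivot across the network.
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            window = [x for x in evs[i:] if x["ts"] - first["ts"] <= MULTI_SOURCE_WINDOW]
            srcs = {str(x["src"]) for x in window}
            if len(srcs) >= MULTI_SOURCE_THRESHOLD:
                findings.append(("MULTI_SOURCE", user,
                                 f"{len(srcs)} source IPs within {MULTI_SOURCE_WINDOW}"))
                break  # one finding per user is enough
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_risky_logins(parse_events(SAMPLE_LOG)):
        print(f"{rule:<18} {user:<12} {detail}")
```

Run against the constructed sample, the script leaves alice, bob and carol alone and raises five findings against the svc-backup account: two MFA-less RDP logins, the same two logins from an unexpected network, and one multi-source alert for three addresses inside four minutes. In practice the thresholds and the baseline ranges would come from the organization's own access history, and the findings would feed a SIEM rather than stdout.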
1. The 2025 Cyber Threat Report suggests that ransomware actors are not solely relying on evading signature-based EDR detection, but are also exploiting operational security failures in enterprise environments.
- By employing persistence tools and leveraging credential compromise to move laterally within networks, these threat actors can circumvent EDR monitoring focused on endpoint anomaly detection.
- Ransomware groups are using sophisticated evasion techniques, a trend largely stemming from the competitive nature of the ransomware ecosystem, especially in corporate environments with work-from-home and BYOD policies.
- In response to stronger defenses and increased law enforcement actions, ransomware gangs have shifted from ransomware deployment to data theft and extortion attacks, highlighting the need for advancements in data loss prevention services for effective cybersecurity in data and cloud computing environments.