2025 will be the “year of disruption” as organizations experience an increase in cyberattacks that halt business operations and impact end users. This disruption will be defined by a rise in mega breaches that take entire enterprise networks offline, driven by supply chain vulnerabilities and attackers reaching new levels of speed and sophistication. Additionally, the cost of cyber disruption will increase next year as businesses experience downtime due to cyberattacks and scramble to implement defenses fit for the AI-enabled attacker era.
As part of Palo Alto Networks 2025 predictions, read on to uncover Unit 42’s insights on what to expect in the coming year.
Generative AI Will Increase the Speed and Scale of Cyberattacks
Attack Speeds Could Increase up to 100X as Threat Actors Leverage GenAI
We predict that GenAI will continue to reduce the time needed for every stage of the MITRE ATT&CK® framework. It will also decrease the mean time to exfiltrate (MTTE) for threat actors by enabling them to move rapidly from vulnerability exploitation to impact. In 2023, the MTTE data from an organization was two days (and in some cases hours), down from nine days in 2021. We expect MTTE to continue to decrease in 2025, with the time to exfiltrate dropping as low as 25 minutes for some incidents. That's over 100x faster attacks in just three years.
Elsewhere in the MITRE ATT&CK framework, we'll encounter GenAI-powered operations capable of accelerating reconnaissance by automating open-source intelligence (OSINT), aiding initial access through hyperpersonalized phishing and smishing communications, and automating the identification of sensitive information and assets. GenAI will significantly reduce the time required for persistence and lateral movement by automating and streamlining various stages of the attack lifecycle. This will allow adversaries to pivot across networks and deliver customized payloads more quickly.
Adversaries Will Leverage GenAI-Enhanced Ransomware-as-a-Service (RaaS) for More Advanced Attacks
In 2025, we foresee GenAI capabilities (e.g., threat actor-trained LLMs) automating portions of ransomware development and distribution. It will also be used to facilitate the creation of customizable ransomware kits and builders, complete with automated encryption, victim targeting and reconnaissance. There’s even the possibility of chatbots being utilized by threat actors to more quickly and easily negotiate ransom demands.
The impact could be an increase in the frequency and sophistication of ransomware attacks. This could result in a greater challenge for cybersecurity professionals in defending against and mitigating the effects of such attacks.
Ransomware Dynamics Will Shift
Cybercriminals Will Pour Higher Ransom Payments into R&D to Increase Scale, Sophistication and Speed of Attacks
We project that cybercriminals will lean on business disruption to continue to demand ransom payments in the tens of millions. Many sophisticated groups, such as Muddled Libra, will reinvest these funds into the maturation of their cybercriminal capabilities to circumvent defenses. We’ll see more sophisticated tactics from these groups as their profits are used to improve capabilities along every step of the attack chain. In 2025, attackers will begin developing and testing generative AI technologies to use over the next 3-5 years. This could enable them to identify and exploit zero-day vulnerabilities and even create AI agents capable of executing autonomous attacks.
But… Ransomware Efficacy Hangs in the Balance as Organizations Enhance Resilience
We anticipate a shift in the effectiveness of ransomware demands as organizations increasingly focus on enhancing disaster recovery capabilities, leveraging cloud-based redundancies and investing in resilient architectures. With these advancements, businesses are gaining the ability to restore operations independently, reducing the need to consider ransom payments.
We’ll also see a decline in ransom payments as organizations realize the limited benefits it provides in controlling stolen data. Paying a threat actor fails to remove legal liability for data breaches, and there’s no assurance that data will be deleted as promised. As a result, many organizations will prioritize strategies that ensure swift and secure recovery, such as immutable backups, advanced recovery planning and redundant systems designed to minimize downtime.
This marks a significant change in how businesses approach ransomware. By investing in resilience and recovery rather than paying ransoms, organizations are not only undermining the ransomware business model but also improving their ability to withstand future attacks.
Threats Will Ramp up Against Vulnerable Targets
Critical Infrastructure Will Be a Prime Target for Nation-State Advanced Persistent Threats
As geopolitical tensions continue to rise worldwide, we expect to see an increase in cyberattacks targeting critical infrastructure. The heightened tensions between nation-states create an environment where offensive cyber campaigns are integrated into broader geopolitical strategies. These attacks will focus on preemptively positioning adversaries within essential services, like energy, water, transportation or healthcare, enabling strategic footholds that can be leveraged to disrupt operations when a strategic benefit is perceived. With ongoing conflicts, including Russia's war with Ukraine, escalating tensions in the Middle East, and rising cross-strait tensions between China and Taiwan, we expect increased cyberthreat activity in these regions and any new areas of global conflict.
Threats Against the Supply Chain Will Continue to Proliferate
Despite increased awareness of software supply chain vulnerabilities, organizations will continue to struggle with effectively managing them, largely due to the complex and nested nature of software dependencies. Many modern applications rely on deeply nested layers of open-source components, where dependencies often create vulnerabilities that propagate across multiple products and vendors. This interdependence makes it difficult to track and mitigate risks, allowing a single flaw to potentially affect an entire software ecosystem.
In 2025, these challenges will intensify for three key reasons. First, we anticipate a rise in attacks targeting third-party vendors, as their vulnerabilities make them attractive to threat actors. Second, we believe large-scale supply chain attacks, similar in scope to SolarWinds, are already underway, but have yet to be discovered. Finally, we expect APT groups to increasingly target major cloud service providers, seeking to gain broad access through a single breach, maximizing their impact while reducing the risk of detection.
To discover more, see our 7 game-changing predictions for 2025 from Palo Alto Networks.
Contributors: Mike Sikorski, CTO and VP of Engineering at Unit 42, Palo Alto Networks, Andy Piazza, Senior Director of Threat Intelligence at Unit 42, Palo Alto Networks, Jamie Williams, Principal Threat Intelligence Researcher at Unit 42, Palo Alto Networks, Mike Spisak, Managing Director of Proactive Security at Unit 42, Palo Alto Networks, LeeAnne Pelzer, Senior Consulting Director at Unit 42, Palo Alto Networks, Kyle Wilhoit, Director of Threat Research at Unit 42, Palo Alto Networks