Ransomware surges. VPN exploits spike. Dark web activity rebounds.
PDI’s latest threat intelligence reveals Akira ransomware’s rise, firewall vulnerabilities under fire, and a sharp uptick in infostealer market listings. Get strategic insights to protect what matters most.
JANUARY THROUGH MARCH
Q1 2025 saw a sharp rise in VPN and firewall exploits, a ransomware surge in retail, and a rebound in dark web market activity.
Ransomware extortion publications per day
Total publications Q1
Change from Q4
While ransomware publications fell slightly (-2.83%) from Q4, the level of activity seen in Q4 (which was itself a 46% increase from Q3) appears to have continued throughout Q1 with only a minimal drop.
How to combat: Defend against ransomware with regular backups, endpoint protection, zero-trust security, and employee training. Keep systems patched and use advanced threat detection to stay ahead.
Lumma-related listings in Q1
Drop in total dark web listings from Q4
Lumma listing drop before March rebound
In Q1 2025, dark web marketplace listings dropped early in the quarter due to a slump in Lumma Stealer activity, then rebounded sharply in March. Lumma remained the dominant infostealer, driving most credential-theft listings.
How to combat: Use layered security, encrypt data, and enforce strong passwords with MFA. Monitor the dark web for exposed info, and train users to spot phishing and social engineering attacks.
Total Exploit Events in Q1
Unique Exploits Detected
Change from Q4
Q1 2025 exploit activity experienced a marginal decrease, with over 29 million events and 601 unique exploits detected—highlighting continued targeting of VPNs, firewalls, and legacy vulnerabilities.
How to combat: Reduce exploit risk by patching high-priority vulnerabilities, especially in remote access tech. Pair with active monitoring and intrusion prevention to detect and block threats early.
As PDI's Director of Security Operations, Justin Heard is at the helm of the company's key security initiatives, encompassing incident response, threat hunting and cyber intelligence. With over 16 years of experience in cybersecurity, including roles such as threat hunter, incident commander and intelligence analyst, Justin has a deep understanding of the cybersecurity domain. His leadership is instrumental in bolstering PDI’s defenses and adapting to the rapidly changing landscape of cyber threats.
Before his tenure at PDI, Justin enhanced his skill set in the defense sector, serving as a network administrator and security engineer. Justin has an associate degree in Computer Networking Systems from ITT Tech.
Josh is a supervisor of threat intelligence at PDI who works closely with organizational threat landscapes, curates threat intelligence, and authors PDI’s Quarterly Threat Landscape Report. Josh is currently pursuing his master’s degree in Cybersecurity Technology. Previously he served with the U.S. Navy as an Operations Specialist with 14 years of service. Josh has been quoted in Forbes, CSO Online, Channel Futures, Dark Reading, and others.