
CERT-W Report 2025: Analysis of a year of incident response and the evolving threats

Published October 7, 2025


In brief

  • Financial gain remains the primary motivation, with ransomware being the most common, but espionage is on the rise.
  • Phishing regains the top spot as the main entry point for cybercriminals.
  • Exploitation of vulnerable web services and remote access also remains a major entry vector.
  • AI, SaaS, and open-source packages expand the attack surface.

Cybersecurity report 2025: Insights, trends, and action levers

In 2025, Wavestone’s Incident Response team once again handled more than twenty major crises across a wide range of organizations and sectors. Our cybersecurity report 2025 distills frontline incident response data—highlighting phishing’s return to the top entry vector, evolving ransomware trends, and expanding SaaS/AI attack surfaces.

Today, organizations must secure increasingly complex ecosystems—spanning SaaS platforms, partners, and open-source components—against ever-faster adversaries. The fastest attack observed by our team took less than 36 hours from initial compromise to data exfiltration.

This report aims to deliver both a realistic snapshot of current attack patterns and an analysis of emerging cyber trends, offering concrete levers to strengthen information system resilience.


Discover the CERT-Wavestone 2025 Report

pdf · 1555KO

Download the report

Motivations: financial gain dominates, espionage on the rise

Analysis of the incidents we managed reveals a variety of motivations, but two dominant dynamics:

  • Financial gain (65%): through ransomware (half of these attacks), business email compromise fraud, and resale of stolen data. Profit remains the primary driver for cybercriminals.
  • Strategic data exploitation through espionage campaigns (17%, +7pts vs. 2024): several cases illustrate a growing interest in business-critical data itself (e.g. dark web publication following SQL injection, full JIRA database leak, or suspected intellectual property theft via a partner).

Other cases involve unclear or secondary motivations, but these two trends remain the most structurally significant.

Phishing: back as the leading entry point into information systems

The attacks analyzed highlight the main entry vectors used by cybercriminals:

  • Phishing: with 38% of incidents originating from phishing campaigns, phishing is the most common entry point. It enabled the compromise of both standard users and privileged accounts (administrators, VIPs, service providers). Its resurgence (20% in 2024) is also due to attackers’ creativity in reinventing this technique. Notably, we observed cases of vishing, where phishing is conducted via phone channels, making identity verification much more complex.
  • Exposed remote access: around five incidents were linked to vulnerable RDP or VPN services, compromised via brute force or opportunistic intrusions.
  • Technical vulnerabilities: present in one out of five incidents, vulnerability exploitation remains a major entry point. Two significant cases in 2025 – CVE exploitation and SQL injection – led to data exfiltration from the targeted systems.

These findings align with global trends: phishing is the top intrusion vector in 2025, ahead of vulnerability exploitation and remote access (VPN, RDP).

Key takeaways from our incident response engagements

Incident analysis also confirms four underlying trends already identified in 2024 and still relevant in 2025:

  • Backups are systematically targeted: in 90% of ransomware cases, backups were deleted or encrypted to prevent recovery and increase pressure to pay the ransom.
  • Business data compromise remains a central objective: observed in 71% of attacks, whether for espionage or extortion purposes.
  • Organizations’ vigilance and responsiveness are under pressure: the average time between intrusion and impact is just 1.5 days, reinforcing the need to reduce detection and response times through automation and AI.
  • Partners and subsidiaries remain prime targets: 56% of attacks on large enterprises occurred via their subsidiaries or partners.

Conclusion

The year 2025 confirms that cyberattacks are primarily opportunistic, fast-moving, and in some cases amplified by AI. Financial motivations dominate, backups and business data are systematically targeted, and SaaS environments or third-party providers are becoming critical entry points.

In response, organizations must not only strengthen traditional defenses – relying on automation and AI to accelerate detection and response – but also broaden their vigilance to include SaaS platforms and external partners. Learn more about organizational maturity with the Cyber Benchmark 2025.



Authors

  • Gérôme Billois

    Partner – France, Paris

    Wavestone

  • Quentin Perceval

    Senior Manager – France, Paris

    Wavestone

  • Alexis Coupechoux

    Manager

    Wavestone

  • Hadrien Plassard

    Consultant

    Wavestone