IBM 2025 X-Force Threat Intelligence Index: Surge in Credential Theft as Cybercriminals Embrace Stealth Over Ransomware

IBM (NYSE: IBM) has published its 2025 X-Force Threat Intelligence Index, revealing a notable pivot by cybercriminals toward stealthier strategies, with credential theft on the rise and traditional ransomware attacks on the decline. In 2024, X-Force documented an 84% spike in phishing emails delivering infostealer malware, underscoring a shift toward large-scale identity-based threats.
The report identifies emerging and persistent cyberattack trends by drawing insights from dark web monitoring, threat intelligence feeds, and incident response cases.
Key Highlights from the 2025 Report:
- Critical infrastructure targeted heavily: Organizations in this sector made up 70% of all incidents handled by IBM X-Force, with over 25% of breaches resulting from exploited vulnerabilities.
- Data theft over encryption: 18% of attackers opted to steal data, compared to 11% who encrypted it, reflecting the impact of stronger detection tools and global law enforcement pressure.
- Credential theft in nearly one-third of incidents: As attackers adopt faster methods for accessing and monetizing login credentials, identity-based attacks are becoming increasingly common.
“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”
Outdated Systems Pose Major Risks to Critical Infrastructure
Aging technology and delayed patching continue to expose vital sectors. IBM X-Force reports that in over 25% of incidents within critical infrastructure, attackers successfully exploited known vulnerabilities.
Four of the top 10 most discussed vulnerabilities on dark web forums are tied to advanced threat actor groups, including nation-state entities. Exploit code for these vulnerabilities is widely shared, supporting attacks on electric grids, health systems, and industrial operations. This overlap between financially driven hackers and geopolitical adversaries increases the need for enhanced dark web intelligence and proactive patch management.
Credential Theft Accelerates Through Automation
In 2024, phishing campaigns distributing infostealers intensified, and early 2025 data shows a staggering 180% increase from 2023. This growth appears driven by AI-powered phishing, allowing adversaries to scale their efforts.
Infostealers provide cybercriminals with rapid, low-footprint access to credentials, which are then sold in bulk on the dark web. In 2024, the top five infostealers accounted for over 8 million listings, each potentially containing hundreds of login records. Sophisticated adversaries also deploy Adversary-in-the-Middle (AITM) phishing kits that bypass MFA protections, further fueling a robust underground economy for unauthorized access.
Ransomware Groups Recalibrate to Reduce Risk
Despite ransomware remaining the most prevalent malware in 2024 (28% of cases), its overall use declined as identity-based attacks gained traction.
Global law enforcement crackdowns have led ransomware operators to adopt more fragmented and lower-risk tactics. Notably, groups such as ITG23 (Wizard Spider) and ITG26 (QakBot) either ceased operations or migrated to alternative malware families, seeking to replace dismantled botnets with new, ephemeral tools.
Additional Insights from the 2025 Threat Index:
- AI in the crosshairs: Although large-scale AI-related cyberattacks didn’t emerge in 2024, IBM X-Force anticipates a rise in attacks as vulnerabilities, like the RCE flaw it uncovered in an AI framework, become more frequent. The growing use of AI calls for end-to-end pipeline security.
- Asia and North America are the most targeted: Asia (34%) and North America (24%) accounted for nearly 60% of all attacks IBM X-Force responded to globally.
- Manufacturing remains ransomware’s top target: For the fourth year running, the manufacturing sector experienced the most ransomware attacks, largely due to its low tolerance for downtime and high return potential for attackers.
- Linux threats increase: Research with Red Hat Insights showed that over half of Red Hat Enterprise Linux environments were missing at least one critical patch, and 18% lacked five or more. Top ransomware groups now actively support both Windows and Linux, reflecting this platform’s growing risk exposure.
Additional Resources
- Download a copy of the 2025 IBM X-Force Threat Intelligence Index.
- Sign up for the 2025 IBM X-Force Threat Intelligence webinar on Tuesday, April 22nd at 11:00 am ET.
- Connect with the IBM X-Force team for a personalized review of the findings.
- Read more about the report’s top findings in this IBM blog.
About IBM
IBM is a leading provider of global hybrid cloud, AI, and consulting expertise. We help clients in more than 175 countries capitalize on insights from their data, streamline business processes, reduce costs, and gain a competitive edge in their industries. Thousands of governments and corporate entities in critical infrastructure areas such as financial services, telecommunications and healthcare rely on IBM’s hybrid cloud platform and Red Hat OpenShift to effect their digital transformations quickly, efficiently, and securely. IBM’s breakthrough innovations in AI, quantum computing, industry-specific cloud solutions and consulting deliver open and flexible options to our clients. All of this is backed by IBM’s long-standing commitment to trust, transparency, responsibility, inclusivity, and service. Visit www.ibm.com for more information.