SOCshare March 2025: cybersecurity landscape review


March 2025 was marked by active ransomware groups, new vulnerabilities, and high-impact breaches across sectors.

Ransomware Still Dominates 

CYFIRMA reported 662 ransomware incidents in March – lower than February but still substantial. Manufacturing and IT companies were affected the most, and U.S. companies accounted for nearly half of all victims.

New groups such as Arkana, CrazyHunter, and NightSpire emerged, while established actors upgraded their tools. Black Basta's RaaS tooling BRUTED, an automated brute-force framework for targeting VPNs and firewalls, and new backdoors like Betruger – likely developed specifically for use in ransomware attacks – supported stealthier intrusions. Attackers increasingly exploit edge devices and IoT hardware, bypassing traditional security layers.

Data breaches hit healthcare, finance and public services. Notable cases:

  • Palau’s Ministry of Health: Qilin ransomware
  • Toronto Zoo: Akira ransomware
  • Angel One: Brokerage (cloud storage misconfiguration)
  • Carruth compliance consulting: Legacy breach data resurfacing

Key Takeaways 

  • Ransomware operations are evolving, focusing on persistence, credential theft, and data exfiltration – not just encryption. 
  • Critical vulnerabilities remain a top entry point, especially in virtualization and exposed edge devices. 
  • Ransomware-as-a-Service (RaaS) continues to grow rapidly, with new groups entering the ecosystem and established groups evolving their tooling, making it easier for less-skilled attackers to launch high-impact campaigns. 

Looking Ahead 

Organizations should reinforce identity security, accelerate patch cycles, and bolster monitoring across cloud, IoT, and remote-access systems. March 2025 makes one thing clear: the threat landscape is broadening, and defenses must evolve with it. 

This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.
