CYFIRMA reported 662 ransomware incidents in March – lower than February but still substantial. Manufacturing and IT companies were affected the most, and U.S. companies accounted for nearly half of all victims.
New groups such as Arkana, CrazyHunter, and NightSpire emerged, while established actors upgraded their tools. Black Basta's RaaS tooling BRUTED, an automated brute-force framework for targeting VPNs and firewalls, and new backdoors like Betruger – likely developed specifically for use in ransomware attacks – supported stealthier intrusions. Attackers increasingly exploit edge devices and IoT hardware, bypassing traditional security layers.
Critical Vulnerabilities Expose Core Infrastructure
In March, several major vulnerabilities were disclosed across virtualization, cloud, and enterprise platforms. Issues affecting VMware ESXi (CVE-2025-22224, CVE-2025-22225, and CVE-2025-22226), Windows Fast FAT drivers (CVE-2025-49721), and various vulnerabilities in IoT devices highlighted the continuing challenge of patching widely used infrastructure in a timely manner.
Data Breaches Hit Healthcare, Finance & Public Services
Qilin ransomware
Akira ransomware
Legacy breach data resurfacing
Cloud storage misconfiguration
The trend shows attackers maturing beyond encryption toward data theft and multi-stage extortion.
Key Takeaways
Ransomware operations are evolving, focusing on persistence, credential theft, and data exfiltration, not just encryption. Critical vulnerabilities remain a top entry point, especially in virtualization and exposed edge devices. Ransomware-as-a-Service (RaaS) continues to grow rapidly, with new groups entering the ecosystem and established groups evolving their tooling, making it easier for less-skilled attackers to launch high-impact campaigns.
Looking Ahead
Organizations should reinforce identity security, accelerate patch cycles, and bolster monitoring across cloud, IoT, and remote-access systems. March 2025 makes one thing clear: the threat landscape is broadening, and defenses must evolve with it.
This entry is published as part of the SOCshare project (No. 101145843), which we are running together with Vilnius City Municipality. It is partly funded by the European Union. The views and opinions expressed are those of the authors alone and do not necessarily reflect those of the European Union or the European Cyber Security Centre of Excellence. Neither the European Union nor the European Cyber Security Centre of Excellence can be held responsible for them.