No, it’s not new or particularly exotic, but after years of attacks, ransomware continues to rank among the most destructive threats facing global organizations today. 

Even with security teams pouring significant resources into prevention and detection efforts, attackers are still finding ways to bypass their defenses. Double extortion has become the default approach, with groups encrypting systems and stealing sensitive data for leverage.

Some actors are now skipping the encryption step entirely, focusing only on data theft and extortion to avoid detection and streamline their efforts.

Picus Security’s Blue Report 2025 pulls back the curtain to show just how easily cybersecurity defenses are slipping.

Drawing on more than 160 million Breach and Attack Simulation (BAS) results, this year’s Blue Report saw overall prevention effectiveness fall from 69% in 2024 to 62% in 2025. The most alarming finding, however, was data exfiltration: prevention collapsed to just 3%, down from an already unacceptably low 9% last year. This leaves organizations exposed at exactly the stage ransomware groups exploit most.

The takeaway is clear: assumptions don’t equal protection, and non-validated defenses will continue to fail when it matters most.

Parsing the results, it quickly becomes clear that ransomware readiness can’t be assumed. It has to be proven. That means continuously validating your organization’s defenses against both long-known ransomware families as well as the emerging strains now active in the wild.

Breach and Attack Simulation provides that proof, showing in real time whether protections stand or fail.

Why Known and Emerging Ransomware Both Matter

Unfortunately, with ransomware, familiarity all too often breeds false confidence. Security teams may believe they are protected against the big-name strains, but over time, if left alone, their defenses are steadily weakening as configurations drift and environments change.

Ransomware operators, meanwhile, keep moving. Code is repackaged, loaders are updated, and evasion techniques are refined to keep attacks from being detected. Unfortunately, what worked against yesterday’s campaign often won’t work against today’s updated attempt.

This year’s Blue Report shows this all too clearly. 

Among the top 10 most underprevented ransomware strains, five were new or emerging, yet they bypassed defenses just as effectively as long-established names.

• Known families still succeed. BlackByte (26%) remains the hardest ransomware to prevent for the second year in a row, exploiting public-facing apps and exfiltrating data before encryption. BabLock (34%) continues to pressure victims with double extortion, while Maori (41%) leverages fileless delivery and regional campaigns. Their persistence shows how easily defenses can erode in real-world environments.

• Emerging ransomware strains hit just as hard. FAUST (44%), Valak (44%), and Magniber (45%) bypass controls through registry modifications, modular payloads, and staged execution. Nearly half of all attacks succeed, proving that new names quickly become effective in the wild.

• Established names adapt. BlackKingdom (48%), Black Basta (49%), and Play (50%) evade defenses with stolen credentials, process hollowing, and remote service execution. Even after years of documentation, they remain difficult to stop.

• Advanced ransomware operators remain resilient. AvosLocker achieved only a 52% prevention rate, exploiting privilege escalation and advanced obfuscation to compromise critical sectors despite specifically targeted defenses.

These findings illustrate a critical point: the distinction between “known” and “emerging” ransomware is becoming less and less meaningful. When organizations fail to continuously test their defenses, both known and emerging strains can, and will eventually, evade their defenses.

The Biggest Gaps in Defense

Ransomware groups rarely depend on a single trick. Instead, they link multiple techniques across the kill chain and take advantage of whichever set of defenses is the weakest. 

The Blue Report 2025 shows that persistent gaps in prevention and detection continue to give attackers exactly the opening they’ve been looking for.

• Malware delivery: Prevention dropped to 60% (down from 71% in 2024). Despite being one of the oldest attack vectors, loaders and droppers are still bypassing static defenses.

• Detection pipeline: Only 14% of attacks generated an alert, even though 54% were logged. This log-to-alert gap can easily leave defenders blind to both established families like BlackByte and newer variants such as FAUST and Magniber.

• Data exfiltration: Effectiveness at preventing data exfiltration fell to just 3% in 2025 (down from 9% in 2024), the worst score of any attack vector. This weakness fuels the surge in double extortion attacks, where stolen data is leaked to increase pressure on victims.

• Endpoint protection: Endpoints blocked 76% of attacks, but lateral movement and privilege escalation still worked in a quarter of cases. Families such as Black Basta and Play exploited these weaknesses to spread within compromised networks.

Overall, ransomware thrives not because of cutting-edge techniques but because defenses continue to fail at critical points. 

Five of the ten ransomware families highlighted in the report are long-established strains, yet they’re evading defenses as effectively as new or emerging threats. Attackers don’t need novel breakthroughs, only the ability to exploit what’s already broken.

How BAS Strengthens Ransomware Readiness

Picus Breach and Attack Simulation (BAS) helps close the gap between what organizations think their defenses can do and how they actually perform against ransomware. 

Unlike traditional penetration testing, which is periodic and manual, BAS provides continuous, automated checks that show you where your defenses hold up against real attack behaviors, and where they don’t, in your unique and dynamic environment.

Key BAS benefits include:

• Continuous Ransomware Simulations. BAS safely simulates and emulates ransomware TTPs seen in the wild, from initial compromise through encryption and data theft, to show exactly where your defenses break down, across perimeter controls and endpoint security.

• Validation Against Known and Emerging Families. Picus updates BAS threat libraries daily with intelligence on both established ransomware and new variants, letting organizations test against the same families seen in advisories and those first appearing in the wild.

• Actionable Fixes. When attacks succeed in simulation, BAS provides practical remediation guidance, both vendor-specific and vendor-agnostic, so defenders know exactly what to adjust.

• Evidence of Readiness. BAS generates measurable data on ransomware resilience, including prevention rates, detection coverage, and mitigation status, giving security teams tangible data they can show to leadership and auditors.

Closing the Readiness Gap

One of the most dangerous beliefs in ransomware readiness is assuming your defenses are working because they’ve worked up until this point, or because you’ve deployed the “right” products.

The Blue Report 2025 shows how misleading both of these assumptions can be: nearly 50% of ransomware attempts bypassed defenses, and only 14% triggered alerts.

BAS turns assumptions into proof by answering the questions that matter most:

• Would your DLP system actually stop sensitive data from leaving your network?

• If ransomware slips past endpoint controls, would your SIEM raise the alarm in time?

• Are email gateways tuned well enough to block phishing payloads used by BabLock or Play?

• Would newer families like FAUST or Magniber pass through unnoticed?

With BAS, security teams don’t have to guess. They know.

Conclusion

In the end, the Blue Report 2025 makes one thing clear: ransomware thrives not because attackers reinvent the playbook, but because defenses are rarely tested in practice. The same security weaknesses resurface year after year, with prevention slipping, detection lagging, and data theft going almost entirely unchecked.

Breach and Attack Simulation is the missing piece. By safely emulating end-to-end ransomware attacks, including initial compromise, credential access, lateral movement, and data theft, BAS pinpoints exactly where your defenses are and aren’t working and confirms whether fixes are holding. It shifts readiness from trusting and assuming to proving, giving defenders something they can measure, improve, and demonstrate every day.

Ransomware readiness has moved way beyond asking “Are we protected?”. It’s about continuously demonstrating proof of resilience, and BAS is the only sustainable way to get there.

Download the Blue Report 2025 to get the full picture, from ransomware and data exfiltration to industry-by-industry performance, regional disparities, MITRE ATT&CK tactic and technique gaps, and the vulnerabilities attackers are exploiting right now. See where defenses are slipping, and why continuous validation is the way forward.

Sponsored and written by Picus Security.