Key Insights from the OpenText Cybersecurity 2025 Threat Report
As cyber threats grow more complex and coordinated, the 2025 OpenText Cybersecurity Threat Report highlights how attackers are evolving and how defenders must respond. This year's analysis draws on our telemetry across business and consumer endpoints, email protection, DNS filtering, and web threat intelligence. From ransomware pivots to regional malware surges, here is what you need to know.

Malware on the March: Business Infections Surge 28%

Malware made a strong comeback in 2024, with email-borne threats continuing to dominate the attack vector landscape. While consumer malware infections remained relatively flat, business-targeted malware infections jumped 28% year over year. The growth is not just in volume but in complexity: we observed a shift toward multi-stage payloads, advanced obfuscation techniques, and regionally tailored campaigns. The surge in business infections reinforces what we have seen in ransomware trends: cybercriminals are targeting organizations with more data, more systems, and higher stakes.

Consumer Threat Vectors: Malware Loves the Downloads Folder

On consumer endpoints, malware continues to exploit the most familiar and most overlooked entry points. In 2024, over half of all consumer malware detections were first seen either in the Downloads folder or on the Desktop, a clear indication that users are still being lured into manually executing payloads disguised as legitimate files. Whether through fake installers, cracked software, or trojanized attachments, threat actors are betting on user trust and habitual behavior. The combination of deceptive social engineering and well-timed bait, often delivered via phishing emails or shady websites, continues to pay off for cybercriminals targeting everyday users.
Manufacturing Tops the Malware Charts

This year's industry infection rates reveal a dramatic reshuffling, with manufacturing emerging as the most malware-infected sector. Compared to the cross-industry average, manufacturers were 42.4% more likely to have infected workstations, up sharply from 32.9% last year. The rise reflects an increase in ransomware campaigns targeting operational technology (OT), production data, and supply chains. Noteworthy trends include:

- Information services showed the largest year-over-year spike, jumping to 38.4% above the average (up from 23.5%).
- Management of companies and enterprises, and public administration, also saw sharp rises in infection likelihood.
- Educational services, the #2 most infected industry last year, dropped slightly and now sits at #5.
- Mining, quarrying, and oil & gas saw a notable improvement, falling out of the top five entirely.

Ransomware 2.0: Industrialized, Opportunistic, and Ruthless

Ransomware in 2024 evolved from brute-force extortion into precision attacks run with startup-level efficiency. While groups like BlackSuit and Akira made headlines by dominating the automotive and healthcare sectors respectively, it was the drama around LockBit that defined the year. After law enforcement took down LockBit's infrastructure in Operation Cronos, the group attempted a hasty return, but internal fractures, arrested developers, leaks, and copycat spin-offs splintered the brand's credibility. Several LockBit affiliates moved on to new operations or joined other ransomware-as-a-service (RaaS) crews, highlighting the volatility behind even the most notorious ransomware groups. Even so, LockBit has been unusually persistent, continuing to operate under the same brand, a rare move in a space where most crews quickly rebrand or pivot after drawing heat from global authorities. The graph below illustrates the rebrands we have seen over the past years.
Key 2024 ransomware shifts:

- LockBit's fall showed the fragility of centralized branding.
- Rise of data-theft-only (exfiltration-only) ransomware campaigns.
- Growth in attacks on small and medium-sized businesses (SMBs), with shorter dwell times and sharper negotiation tactics.

Europe in the Crosshairs: A Rising Cyber Hotbed

Europe saw a noticeable uptick in cyber threat activity in 2024, driven by a mix of regional conflicts, increased digitalization, and opportunistic cybercrime. While Western Europe continues to battle high volumes of phishing and ransomware campaigns, Eastern and Central Europe emerged as new centers of malware distribution and command-and-control infrastructure. The region also saw a rise in politically motivated cyberattacks tied to the Russia-Ukraine conflict, affecting both government and private-sector systems. Infection hotspots across the continent included Germany, France, and the UK, and, more surprisingly, Poland and Romania, where aggressive malware campaigns surged. The heat map of endpoint infections shows clear concentration zones that align with both population density and digital infrastructure maturity.

Phishing Tactics Grow More Surgical

In 2024, phishing took a sharply targeted turn. While the raw volume of email-based threats declined slightly, the quality of attacks surged. Threat actors leaned heavily on obfuscation, careful customization, and the abuse of legitimate services to trick users. We recorded 171.2 million instances of "living off the land" phishing, in which the lure or landing page is hosted on a trusted third-party service so that the link passes domain-reputation checks. Google APIs, Amazon AWS, Mailchimp's list-manage, Canva, and Cloudflare IPFS all appeared on the most-abused list.

AI: The Great Equalizer in Cybercrime

While organizations explore generative AI for productivity and efficiency, cybercriminals are using it for precision attacks. From deepfake-powered social engineering to AI-optimized malware development, we are now in an arms race where speed, scale, and believability are the currency of compromise.
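The "living off the land" phishing section above names services that cannot simply be blocklisted, because the same hosts carry legitimate mail and business traffic. The following is an added example, not OpenText's detection logic and not code from the report: a small email-link triage script that extracts URLs from a message body, decides whether each link sits under one of the abused services, and explains why the link deserves a second look (an IPFS content ID with no registrant to take down, a static HTML object served from a cloud bucket, or a click-tracking redirector that hides the real destination). The hostnames mapped to each service, the `/track/` redirector path, and the sample email at the bottom are this example's assumptions and constructed data, not figures from the report.

```python
"""Triage e-mail links hosted on legitimate but widely abused cloud services.

Added example, not OpenText's detection logic. The hostnames below are this
example's assumptions about the services the report names; the report lists
service names, not hostnames. The e-mail body at the bottom is constructed.
"""
import re
from urllib.parse import urlparse

# Assumed hostnames for the services the report names as most abused.
ABUSED_SERVICES = {
    "googleapis.com": "Google APIs (cloud storage can serve static HTML)",
    "amazonaws.com": "Amazon AWS (S3 buckets can serve static HTML)",
    "list-manage.com": "Mailchimp list-manage (click-tracking redirector)",
    "canva.com": "Canva (publicly hosted design pages)",
    "cloudflare-ipfs.com": "Cloudflare IPFS gateway",
    "ipfs.io": "IPFS gateway",
}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
# IPFS content IDs: CIDv0 is a 46-char base58 string starting "Qm"; CIDv1 is longer.
IPFS_PATH_RE = re.compile(r"^/ipfs/[A-Za-z0-9]{46,}")


def host_under(host: str, domain: str) -> bool:
    """True if host is domain or a subdomain of it. The match is anchored on a
    label boundary, so 'storage.googleapis.com.attacker.example' is NOT under
    googleapis.com even though it contains that string."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def classify_url(url: str):
    """Return (service, [reasons]) for a link worth analyst attention, else None."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for domain, service in ABUSED_SERVICES.items():
        if host_under(host, domain):
            reasons = []
            if IPFS_PATH_RE.match(path):
                reasons.append("content addressed by IPFS CID; no registrant to take down")
            if path.lower().endswith((".html", ".htm", ".shtml")):
                reasons.append("static HTML object served from a cloud bucket")
            if path.startswith("/track/"):  # assumed redirector path shape
                reasons.append("click-tracking redirector; final destination hidden")
            if not reasons:
                reasons.append("hosted on a legitimate service that passes reputation checks; verify the landing page")
            return service, reasons
        if domain in host:
            # The abused brand appears inside an unrelated, attacker-controlled hostname.
            return "lookalike of " + service, [f"hostname embeds {domain} but is not under it"]
    return None


def scan_email(body: str):
    """Extract every http(s) URL from an e-mail body and classify each one."""
    findings = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,;)")  # trailing punctuation belongs to the prose, not the URL
        result = classify_url(url)
        if result:
            service, reasons = result
            findings.append({"url": url, "service": service, "reasons": reasons})
    return findings


# Constructed sample e-mail for the demo (not a real lure from the report).
SAMPLE_EMAIL = """Hi,

Your Q4 invoice is ready: https://storage.googleapis.com/invoice-portal-4421/index.html
Secure copy (IPFS): https://cloudflare-ipfs.com/ipfs/QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG
Unsubscribe: https://mailer.list-manage.com/track/click?u=abc123&id=def456&e=ghi789
Our homepage: https://www.example.com/newsletter.
Backup login: https://storage.googleapis.com.attacker.example/login.html
"""

if __name__ == "__main__":
    for finding in scan_email(SAMPLE_EMAIL):
        print(finding["url"])
        print("  service:", finding["service"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Two design points matter in practice. First, the host check is anchored on a label boundary; a naive substring test would let an attacker's `storage.googleapis.com.attacker.example` inherit the trust of the real service, and would miss the chance to flag it as a lookalike. Second, the script never returns a verdict of "block": it returns a reason an analyst (or a downstream URL-detonation step) can act on, because outright blocking these hosts would break legitimate mail.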
AI is no longer emerging in the threat landscape; it is embedded.

The Bottom Line: Resilience Must Be Intentional

Cyber resilience is not just about having the right tools; it is about integration, visibility, and speed. With the average attack lifecycle shortening and techniques becoming more evasive, a fragmented security approach is a recipe for disaster. From secure email to endpoint detection, and from threat intelligence to data protection, every layer must work together.

Download the full report HERE