
SpyCloud Report Finds Surge in Ransomware, Phishing-Driven Identity Attacks


SpyCloud has found that while the majority of security leaders say they are confident their networks can fend off identity-based attacks, 85 percent of organizations reported a ransomware incident at least once in 2024.

The data, revealed in the 2025 SpyCloud Identity Threat Report, illustrate the gap between an organization’s perception of safety and actual exposure, SpyCloud said Wednesday.

The 2025 SpyCloud Identity Threat Report is based on a survey of over 500 security leaders across North America and the United Kingdom.

Growing Ransomware Threat

According to the report, of all the organizations affected by ransomware, nearly one-third, or 31 percent, reported six to 10 ransomware events in the last year, meaning repeat attacks are the norm, not the exception. SpyCloud also found that phishing is the primary entry point for malicious actors into a network, reflecting the growing sophistication of phishing-as-a-service, or PhaaS, techniques to bypass multifactor authentication, also known as MFA.

“Phishing can no longer be seen as just a nuisance; it’s a primary launching point for ransomware and other identity-based attacks. Attackers are using phishing kits to steal session cookies, bypass MFA, and impersonate users with alarming accuracy,” stated Trevor Hilligoss, head of security research at SpyCloud. “The growth of commoditized tactics like PhaaS has made these capabilities available to even low-skill threat actors, which is why we’re seeing such a sharp spike in ransomware incidents tied directly to phishing.”

Cybercrime aided by artificial intelligence is also outpacing AI-powered defense tools, with 92 percent of survey respondents acknowledging increased risk. However, only 47 percent use AI to support cybersecurity operations.

Compromise Caused by Identity Exposures

The report also covered insider threats, whether accidental or malicious, that can lead to cyberattacks.

SpyCloud said over two-thirds of organizations polled are concerned about identity-based cyberattacks, but only 38 percent can detect historical identity exposures that increase risks. The company has 63.8 billion distinct identity records from the dark web.

Nation-state actors, including those from North Korea, assemble synthetic identities using phished cookies and reused credentials to bypass security. At the same time, legitimate employees and contractors may unknowingly expose their identities through phishing attacks and infostealer malware.

SpyCloud said organizations need a holistic approach to identity protection that tracks exposures across a user’s full digital footprint and automates remediation to strengthen protection against threats.


Written by Elodie Collins
