Cybercrime no longer needs to make a splash to cause damage. Increasingly, attacks aim to go unnoticed, linger within systems for as long as possible, and from there, maximize economic, strategic, and reputational impact. This is one of the central conclusions of the NTT DATA Threat Intelligence Report for the second half of 2025, which describes a profound shift in attack models: low-profile intrusions, prolonged over time and aimed at influencing decisions and processes.
The report outlines a scenario where cybersecurity ceases to be merely a technical or compliance issue and becomes a strategic front. Instead of quick, visible hits, there is an evolution toward more sophisticated and adaptive operations, where the priority is persistence, stealth, and the ability to exert sustained influence in compromised environments. In this new landscape, the line between organized crime, hybrid campaigns, and geopolitical tensions becomes increasingly blurred and difficult to define clearly.
An cyberspace shaped by politics and economics
NTT DATA emphasizes a growing factor: geopolitical influence. International tensions, technological fragmentation, and shifting alliances directly impact digital infrastructure, supply chains, and critical sectors. According to the report, this results in a dual effect: on the one hand, attributing attacks becomes more complex; on the other, international cooperation becomes more challenging, increasing risks for governments, key industries, and private companies.
In this context, cyberspace has become a common arena for indirect confrontation. It allows for exerting pressure, generating disruptions, and disturbing balances without resorting to open military conflict. What is most concerning is not just individual incidents but the trench warfare—exposed credentials, persistent access, precisely targeted data exfiltration, and finely calibrated public pressure campaigns.
Artificial Intelligence as an offensive multiplier
Another key aspect of the report is the increasing integration of Artificial Intelligence as a strategic force multiplier. Its use in cyber espionage, disinformation, and offensive automation lowers entry barriers, accelerates attack cycles, and amplifies the reach of hybrid campaigns, both by states and advanced criminal actors.
The practical implication is that attackers require less time and fewer resources to iterate. Where manual exploration and trial/error once prevailed, now there is automation, adaptation, and a greater capacity to customize offensive tactics, adjust techniques, and maintain pressure at relatively low costs. Simultaneously, defenders face increasing demands to detect subtle patterns and correlate weak signals, especially as the digital environment becomes noisier.
Fewer “public squares” for crime, more opacity
The report also highlights the fragmentation of the criminal ecosystem. The fall of large underground forums and centralized marketplaces, far from reducing illicit activity, redistributes it: specialized markets, initial access brokers, and more opaque private channels emerge. This shift complicates monitoring and hampers early intelligence collection because crime is organized in less visible spaces, with tighter relationships and more specialized illegal supply chains.
Operationally, this “fragmented market” fosters a more modular attack economy: those who gain initial access do not always carry out extortion; those developing tools do not always operate deployment; those laundering or monetizing data do not always participate in intrusions. The result is a more professional industry that is harder to dismantle with a single strike on a major central actor.
Mature ransomware and data-based extortion
Meanwhile, ransomware and data-based extortion models demonstrate a level of operational maturity that the report finds particularly alarming. Campaigns combine automation, selective theft of sensitive information, staged public pressure, and reputational exploitation. There is an increased use of “quiet” techniques and the abuse of legitimate services—especially cloud and SaaS—to maintain persistence and move laterally with minimal traces.
The core strategy is not just encryption but controlling the negotiation pace and raising reputational costs. Extortion now involves not only “pay or lose access” but also staged data leaks, threats of exposure, and pressure on clients, regulators, or partners. In this setting, time benefits the attacker: the longer they stay inside, the better they understand the target’s business, the more valuable the data they choose, and the more precise the pressure point becomes.
Most targeted sectors and colossal economic impact
The report provides sector-specific figures highlighting where risks are most concentrated. During the analyzed semester, the sectors with the highest number of incidents were:
- Public administration and governments: 3,343 attacks
- Educational institutions: 1,140
- Financial services: 957
- Information technology: 802
- Telecommunications: 614
Collectively, the document estimates the economic impact of cybercrime at around $10.5 trillion annually, illustrating why cyberspace has become a critical infrastructure for the global economy and a priority target for actors with vastly different motivations.
The gap: compliance doesn’t always mean resilience
While the report acknowledges progress—legal and regulatory strengthening, high-impact international police operations, and gradual improvements in defensive capabilities—the final diagnosis is uncomfortable: malicious actors continue to outpace these advancements. A gap remains between regulatory compliance and actual operational resilience.
At this point, the report emphasizes a mindset shift. “We face a paradigm change: attacks no longer aim just to disrupt but to condition decisions, processes, and long-term strategies. Effective risk management requires a comprehensive approach centered on contextual detection, resilience, and strategic anticipation against persistent, highly adaptive threats,” said Maria Pilar Torres Bruna, Head of Cybersecurity at NTT DATA Iberia, International Organizations, LATAM, and Consulting in Benelux and France.
The core idea is clear: in the face of more persistent and sophisticated threats, cybersecurity must be operated as a strategic function, capable of anticipating, understanding the environment, and maintaining genuine, sustainable digital resilience. Less checklists, more operational vision: detect early, respond better, and learn faster than the adversary.
Frequently Asked Questions
What does it mean for attacks to be “quieter” and more persistent?
They prioritize going unnoticed, remaining within the environment longer, and maximizing impact (economic and reputational) from a position of control.
Why does current ransomware increasingly rely on data extortion?
Because it aims not only to encrypt systems but also to steal sensitive information and pressure targets with leaks and reputational damage to increase the likelihood of payment.
Which sectors suffered the most incidents in the second half of 2025 according to the report?
Public administration and governments (3,343), education (1,140), financial services (957), information technology (802), and telecommunications (614).
How does Artificial Intelligence influence the evolution of cybercrime?
The report points out that it acts as a multiplier: reducing entry barriers, accelerating attack cycles, and amplifying the reach of offensive automation, cyber espionage, and disinformation campaigns.
via: nttdata