IBM (NYSE: IBM) has released the 2025 X-Force Threat Intelligence Index highlighting that ransomware remained the most common action on objective in Asia Pacific. IBM X-Force observed the extensive reliance on external remote services (45%) and the vulnerability exploitation (18%) as the most common initial access vectors, underscoring vulnerabilities in APAC’s digital infrastructure.
The 2025 report tracks new and existing trends and attack patterns – pulling from incident response engagements, dark web and other threat intelligence sources. Some key APAC findings in the 2025 report include:
The manufacturing sector remained the most targeted industry in APAC, representing 40% of incidents, followed by finance and insurance (16%) and transportation (11%).
Nearly 1 in 4 incidents resulted in stolen data or credentials.
“Cybercriminals often infiltrate systems undetected, exploiting identity gaps in complex hybrid cloud environments. To combat this, businesses must move beyond reactive security strategies and prioritize proactive actions—like modernizing authentication management, addressing gaps in multi-factor authentication, and hunting threats in real time before they compromise sensitive data,” said Christopher Hockings, APAC CTO, IBM Security.
“Unlike in other parts of the world, ransomware remains a persistent threat in Asia Pacific, underscoring its continued profitability for attackers. Advanced detection technologies are essential to help organizations close the speed gap and stop threats before they escalate.”
Patching Challenges Expose Critical Infrastructure Sectors to Sophisticated Threats
Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents that IBM X-Force responded to on this sector last year.
In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM X-Force found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion. Exploit codes for these CVEs were openly traded on numerous forums —fueling a growing market for attacks against power grids, health networks and industrial systems. This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.
Automated Credential Theft Sparks Chain Reaction
In 2024, IBM X-Force observed an uptick in phishing emails delivering infostealers and early data for 2025 reveals an even greater increase of 180% compared to 2023. This upward trend fueling follow-on account takeovers may be attributed to attackers leveraging AI to scale distribution.
Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind. In 2024, the top five infostealers alone had more than eight million advertisements on the dark web and each listing can contain hundreds of credentials. Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent multi-factor authentication (MFA). The rampant availability of compromised credentials and MFA bypass methods indicates a high-demand economy for unauthorized access that shows no signs of slowing down.
Ransomware Operators Shift to Lower-Risk Models
While ransomware made up the largest share of malware cases globally in 2024 at 28%, IBM X-Force observed a reduction in ransomware incidents overall compared to the prior year, with identity attacks surging to fill the void.
International takedown efforts are pushing ransomware actors to restructure high-risk models towards more distributed, lower-risk operations. For example, IBM X-Force observed previously well-established malware families including ITG23 (aka Wizard Spider, Trickbot Group) and ITG26 (QakBot, Pikabot) to either completely shut down operations or turn to other malware, including the use of new and short-lived families, as cybercrime groups attempt to find replacements for the botnets that were taken down last year.
Additional global findings from the 2025 report include:
Evolving AI threats. While large-scale attacks on AI technologies didn’t materialize in 2024, security researchers are racing to identify and fix vulnerabilities before cybercriminals exploit them. Issues like the remote code execution vulnerability that IBM X-Force discovered in a framework for building AI agents will become more frequent. With adoption set to grow in 2025, so will the incentives for adversaries to develop specialized attack toolkits targeting AI, making it imperative that businesses secure the AI pipeline from the start.
Asia and North America most attacked regions. Collectively accounting for nearly 60% of all attacks that IBM X-Force responded to globally, Asia (34%) and North America (24%) experienced more cyberattacks than any other region in 2024.
Manufacturing felt the brunt of ransomware attacks. For the fourth consecutive year, manufacturing was the most attacked industry. Facing the highest number of ransomware cases last year, the return on investment for encryption holds strong for this sector due to its extremely low tolerance for downtime.
Linux threats. In collaboration with Red Hat Insights, IBM X-Force found that more than half of Red Hat Enterprise Linux customers’ environments had not deployed a patch for at least one critical CVE in their environment, and 18% had not patched five or more. At the same time, IBM X-Force found the most active ransomware families (e.g., Akira, Clop, Lockbit and RansomHub) are now supporting both Windows and Linux versions of their ransomware.