Kroll pros say speed defined cyberattacks in 2025

Sponsored by

Your machine data knows things: Unlock it with Splunk and get game-changing insights—plus a critical resource to power AI. Tapping into machine data can boost your security and reliability. See more.

What do thousands of cyberattacks have in common, besides an executive swearing in the conference room?

When Dave Burg, global head of cyber and data resilience at financial and risk advisory firm Kroll, reflects on the 2,000 or so cyber incidents he helped organizations manage in 2025, one thing stands out as a common factor among cyberattackers: speed.

“What happened in ’25 is this acceleration,” Burg told us. “The speed, impact, [and] damage all accelerated.”

During an IT Brew visit to Kroll’s New York office, Burg and Brent Tomlinson, president of Kroll's risk advisory business, spoke about what’s driving the higher speeds—and if defenders have to change their tactics in response.

Entry level. For the last 15 years or so, Burg has seen adversaries running a familiar play: An attack compromises a valuable target like a system administrator. Once attackers have gained that access, they infiltrate important systems and find sensitive data, which they’ll either steal or hold for ransom.

Before, this might have been a three-week process; now it’s taking place over days, Burg added.

Fast times. Some recent personal bests from attackers:

• CrowdStrike, in its 2025 threat hunting report, noted that ransomware group Scattered Spider went from account takeover to ransomware deployment in “under 24 hours”—32% faster than the group’s 2024 efforts.
• 2025 featured 7,419 recorded global ransomware attacks—a 32% increase YoY, according to findings from research group Comparitech.

Fast drivers. That YoY ransomware spike, according to Rebecca Moody, Comparitech’s head of data research, is thanks to attackers utilizing both AI tools and ransomware-as-a-service. In an email to IT Brew, Moody noted that a cybercrime group called Qilin has carried out 1,034 attacks last year—as well as 48 already in January 2026.

Adversaries are “very good at adopting new technology,” Burg said, noting that AI tools can help today’s attackers quickly craft error-free phishing messages, search for vulnerabilities, create convincing audio deepfakes, and guess the answers required to reset someone’s password.

“AI is used to anticipate what those questions are going to be and then be able to answer them, and answer them fast,” he said.

The average ransom demand was around $1 million in 2025, according to Comparitech, a decrease from 2024’s $1.4 million. (Cybersecurity company Sophos, in a new report, sees a decline in average ransom demands because attackers are “targeting enterprises with more mid-range demands, aiming for amounts that are still damaging but more realistically able to be paid.”)

“If you can go target exponentially more, faster, because you’re using better tools and learning ways around the new gates faster, you’re just going to take more swings at the gate,” Tomlinson said.

Fundamental health. A higher attack speed doesn’t really change the required defenses; both Moody and Burg emphasized the importance of fundamental cybersecurity practices. Burg recommends asset inventories, while Moody advises basics like patching vulnerabilities, updating software, conducting employee training, and implementing regular backups.

For Moody, that means becoming knowledgeable about the security fundamentals of third-party IT providers, too—since efficiency-minded attackers will target external partners in an effort to get many victims with one quick hit.

“Hackers have homed in on third parties in recent years because of their exposure to multiple organizations through one central source, meaning a company’s systems are only as secure as the third parties they’re using to carry out various services,” Moody wrote to us.