The Cyber Threat Landscape Q2 2025: UK Insights

Ciara Morgan

GRC Analyst

In the second quarter of 2025, the cyber threat landscape has been defined by sophisticated phishing campaigns, fast-evolving ransomware tactics and the widespread exploitation of legacy and zero-day vulnerabilities.

1. Advancing Phishing and Social Engineering Techniques

Phishing remains threat actors' top initial access vector and has grown more sophisticated. Threat actors have been making use of:

  • QR codes disguising malicious links.

  • Open redirect abuse and CAPTCHA bypass.

  • Lookalike domains (e.g., fake Booking.com) targeting specific sectors.

  • AI-driven multi-channel attacks: smishing, vishing, email.

  • Proliferation of Phishing-as-a-Service (PhaaS) tools (e.g., Tycoon 2FA, EvilProxy).

  • Seasonal and geo-specific lures, including UK tax and immigration scams.

These techniques have led to an increased rate of success for threat actors as campaigns have grown more personalised and automated.
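Two of the tricks listed above, open redirect abuse and lookalike domains, can be caught mechanically at the mail gateway or in a SOC triage script. The following is an added example written for this article, not tooling from any vendor or campaign named here; the protected brand list, the confusable-character map and the sample URLs are constructed, and registrable-domain extraction is simplified to the last two labels (real code should use the Public Suffix List).

```python
"""Triage checks for open-redirect abuse and lookalike hostnames.
Constructed example for this article; brand list and sample URLs are illustrative."""
from __future__ import annotations
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed list of brands the organisation wants to protect against impersonation.
PROTECTED_BRANDS = {"booking.com", "acme-bank.example"}

# Digits commonly substituted for letters in look-alike names (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification for the example: production code
    should use the Public Suffix List so that names under e.g. .co.uk are split correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def open_redirect_targets(url: str) -> list[tuple[str, str]]:
    """Return (parameter, target_host) for each query parameter whose value is an absolute
    URL pointing off the link's own registrable domain. This is the shape of open-redirect
    abuse: a link on a trusted domain that bounces the victim to the phishing page."""
    parts = urlsplit(url)
    origin = registrable_domain(parts.hostname or "")
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            value = unquote(value)          # parse_qs decoded once; this catches double encoding
            if value.startswith("//"):
                value = "https:" + value    # scheme-relative target
            if not value.lower().startswith(("http://", "https://")):
                continue                    # relative path: stays on the origin
            target = (urlsplit(value).hostname or "").lower()
            if target and registrable_domain(target) != origin:
                findings.append((name, target))
    return findings


def lookalike_of(host: str) -> Optional[str]:
    """Return the protected brand a hostname imitates, or None for genuine/unrelated hosts.
    A host imitates a brand when the brand's name survives inside it after folding
    confusable digits and separators, but its registrable domain is not the brand's own
    (booking.com-guest-verify.example, b00king-com.example)."""
    host = host.lower()
    if registrable_domain(host) in PROTECTED_BRANDS:
        return None
    folded = host.translate(CONFUSABLES).replace("-", "").replace("_", "")
    for brand in sorted(PROTECTED_BRANDS):
        label = brand.split(".")[0].replace("-", "")
        if label in folded:
            return brand
    return None


def triage_url(url: str) -> list[str]:
    """Run both checks on one URL and return human-readable findings (empty = nothing seen)."""
    findings = []
    host = (urlsplit(url).hostname or "").lower()
    brand = lookalike_of(host)
    if brand:
        findings.append(f"host imitates {brand}: {host}")
    for param, target in open_redirect_targets(url):
        findings.append(f"open redirect via '{param}' to {target}")
        brand = lookalike_of(target)
        if brand:
            findings.append(f"redirect target imitates {brand}: {target}")
    return findings


if __name__ == "__main__":
    for u in (
        "https://www.booking.com/redirect?url=https%3A%2F%2Fbooking.com-guest-verify.example%2Flogin",
        "https://www.booking.com/go?next=%2Faccount",
        "https://b00king-com.example/confirm",
    ):
        print(u, "->", triage_url(u) or "clean")
```

The brand-substring heuristic is deliberately loose and will flag benign hosts that happen to contain a brand word; it is a triage signal to route a message for review, not a blocking rule on its own.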

2. Ransomware and Extortion

Ransomware groups are shifting from encryption to exfiltration.

  • To evade EDR protections, financially motivated threat actors have shifted from encrypting systems to stealing data and extorting victims; data theft featured in 95% of cases in Q2.

  • Double extortion (encryption plus the threat to leak stolen data) appeared in 71% of cases, often alongside log wiping and other anti-forensic techniques.

Ransomware groups' prioritisation of speed has led to:

  • An average time-to-ransom (TTR), the interval from initial access to the ransom demand, of under 17 hours.

  • TTR lows of 4 hours observed in Quantum ransomware intrusions.

The UK is under increasing threat from ransomware groups. Notable ransomware groups observed attacking UK organisations include Medusa (HCRG Care Group, Gateshead), Black Basta (BT, Southern Water) and Qilin (Synnovis). These attacks have caused disruptions to public services and critical infrastructure and financial and data loss for the affected organisations.

3. Supply Chain Attacks

There has been a surge in supply chain attacks, a trend fuelled by:

  • Exploitation of vulnerabilities in third-party software, managed service providers and open repositories.

  • New techniques such as slopsquatting, where attackers register malicious packages under names that AI language models hallucinate or suggest, so that developers who paste model-generated install commands pull the attacker's package.

  • Abuse of legitimate web tools such as Google AdSense to implant malicious code into websites.

This increase in third-party breaches has produced high-impact attacks on organisations such as Royal Mail and Santander, as threat actors use indirect access paths through suppliers to reach high-value targets.
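Slopsquatting works because an install command is run before anyone asks whether the named package should exist. A pre-install gate that checks each requested name against an allowlist, flags near-misses of approved packages, and refuses names that are unknown or newly published closes that gap. The following is an added example for this article, not code from any project named here; the REGISTRY dictionary is a constructed stand-in for metadata an organisation would pull from its package index or internal mirror, and the requirements text is a constructed example of model-generated output.

```python
"""Pre-install gate for a requirements list, as a defence against slopsquatting and
typosquatting. Constructed example; REGISTRY and APPROVED stand in for real registry
metadata and the organisation's allowlist."""
from __future__ import annotations
import re
from datetime import date

# Constructed stand-in for registry metadata: name -> (first published, monthly downloads).
REGISTRY = {
    "requests":        (date(2011, 2, 14), 300_000_000),
    "cryptography":    (date(2014, 1, 1), 200_000_000),
    "boto3":           (date(2015, 6, 22), 400_000_000),
    "reqeusts":        (date(2025, 5, 30), 40),    # fresh upload, one keystroke from requests
    "awsboto-helpers": (date(2025, 6, 2), 12),     # fresh upload with a plausible-sounding name
}
APPROVED = {"requests", "cryptography", "boto3"}  # organisation's allowlist (constructed)
MIN_AGE_DAYS = 90
MIN_DOWNLOADS = 1_000
TODAY = date(2025, 6, 30)   # fixed so the example is deterministic


def normalise(name: str) -> str:
    """PEP 503 name normalisation: case-insensitive, runs of -_. collapse to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot names one or two keystrokes from an approved package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(name: str) -> str:
    """Classify one requested package name:
    'ok'         on the allowlist
    'typosquat'  within two edits of an allowlisted name but not that name
    'missing'    nothing published under that name (a hallucinated name, and a slot a
                 squatter could still register)
    'suspicious' exists but is newly published or barely downloaded
    'review'     exists and is established, but has not been allowlisted yet"""
    n = normalise(name)
    if n in APPROVED:
        return "ok"
    if any(levenshtein(n, approved) <= 2 for approved in APPROVED):
        return "typosquat"
    meta = REGISTRY.get(n)
    if meta is None:
        return "missing"
    published, downloads = meta
    if (TODAY - published).days < MIN_AGE_DAYS or downloads < MIN_DOWNLOADS:
        return "suspicious"
    return "review"


def gate_requirements(text: str) -> dict[str, list[str]]:
    """Parse a requirements file body (names with optional version specifiers, comments)
    and group the package names by verdict. Anything outside 'ok' should block the install.
    Option lines such as --index-url are skipped because they do not start with a name."""
    verdicts: dict[str, list[str]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if not m:
            continue
        verdicts.setdefault(assess(m.group(0)), []).append(m.group(0))
    return verdicts


# Constructed requirements list of the kind a language model might emit.
SAMPLE = """
requests==2.32.3
reqeusts          # typo one keystroke from requests
awsboto-helpers   # plausible-sounding, published four weeks ago
boto3-utils-pro   # name the model made up; nothing is published under it
cryptography>=42
"""

if __name__ == "__main__":
    for verdict, names in gate_requirements(SAMPLE).items():
        print(f"{verdict:10} {', '.join(names)}")
```

The ordering inside assess matters: a name is tested for proximity to the allowlist before the registry is consulted, so a typosquat that has already been published (reqeusts above) is still reported as a typosquat rather than as merely new.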

4. Exploitation of known and zero-day vulnerabilities

Exploitation of both known and zero-day vulnerabilities is accelerating in volume and speed.

Threat actors are now exploiting newly disclosed vulnerabilities within hours of public disclosure, reflecting a well-coordinated effort by threat actors who monitor vulnerability databases, vendor updates and security forums to identify weaknesses before defenders can respond. This rapid time-to-exploit trend significantly narrows the window in which organisations can apply patches or deploy mitigations, leaving systems exposed during a critical vulnerability gap.

Simultaneously, legacy vulnerabilities continue to be actively exploited due to delays in patching, unsupported systems or lack of asset visibility. Organisations with outdated systems, particularly within local government, healthcare and education, remain especially vulnerable. Critical systems such as firewalls, VPN gateways and edge devices are often overlooked or inconsistently updated, making them attractive targets for threat actors.

5. Identity-based cloud intrusions

Identity attacks have become the most common vector for cloud breaches (80% of cases). This trend has been driven by:

  • A surge in non-human identities (NHIs: service accounts, API keys, tokens and workload identities) in hybrid and multi-cloud environments, expanding the attack surface.

  • Poor credential hygiene, which threat actors exploit through credential stuffing and phishing.

This has allowed for increased lateral movement and privilege escalation in cloud environments, with cloud-specific breakout times now down to 48 minutes.
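Both drivers above leave a signature in sign-in logs: credential stuffing shows up as one source address failing against many distinct accounts in a short window, often followed by a success on one of them, and a stolen non-human identity shows up as that identity authenticating from a network it never uses. The following detection is an added example for this article, not a vendor's or IdP's rule; the JSON log format, the field names and the baseline networks are constructed, and the source addresses are from documentation ranges.

```python
"""Detections over constructed sign-in events: credential stuffing from one source
address, and a non-human identity used from outside its baseline networks.
Log format is invented for the example; map real IdP fields accordingly."""
from __future__ import annotations
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_DISTINCT_USERS = 5   # failures against this many accounts from one IP within WINDOW

# Constructed baseline: networks each non-human identity is expected to sign in from.
NHI_BASELINE = {"svc-backup": ["10.20.0.0/16"]}

# Constructed sign-in log (JSON lines). 203.0.113.9 works through a credential list and
# gets into frank's account, then uses a stolen service-account key from the same address.
SAMPLE_LOG = """\
{"ts": "2025-06-12T09:00:00", "ip": "203.0.113.9", "user": "alice", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:00:30", "ip": "203.0.113.9", "user": "bob", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:01:00", "ip": "203.0.113.9", "user": "carol", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:01:30", "ip": "203.0.113.9", "user": "dave", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:02:00", "ip": "203.0.113.9", "user": "erin", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:02:30", "ip": "203.0.113.9", "user": "frank", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T09:03:00", "ip": "203.0.113.9", "user": "frank", "kind": "user", "result": "success"}
{"ts": "2025-06-12T09:10:00", "ip": "203.0.113.9", "user": "svc-backup", "kind": "nhi", "result": "success"}
{"ts": "2025-06-12T09:15:00", "ip": "10.20.4.7", "user": "svc-backup", "kind": "nhi", "result": "success"}
{"ts": "2025-06-12T10:00:00", "ip": "198.51.100.4", "user": "grace", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T10:00:20", "ip": "198.51.100.4", "user": "grace", "kind": "user", "result": "failure"}
{"ts": "2025-06-12T10:00:45", "ip": "198.51.100.4", "user": "grace", "kind": "user", "result": "success"}
"""


def parse(lines: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp."""
    events = []
    for line in lines.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events: list[dict]) -> list[dict]:
    """Per source IP, slide WINDOW over failed human logins and alert once the failures
    span MIN_DISTINCT_USERS accounts. Any success from that IP after the alert is
    reported as the likely compromised account (one user retrying a password is not flagged)."""
    by_ip: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        if e["kind"] == "user":
            by_ip[e["ip"]].append(e)
    alerts = []
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e["result"] == "failure"]
        flagged_at = None
        start = 0
        for i, e in enumerate(failures):
            while e["ts"] - failures[start]["ts"] > WINDOW:
                start += 1
            if len({f["user"] for f in failures[start:i + 1]}) >= MIN_DISTINCT_USERS:
                flagged_at = e["ts"]
                break
        if flagged_at is None:
            continue
        took_over = sorted({e["user"] for e in evs
                            if e["result"] == "success" and e["ts"] >= flagged_at})
        alerts.append({"ip": ip, "first_alert": flagged_at.isoformat(),
                       "distinct_failed_users": len({f["user"] for f in failures}),
                       "successes_after": took_over})
    return alerts


def detect_nhi_anomalies(events: list[dict]) -> list[dict]:
    """Flag successful sign-ins by a non-human identity from outside its baseline networks.
    An identity with no baseline entry is flagged on every success, so baselines must be kept current."""
    out = []
    for e in events:
        if e["kind"] != "nhi" or e["result"] != "success":
            continue
        allowed = [ipaddress.ip_network(c) for c in NHI_BASELINE.get(e["user"], [])]
        src = ipaddress.ip_address(e["ip"])
        if not any(src in net for net in allowed):
            out.append({"identity": e["user"], "ip": e["ip"], "ts": e["ts"].isoformat()})
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(detect_nhi_anomalies(evs))
```

Thresholds are the tuning knobs: a shared corporate egress address will legitimately fail logins for several users, so MIN_DISTINCT_USERS and WINDOW should be set against the organisation's own baseline rather than copied from the example.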

6. Botnet-driven DDoS attacks

Botnet-driven Distributed Denial of Service (DDoS) attacks continue to grow in frequency, scale and sophistication, posing a significant threat to UK organisations across sectors. On average, DDoS attacks have increased 56% year-on-year (YoY). Cloudflare reported blocking 20.5 million DDoS attacks in the first quarter of 2025, a 198% quarter-over-quarter (QoQ) increase. Cloudflare, BT and Qrator Labs each reported incidents in 2025 that exceeded two terabits per second (Tbps). This represents a significant leap in destructive capacity, with some attacks growing from 67 Gbps to nearly 1 Tbps in just 20 minutes. The expansion of botnets is the primary fuel for these attacks, and the main drivers of botnet growth have included:

  • Vulnerabilities in Internet of Things (IoT) devices. Many IoT devices are deployed with weak or default credentials, unpatched firmware or poor security configurations, making them attractive to threat actors.

  • The rise of DDoS-for-hire services, also known as "booter" or "stresser" platforms. These platforms make DDoS attacks accessible to a wider range of threat actors by removing the need for technical expertise to launch an attack.

  • Politically motivated cyber campaigns have also become a significant force behind the growth of DDoS botnets. Nation-state-aligned or ideologically driven threat actors have increasingly used DDoS attacks to target critical national infrastructure and financial services in the UK, particularly in response to geopolitical tensions.

The surge in botnet-driven DDoS attacks poses growing risks for UK organisations. These attacks cause service outages, financial loss, and reputational damage, particularly in critical sectors like finance, healthcare, and government. Smaller organisations are especially vulnerable due to limited defences.

Regulatory and Governance Challenges in the UK

Cybercrime costs the UK economy an estimated £22B per year and affects both the public and private sectors. A recent surge in cyberattacks on major UK retailers, including M&S, Co-op and Harrods, prompted government officials to warn that these incidents must serve as a "wake-up call" for businesses nationwide. At the same time, concerns around corporate accountability have grown, with studies showing that only 27% of UK boards currently take active responsibility for cybersecurity oversight.

In response, the UK government and regulatory bodies are stepping up efforts to improve national cyber resilience. The National Cyber Security Centre (NCSC) has highlighted a widening "digital divide" between organisations that can adapt to fast-evolving, AI-enabled threats and those that cannot. At the NCSC's CyberUK conference, officials warned that by 2027, AI-enabled tools are set to enhance threat actors' ability to exploit known vulnerabilities. This will further reduce the already narrow window between vulnerability disclosure and exploitation, and increase pressure on defenders to respond faster and more effectively.

From a regulatory perspective, Q2 has brought a sharper focus on enforcement and compliance. The proposed Cyber Security and Resilience Bill aims to establish clearer obligations for organisations to maintain baseline security standards. In parallel, the Information Commissioner's Office (ICO) has issued warnings that failures to implement basic protections, such as multi-factor authentication (MFA), could lead to substantial financial penalties. Together, these developments signal a tightening regulatory environment in which UK businesses are expected to demonstrate stronger governance, faster response capabilities, and proactive cyber risk management to avoid legal, financial, and reputational consequences.

As we move deeper into 2025, the cyber threat landscape has become faster-moving, more decentralised, and increasingly difficult to contain. The UK remains a prime target for financially motivated actors and nation-state groups. With critical infrastructure under persistent threat and public sector accountability under scrutiny, the imperative to act decisively has never been clearer. To build meaningful resilience in the face of these evolving threats, organisations should prioritise:

  • Strengthening Identity and Access Management (IAM):

    • Implement and enforce strong Multi-Factor Authentication (MFA).

    • Regularly rotate and monitor credentials, particularly in cloud environments.

    • Adopt Zero Trust principles to limit lateral movement.

  • Enhancing Email and Endpoint Security:

    • Deploy advanced phishing detection and response tools.

    • Train employees to identify social engineering tactics, especially across email, SMS, and voice.

    • Use endpoint detection and response (EDR) to identify and isolate threats quickly.

  • Accelerating Vulnerability Management:

    • Prioritise patching of both zero-day and legacy vulnerabilities.

    • Conduct regular vulnerability assessments, red teaming, and threat modelling.

    • Protect edge devices (VPNs, routers, firewalls) with layered defences and network segmentation.

  • Securing the Supply Chain:

    • Conduct third-party risk assessments and demand security transparency from suppliers.

    • Monitor open-source components and repositories for compromised code.

    • Include supplier compromise scenarios in incident response plans.

  • Protecting Critical Infrastructure and OT:

    • Isolate OT environments and monitor for suspicious activity.

    • Deploy industrial control system (ICS) security tools with anomaly detection.

    • Collaborate with national cyber authorities for threat intelligence and support.

  • Preparing for Disruption:

    • Develop and test robust incident response and disaster recovery plans.

    • Invest in DDoS protection and resilient architectures to withstand surges.

    • Ensure backups are secure, immutable, and regularly tested for recovery readiness.

  • Driving Cyber Governance and Accountability:

    • Elevate cyber risk discussions to the board level.

    • Align with regulatory requirements (e.g., the UK's Cyber Security and Resilience Bill).

    • Regularly audit internal practices to close governance and compliance gaps.
