The ransomware threat will remain one of the most serious security risks in 2025. In the first half of the year, our CERT forensically investigated more than 50 incidents and evaluated several hundred more based on telemetry data. In this presentation, we summarize the key findings on LockBit 4.0 and Akira, as well as the emerging groups RansomHub, Ralord, Fog, and Lynx. Common characteristics include initial access via unpatched VPN and edge devices, lateral movement using legitimate admin tools, data exfiltration via DNS tunneling, and increasing "exfil-only" extortion without encryption. In addition, we examine new attack patterns such as MFA fatigue attacks and the misuse of backup appliances as pivot points. From these findings, we derive concrete defense measures – from consist ...