H1 2025 Threat Horizons Report

Cloud environments are facing an evolving threat from threat actors prioritizing data exfiltration, exploiting identity as the new perimeter, and adapting tactics to evade detection and attribution. This iteration of the Google Cloud Threat Horizons Report provides cloud security professionals with a deeper understanding of the threat with intelligence and actionable risk mitigations from Google’s security experts.

Ransomware and data threats in the cloud are not new. In Feb. 2024, Google Cloud security and intelligence experts exposed trends in the Threat Horizons Report, including threat actors prioritizing data exfiltration over encryption and exploiting server-side vulnerabilities. Further, our experts cited ransomware and data theft incidents or associated risks in cloud environments in our ten previous Threat Horizons Reports.

Despite the ongoing presence of ransomware and data theft risks, the trends we observed in the last half of 2024 reveal a concerning shift. Threat actors are not only refining their tactics, techniques, and procedures (TTPs) within cloud environments, but they are also becoming more adept at obscuring their identities. This evolution makes it harder for defenders to counter their attacks and increases the likelihood of ransom payments.