An analysis of cyberattacks shared this week by WatchGuard Technologies finds there was a 171% increase in total unique network malware detections and a 712% increase in endpoint detections in the first quarter of 2025 compared with the previous quarter.
At the same time, the number of ransomware attacks declined 85% from the previous quarter, even though the second most detected malware threat was a ransomware payload known as Termite. As data backup and recovery capabilities have improved, cybercriminals appear to be shifting away from encryption-based extortion toward simply stealing data, according to the report.
It's also worth noting that the number of unique network signatures triggered, that is, known attacks detected on networks, decreased by 16% from last quarter as attackers focused on a narrower set of exploits.
The number of script-based cyberattacks is also down by about half this quarter, the lowest ever recorded by WatchGuard Technologies. Historically, script-based attacks have been the number one attack vector; however, other so-called Living off the Land (LotL) techniques increased 18% quarter over quarter.
The top malware detected over encrypted connections was Trojan.Agent.FZPI, a new malicious HTML file that merges legitimate-looking files with encrypted communication. This threat combines several techniques that threat actors have employed over the last few years into one super phishing attachment. Organizations must implement robust TLS inspection, behavioral analysis, and endpoint protection to detect and neutralize this threat.
The most widespread malware was Application.Cashback.B.0835E4A4, a newly identified threat and among the most prevalent malware families ever recorded, with the highest impact in Chile at 76% followed by Ireland at 65%, according to the report.
WatchGuard researchers also observed a 712% increase in new malware threats on endpoints. The top malware threat on the endpoint was LSASS dumper, a credential stealer that targets the Local Security Authority Subsystem Service, which Windows uses for tasks such as logging users onto systems, managing passwords, and creating access tokens. According to the report, cyberattackers exploit LSASS to access system components by bypassing user mode and performing direct kernel-mode instructions.
Corey Nachreiner, chief security officer for WatchGuard Technologies, said overall the increase in malware being discovered is troubling because it comes after several quarters of steady decline in these types of cyberattacks. That suggests cybercriminals are now becoming more adept at using artificial intelligence (AI) tools to create variations of malware that can’t be identified using traditional signature-based approaches to thwarting malware attacks, he added.
The rise of Application.Cashback variants also suggests that more sophisticated attacks are being crafted for specific geographic regions, he noted.
As cyberattacks continue to increase in both volume and sophistication, the need to rely more on managed security services is becoming increasingly obvious, especially for smaller organizations that are not easily going to find and retain their own cybersecurity teams, said Nachreiner. Too many of those organizations still rely on IT operations teams that are usually overwhelmed by other responsibilities to proactively address cybersecurity threats, he added.
The one thing that is certain is that cybersecurity adversaries are more organized than ever, which means the odds that any one organization will be able to thwart every possible threat on its own are now slim to none.