In 2025, Chief Information Security Officers (CISOs) and Chief Information Officers (CIOs) across Asia are grappling with an increasingly sophisticated ransomware threat landscape.
The 2025 Veeam Ransomware Trends report reveals a concerning shift towards smaller, opportunistic groups that exploit vulnerabilities in larger enterprises, making rapid detection and response essential.
The evolving ransomware threat in Asia
AI: Double-edged sword
AI is reshaping both attack and defence. Threat actors are leveraging AI to automate phishing, evade detection, and lower the technical barrier for launching sophisticated attacks.
As Ben Young, APAC CTO for Veeam, notes, "Attackers are getting more creative; they're even using AI to attack us. They've got probably a higher adoption rate of AI than probably enterprises do, which is worrying."
This reality means CISOs must invest in AI-driven defence while recognising that adversaries are innovating just as quickly.
Fragmentation and the rise of lone wolves
Law enforcement crackdowns have disrupted major ransomware-as-a-service (RaaS) groups; however, the threat remains far from diminished.
"We're seeing some of these groups disband, and they're coming up through what we class in our report as a lone wolf, so basically a threat actor that's just kind of operating on their own. We're seeing a lot more fragmentation through the ransomware market themselves," observes Young.
This fragmentation increases unpredictability and widens the attack surface, especially for small and medium-sized enterprises (SMEs) prevalent in Asia.
Shift to data exfiltration and rapid attacks
Ransomware tactics are shifting from slow, encryption-based attacks to "slash and grab" exfiltration. Young states, "The ransomware side of things is changing from kind of longer dwell times and encryption-based attacks to kind of slash and grab, kind of exfiltration-based attacks too, which have a very short dwell time. Which means we need to kind of be a bit more proactive in our kind of incident response planning than, I guess, reactive."
The window for detection is now measured in hours, not days, demanding rapid response capabilities.
Regional trends and regulatory responses
Government action and mandatory reporting
Governments across Asia are responding with stricter regulations. Japan's Active Cyber Defence Bill and Hong Kong's Critical Infrastructure Protection Law both mandate rapid incident reporting and cross-functional response planning.
Commenting on the former, Young opines, "That's a really good bill because it not only advocates for all the things that are good practice... but it also is like mandatory incident response reporting, which I think is critical."
Such measures are raising the bar for compliance and transparency, with a growing expectation for organisations to report incidents within hours.
Industry collaboration and public-private partnerships
The region is witnessing increased collaboration between IT and security teams, as well as between the public and private sectors.
"The general gist of it that I took from it, I suppose, is more intergroup collaboration, so security teams collaborating with IT teams, which actually resonates really well," says Young. This is echoed by Sue Gordon, former principal deputy director of U.S. National Intelligence:
"We are in a shared purpose of security, and we have to do that together. So, I don't think there's any way that we get to a future that is cyber secure without both the public and private entities, and their value propositions, coming together to find some solutions."
Key challenges for CISOs in 2025/2026
Persistent phishing and security hygiene gaps
Despite awareness, phishing remains the top initial access vector. Young points out, "Phishing has pretty much been the number one attack vector... a third of organisations haven't rolled out any cyber resiliency training, which is staggering."
The basics—regular training, simulated drills, and robust email security—are still not universally adopted, leaving many organisations exposed.
Budget pressures and the prevention-recovery balance
Security budgets are rising, but not always at a fast enough pace or in a balanced manner between prevention and recovery.
"Traditionally, security budgets have been slightly higher than kind of the recovery budgets, which I'm not gonna say that's right or wrong. They're about right, by the way, it's about 31 versus 28% of IT spend. So making sure they're balanced is the important thing," opines Young.
CISOs must present data-driven cases to boards, utilising industry reports to justify investments in both proactive and reactive capabilities.
Incident response and recovery readiness
The ability to recover from an attack is as vital as prevention. The Veeam Data Resilience Maturity Model (DRMM) reveals that only 50% of organisations can meet their recovery time objectives during disruption. The most successful organisations employ:
- Verified, immutable backups
- Multiple backup copies across locations
- Pre-defined incident response playbooks
- Regular testing and drills
- Transparent chain of command for crisis response
Young underscores the importance of backup hygiene: "It's all well and good storing the data, but unless we've actually tested that that backup is known and good and clean, then how can we trust it? We still know, the report still shows a very high percentage of attacks going after backup repositories".
New attack tactics and defensive innovations
Evolving ransomware tactics
Reports from Palo Alto Networks and CYFIRMA indicate that attackers are adopting increasingly aggressive extortion methods, including the use of fake data, insider threats, and turning off security controls. Manufacturing, wholesale, and professional services continue to be top targets. Attackers are also exploiting zero-day vulnerabilities and targeting cloud and endpoint security systems.
AI-driven defence and YARA rules
To counter these threats, CISOs are turning to AI for threat detection and response. Young notes the power of YARA rules: "YARA rules are extremely powerful – we use them within Veeam backup environment to detect malware and ransomware variants, alongside Threat Hunter and other security-focused features it puts you in the box seat to detect threats early on and ensure a clean recovery."
AI-driven analytics and automated playbooks are becoming essential for scaling defences and reducing dwell time.
Actionable recommendations for security leaders
- Foster cross-team and cross-industry collaboration: Break down silos between IT, security, and business units. Engage in regional partnerships and information sharing.
- Invest in AI-driven security and recovery: Deploy AI-powered detection, response, and backup validation tools to enhance security and recovery.
- Prioritise security hygiene: Ensure 100% coverage for phishing training, regular cyber drills, and robust endpoint protection.
- Balance budgets with data-driven insights: Use regional threat reports to justify balanced investment in both prevention and recovery.
- Test and automate recovery plans: Regularly verify backups, simulate incidents, and automate recovery workflows to meet stringent Recovery Time Objectives (RTOs).
The end is nigh
For CISOs and security professionals in Asia, 2025–2026 will be characterised by the increasing speed of attacks, the growing sophistication of adversaries, and the imperative for enhanced resilience. As Ben Young aptly summarises, "We need to make cybersecurity the DNA of an organisation."
"Everyone needs to think about cybersecurity, right from if you're just a frontline worker through to the development team, the security team, the IT team implementing things. Everything needs to work together as a group." Ben Young
The future belongs to those who prepare, collaborate, and adapt—turning risk into resilience.
Click on the PodChats player to pick out the details of the discussion with Young on the topic of AI-powered ransomware and how it's time for CISOs to rethink data resilience.
- Please give us your summary of the 2025 Ransomware Trends & Proactive Strategies report.
- How are ransomware groups adapting to law enforcement pressure, and what implications does this have for mid-to-large enterprises in Asia?
- How is the shift toward data exfiltration (vs. encryption-only attacks) impacting our incident response plans?
- Are we prepared for the legal and compliance risks associated with paying a ransom, considering new regional and international regulations?
- Do our backup and recovery strategies meet the "3-2-1-1-0" rule? Is this strategy still relevant in the era of hybrid data, AI everywhere, and digital-native workforces?
- Are cloud-based backups and managed services a viable strategy for improving resilience?
- How can organisations reduce dwell time for attackers between infiltration and detection?
- Are current employee training programs robust enough to prevent phishing/social engineering breaches?
- Are IT and security teams aligned to ensure rapid response during an attack?
- Should CISOs consider third-party incident response partnerships to reduce ransom payments?
- How will rising cybersecurity budgets be allocated between prevention, detection, and recovery? Do you have any tips on how CISOs can get the budget they need for the organisation?