Halcyon Reveals the 4 Tactical Shifts Defining Ransomware in Q2 2025
Ransomware is tightening its grip on global enterprises, with the Middle East emerging as one of the most vulnerable regions. Recent industry research shows that the average ransom demand has surged to $3.5 million, while nearly half of victims pay up under pressure despite negotiations. In the Gulf, recent campaigns against critical sectors – including energy, government, and finance – highlight the region’s rising exposure to these evolving attacks.
The latest findings highlight a stark reality: ransomware operators are finding ways around traditional Endpoint Detection & Response (EDR) tools, fueling debate over whether EDR alone can still protect organizations in today’s threat landscape.
According to the Halcyon Ransomware Malicious Quartile Q2-2025, ransomware operators are evolving faster than defenders, with four tactical shifts defining the Q2 landscape:
1. BYOVD Security Bypass: Crippling Kernel Defenses
Attackers are turning old, vulnerable drivers into secret keys that unlock even the most secure doors. Using the “Bring Your Own Vulnerable Driver” (BYOVD) tactic, groups like DragonForce can bypass kernel-level defenses — the deepest layer of the operating system — and shut down endpoint security tools. Once those protections are disabled, ransomware can spread unchecked.
2. VMware ESXi Under Siege: Knocking Out Virtual Offices
Hackers are hitting the servers that run many companies’ virtual offices, causing outages that ripple across entire organizations. Groups such as Qilin and Medusa are deploying custom payloads built for VMware ESXi environments, effectively taking down whole data centers and cloud systems in one strike.
3. Remote “Living-off-the-Land” Abuse: Hiding in Plain Sight
Criminals are hiding in plain sight by weaponizing the same remote management tools IT teams use every day. Sarcoma and others abuse Remote Monitoring and Management (RMM) software to move around networks stealthily. Because this traffic looks legitimate, attackers can linger for weeks, quietly mapping systems until they’re ready to deploy ransomware.
4. Credential Harvesting at Scale: Passwords as Master Keys
Thieves are scooping up saved passwords by the thousands and using them like master keys across entire businesses. Groups including Akira, Qilin, and DevMan harvest browser-stored credentials in bulk, making it easier to move laterally inside networks, maintain persistence, and maximize the damage of their attacks.
“The findings make one thing clear: ransomware has evolved into a systemic risk,” said Ray Kafity, VP, India, Middle East, Turkey & Africa, Halcyon. “Adversaries are moving faster and smarter, and no organization can rely solely on traditional cyber defense tools. From Europe to Asia to the Middle East, the pattern is the same — attackers are bypassing current endpoint protection platforms and targeting infrastructure at scale. Resilience, not prevention alone, is now the defining factor for survival.”