The Yarix 2025 Cybersecurity Report confirms that ransomware and information leaks continue to be the main threats to organizations in Spain, accounting for most of the incidents monitored during the last year. This prominence of ransomware highlights the evolution of this type of attack, which is increasingly sophisticated and targeted. This is stated in the National Report on the Panorama of Cybersecurity Threats 2025, prepared by Yarix, the Var Group’s specialized cybersecurity brand, based on the analysis of approximately 1,000 real incidents detected in the country.

Initial access agents as a gateway

The study shows that the threat landscape continues to expand beyond traditional malware, although ransomware continues to be a central axis of the most critical attacks. Added to this are DDoS attacks, unauthorized access and the activity of so-called initial access agents, which in many cases act as a gateway for more complex, structured and persistent ransomware campaigns.

According to the report, strategic sectors such as finance, energy, transportation and public administrations are among those most affected by cybersecurity incidents during 2025, with ransomware being one of the most recurrent threats in these environments. The exposure of personal, corporate and operational data – frequently associated with ransomware attacks with double extortion – continues to be one of the most common consequences, with a direct impact on the business continuity and reputation of organizations.

In the words of Juanjo Pérez Mostajo, Cybersecurity Area Head of Var Group Iberia: “The Yarix 2025 report puts in black and white a reality that we see every day in organizations: attacks, especially those related to ransomware, are not only more frequent, but also more structured and persistent. Facing this scenario requires moving from reactive models to cybersecurity strategies based on early detection, automation and continuous response to threats such as ransomware.”

Incidents with repeating patterns

Yarix's analysis also reveals that incidents do not occur in isolation, but rather follow repeated patterns, long campaigns, and well-defined chronologies. Many of these campaigns have the final objective of carrying out ransomware attacks, which shows the planning and professionalization of cybercriminals. This context highlights the limitations of manual detection approaches and reinforces the need for more advanced models to anticipate ransomware attacks and other threats.

In this sense, the report highlights the importance of automated Security Operations Centers (SOC), capable of correlating events, detecting attacks in early phases and reducing response times to ransomware campaigns. The sustained growth of incidents related to ransomware, DDoS and initial access confirms that automation and applied intelligence are already key elements in the defense of organizations in Spain against this type of risk.

With this report, Yarix offers a precise x-ray of the real state of cybersecurity in Spain in 2025, highlighting the predominant role of ransomware in the current panorama. The document provides information based on real incidents and aimed at helping organizations better understand the threat environment, reinforce their protection strategies and improve their ability to respond to ransomware attacks in an increasingly complex and dynamic context.