2024 State of the Threat Report Reveals a Resilient and Evolving Threat Landscape

Secureworks annual report summarizes the biggest threats facing organizations today and how to combat them

The human cost of cybercrime has been made all too clear in the last year. Critical operations at hospitals have been delayed, workers have been left wondering if they’ll get paid, and millions of personal data records have been hacked. In parallel, hostile state actors have continued their operations unabated.

At the same time, some of the cybercriminals that inflicted this damage have also had a bumpy year. Sustained law enforcement activity against ransomware groups, such as LockBit or ALPHV/BlackCat, and against other threat actors who provide supporting services to the criminal ecosystem, has left in its wake a splintered landscape, one where traditional trust and loyalties have been eroded. Nevertheless, cybercriminals are resilient and agile, with a strong will to continue their criminal moneymaking.

This makes it essential that businesses understand what has changed and remain vigilant. Here are the key takeaways from our State of the Threat Report and what they mean for organizations:

Out with the Old, In with the New

The number of ransomware groups actively conducting attacks has increased 30% year-on-year, which, in the aftermath of law enforcement activity, represents fragmentation of an established criminal ecosystem. 31 new ransomware groups have entered the ecosystem, with varying levels of sophistication and success. There’s not yet a "market leader" in the same way that LockBit or ALPHV/BlackCat dominated. Affiliates were already fickle, but we expect that to only increase. Cybercriminals need business resilience and will look to ensure they have options in the face of law enforcement takedown operations.

Ransomware Dwell Times Stay Steady – But Not All Is As It Seems

Newer, more immature affiliate relationships are reflected in this year’s median dwell times, which hover around 28 hours. A single statistic doesn’t tell the whole story, as it straddles two distinct clusters of dwell times, one sitting well below the median, and the other well above. The good news is that comprehensive multi-site ransomware events are increasingly rare. The accompanying bad news is ransomware dwell times have been seen as short as 7 hours.

Opportunity Knocks with IAVs

Cybercriminals remain opportunists looking for the fastest and easiest way to compromise networks. Scan and exploit remains the largest initial access vector, followed by stolen or guessed credentials. Together, they were the attacker entry point in 72% of observed ransomware attacks. Security fundamentals are still the best defense.

Abuse of AI

Cybercriminal organizations are run like businesses. Like any organization, adversaries are keen to leverage AI for scale, speed, and efficiency wherever they can. Anything that helps the adversary scale beyond current limits is concerning. A secondary concern is the use of AI in more convincing social engineering and more automation in fraud - such as CEO fraud. Experimentation in the use of deepfakes in fraud is already upon us.

State-sponsored Threats

Unsurprisingly, national security concerns and the evolution of the geopolitical landscape continue to be the principal drivers for hostile state actors. Certainly, this is the case for the four that are generally of most concern: China, Russia, Iran and North Korea. These countries continue the campaigns against their usual targets.

For example, Russia is conducting destructive and espionage-driven attacks on Ukrainian resources and allies. China has evolved its tradecraft with huge investment in obfuscated networks whilst living off the land, in the edge and in the cloud. China's intent continues to focus on espionage as well as information theft for political, economic, or military gain. This year, the report also includes threat group activity related to the Israel-Hamas war, including some targeted attacks and hacktivist group activity.

We research and write the State of the Threat Report every year both to help organizations understand the true nature and scale of the threat and to suggest controls, tactics and strategies that will help defend networks.

Threat actors continually adapt and change to both survive and thrive in their surroundings. Tradecraft and tactics may change, but it remains clear that focusing on cybersecurity fundamentals is as critically important as ever. Know what you are protecting, ensure it's patched, manage your identities and access control, implement MFA and conditional access, and monitor your estate to detect and respond effectively to the visibility and security events your controls provide.

To read the report in full, see the 2024 State of the Threat Report.


ABOUT THE AUTHOR
DON SMITH
Vice President of Threat Research

Don Smith leads the global Secureworks Counter Threat Unit™ (CTU) Threat Research team. These experienced threat analysts, researchers, and data scientists apply established intelligence practices to deliver technical capabilities and actionable intelligence products to protect and inform Secureworks customers. Because cybersecurity is a team sport and collaboration is key, Don represents Secureworks in various industry and government forums. He is a member of the UK Cabinet Office National Cyber Advisory Board, the industry co-chair of the Strategic Cyber Industry Group in the UK National Crime Agency’s National Cybercrime Unit, the industry co-chair of the UK National Cyber Security Centre (NCSC) Cyber League, and a member of the Scottish Government National Cyber Resilience Advisory Board (NCRAB).