What 2025 May Hold for Cybersecurity | Intel 471


Jan 08, 2025
Background

Cybersecurity is dynamic, ever changing and unpredictable. This past year contained significant surprises. Who would have thought the largest data breach incident of 2024 would involve no malware or vulnerability exploitation? Ransomware, which has trended upward in the number of attacks and reached more than US $1 billion in ransoms paid in 2023, showed its continuing ability to severely hamper critical medical systems in the U.S., affecting 100 million people in one incident. Nation-state actors posed challenges, ranging from gaining persistent footholds in critical infrastructure to building significant botnets to executing complex cyber espionage operations. Law enforcement conducted more than 30 actions aimed at disrupting ransomware and malicious actors, yet their resiliency means many may restart their activity. 

Although this is a gloomy picture, there are reasons to be positive. Organizations are becoming more resilient against extortion and ransomware, with signs that fewer organizations decide to pay. The majority of financially motivated cybercrime can be proactively defended against by using cyber threat intelligence (CTI) to shine a light on the adversary, reveal their capabilities, understand their tactics, and unearth the tools they use. Strong identity and access management (IAM) and multifactor authentication (MFA) controls informed by CTI insights can prevent account takeover (ATO) and network intrusions. Monitoring underground markets for signs of possible stolen credentials can allow administrators to safeguard accounts and prevent unauthorized access. Zero-day vulnerability exploitation rose in 2023 and continued through this year — a type of wild-card attack that can be difficult to defend against — but many organizations are compromised by n-day exploits, for which a patch or mitigation already exists. Defense will never be easy, but it can always be improved upon, and leveraging CTI provides an intelligence advantage. Equipped with the intelligence they need, organizations can stay ahead of the fast-moving threat landscape, enabling them to maintain accurate threat assessments and help their stakeholders prioritize risk reduction efforts where it matters most.

Subject matter experts often make inaccurate predictions. Rather than try to predict the future, here are insights into what 2025 may hold based on Intel 471’s historical analyses of trends and intelligence collection.

Ransomware will remain steady

Ransomware and data extortion attacks are two significant operational and reputational risks to organizations, and we do not foresee a significant shift in this activity in 2025. Despite several law enforcement actions in 2024 targeting specific ransomware groups and components of the cybercrime-as-a-service economy, it remains a low-risk, high-reward type of crime that can be remotely facilitated across borders. Precise attack figures are elusive due to gaps in cyber incident reporting schemes. However, Intel 471 counted more than 3,800 victims in 2023 and more than 3,600 victims in 2024 in reporting periods extending from the start of the year through Nov. 27. It’s unlikely this slightly lower figure so far for 2024 indicates a change in the landscape, and the same volume of alleged attacks is likely through 2025. Extortion-only attacks, which involve the theft of data without encrypting it, will continue to be appealing to threat actors with less technical ability to conduct large-scale, network-wide encryption events.

There are anecdotal signs that attacked organizations are catching intruders earlier and, if the attack proceeds, have incident response and recovery plans that enable them to recover without paying a ransom. The era of large ransomware-as-a-service (RaaS) groups such as LockBit, which offer end-to-end tools and infrastructure for affiliates to carry out attacks, will likely decline. The LockBit group was targeted by Operation Cronos this year, a law enforcement operation that unveiled the group’s alleged operator, infiltrated its systems and recovered decryption keys to help victims. Similar to running large cybercriminal forums, running a large RaaS group attracts attention from law enforcement, which has honed its skills at disrupting them. Countering this, however, will likely be an increase in stealthier groups, which seek to profit using less prominent ransomware malware and blend in with the noise of other financially motivated actors. In 2023, ransomware actors used at least 68 variants of encrypting malware, a figure that rose to 96 as of Nov. 17, 2024. This means a more complicated scene for defenders, who must identify a diversifying set of malware strains and groups and a wider array of tactics, techniques and procedures (TTPs).

Regulatory pressures will rise

Organizations are under more pressure than ever to report cyber incidents faster and more completely than in the past. These new regulations have been propelled by consumer frustrations with data breaches, national security concerns regarding critical infrastructure and whether investors have adequate information about organizations’ readiness and resilience. This means organizations will continue to have to improve incident response times and reporting to regulators to avoid fines or legal action. In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is shaping rules around the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed into law in 2022. The act intends to help the U.S. government collect more accurate and timely information about attacks and would require reporting of a covered incident within 72 hours and the payment of a ransom within 24 hours. The act directs CISA to develop rules around how cyber incidents should be reported, what should be reported and the time frames for reporting. Industry groups are pushing back against draft rules. With CISA Director Jen Easterly departing CISA upon President-elect Donald Trump’s return to the White House Jan. 20, 2025, the rules related to CIRCIA could change, as one of Trump’s campaign issues was reducing government red tape.

The European Union (EU) is also addressing the resilience of critical infrastructure with its consequential cybersecurity legislation, the Network and Information Security Directive (NIS2). NIS2 is a major shake-up of how organizations manage cyber risks, requiring proactive security policies, business continuity, vulnerability management and incident response. It requires considerable investments in cybersecurity infrastructure across the public and private sectors. NIS2 affects tens of thousands of mid-sized and large organizations in energy, transport, banking, health, water, digital infrastructure, information and communications technology (ICT) service management, public administration and space. EU member states are required to pass their own implementation laws for NIS2. Several EU states did not meet the Oct. 17, 2024, deadline but many are expected to have their own laws in place by 2025.

Artificial intelligence (AI) will enhance attacks

In 2024, the AI naysayers became almost as loud as its proponents, with questions regarding how much large language models (LLMs) can improve, questionable scraping of training material and why LLMs aren’t great at math. But AI shows strong capabilities with narrowly focused tasks, such as search, chatbots, image and text generation and simple coding tasks. Cybercriminals and nation-state actors have shown interest in applying LLMs to some of the mundane tasks they’re faced with when trying to breach organizations. Microsoft and OpenAI disabled accounts used by Russian, Iranian, Chinese and North Korean threat actors. Those actors were using OpenAI’s services for productivity-enhancing tasks, such as researching companies, finding cybersecurity tools, debugging code, writing basic scripts, creating content for phishing campaigns and translation. Predicting AI’s course over the next year would be a fool’s errand, as this is a field that has surprised machine learning (ML) and AI experts due to both middling progress for years and then sudden leaps. AI is becoming cheaper and more accessible via open source models, which allows more malicious actors to experiment. This has resulted in more customized AI tools being offered on forums. The risks are already here. While threat actors may not be writing exploits with AI (yet), productivity gains are worrisome in that they increase the scale and quality of attacks, whether through polished phishing, better selected targets or faster and more complete reconnaissance. Also, visibility into how nation-state adversaries are using LLMs will fall as countries develop their own LLMs. The status quo now — where natively developed LLMs aren’t as good as OpenAI — gives OpenAI and Microsoft an insightful window into threat actor activity. Actors have to enter prompts, and all of those prompts can be correlated and analyzed as to where they’re coming from, what they’re asking and their likely goals. It’s like looking over the shoulder of adversaries while they’re plotting. This position won’t last, however.

Malware distribution will bounce back

One of the most significant law enforcement operations of 2024, Operation Endgame, targeted several types of “dropper” or “loader” malware — initial stage infections that can download other malware. The operation focused on IcedID, SystemBC, Pikabot, SmokeLoader and Bumblebee, which threat actors used to distribute other malicious code that could eventually lead to ransomware. The operation led to four arrests and the takedown of more than 100 servers worldwide. This action appeared immediately successful, with the targeted malware families dropping in circulation. These law enforcement operations impose costs on threat actors, as it takes time, effort and money for them to reconstitute malware distribution infrastructure. Intel 471’s malware emulation and monitoring system showed a sharp drop between the second and third quarter in delivered payloads, or to put it another way, malware observed delivering other malware. This could be the result of the disruptions. Since the distribution of loader or dropper malware is critical for follow-on attacks, there is market demand for access to compromised machines. As such, Intel 471 has observed one targeted malware family, Bumblebee, rebound with a new version circulating in October 2024. The Bumblebee campaign yet again proves that dismantling a malware campaign’s infrastructure does not guarantee its permanent elimination. Despite exhibiting low activity and lacking significant sophistication or unique distribution methods, the observed changes in development indicate the actors are actively refining their malware. We would expect overall malware distribution to increase in 2025.

Rising geopolitical tension will influence cyber

Geopolitical events and cybersecurity are becoming ever more closely entwined. Offensive cyber actions are used by nations for espionage, intellectual property (IP) theft, pre-positioning in case of conflict and spreading misinformation. China poses one of the most formidable adversaries, as it has targeted government and civilian infrastructure at scale. U.S. FBI Director Christopher Wray has said China “has a bigger hacking program than every other major nation combined. In fact, if each one of the FBI’s cyber agents and intelligence analysts focused exclusively on the China threat, China’s hackers would still outnumber FBI cyber personnel by at least 50 to 1.” Russia, which continues a grinding war campaign in Ukraine, has long-running and highly effective advanced persistent threat (APT) groups that have continually demonstrated their expertise in infiltrating supply chains and compromising major software vendors. The election of Trump for a second, non-consecutive term could change how the U.S. Department of Justice conducts cyber-related investigations. For at least a decade, the department has been aggressive in identifying, naming, sanctioning and indicting Russian, Chinese, Iranian and North Korean threat actors, both in the nation-state and financially motivated cybercrime spheres. A perceived weakening in how the U.S. approaches holding threat actors publicly accountable for their actions could open the door to more aggressive activity. However, cybersecurity has generally been one of the few non-partisan issues in an increasingly hostile U.S. political environment, so the department may be left to continue its solid work in holding threat actors accountable.
