The number of attempted ransomware attacks on Microsoft customers around the world has increased dramatically over the past year, according to Microsoft's Digital Defense report, released October 15. However, advances in automatic attack kill technologies have led to fewer of these attacks reaching the encryption stage. .
Microsoft reported that 600 million attacks by cybercriminals and nation-states occur daily. While ransomware attempts increased by 2.75 times, successful attacks involving data encryption and ransom demands decreased by three times.
Important attack types include deepfakes and e-commerce theft.
Microsoft says it “tracks more than 1,500 unique threat groups, including more than 600 nation-state threat actor groups, 300 cybercrime groups, 200 influence operations groups, and hundreds of others.” The top five ransomware families (Akira, Lockbit, Play, Blackcat and Basta) accounted for 51% of documented attacks.
According to the report, attackers often exploit social engineering, identity compromises, and vulnerabilities in public applications or unpatched operating systems. Once inside, they often install remote monitoring tools or manipulate security products. Notably, 70% of successful attacks involved remote encryption and 92% targeted unmanaged devices.
Other major types of attacks included:
- Attacks on infrastructure.
- Cyber financial fraud.
- Attacks on e-commerce spaces, where credit card transactions do not require the card to be physically present.
- Interpretation.
- Deepfakes.
- Acquisition of accounts.
- Identity and social engineering attacks: the majority (99%) of which were password theft attacks.
- SIM exchange.
- Help desk social engineering, where attackers pose as customers to reset passwords or connect new devices.
- Credential phishing, particularly through phishing-as-a-service projects. These are often triggered by HTML or PDF attachments containing malicious URLs.
- DDoS attacks, which caused a global outage earlier this year.
Antivirus tampering was also a major factor last year: more than 176,000 incidents detected by Microsoft Defender XDR in 2024 involved tampering with security settings.
SEE: Ransomware actors can target backup data to try to force a payment.
Nation-state and financially motivated actors share tactics
Microsoft found that both financially motivated threat actors and nation-state actors are increasingly using the same information stealers and command and control frameworks. Interestingly, financially motivated actors are now launching identity-compromising attacks in the cloud, a tactic previously associated with nation-state attackers.
“This year, state-affiliated threat actors increasingly used criminal tools and tactics, and even criminals themselves, to advance their interests, blurring the lines between nation-state-backed malign activity and cybercriminal activity,” the report states.
Microsoft tracks major threat actor groups from Russia, China, Iran, and North Korea. These nation-states can leverage financial threat actors for profit or turn a blind eye to their activities within their borders.
According to Tom Burt, corporate vice president of security and customer trust at Microsoft, the ransomware issue highlights the connection between the activities of nation-states and financially motivated cybercrime. This problem is exacerbated by countries that exploit these operations for profit or fail to take action against cybercrime within their borders.
Expert Evan Dornbush, former NSA cybersecurity expert, offers insights on the matter:
“This report points out a trend that currently receives little attention and that will likely define the future of cyber: the amount of money criminals can make,” he said in an email to TechRepublic. “According to the Microsoft report, the government, as a sector, only represents 12% of attackers' targets. The vast majority of victims belong to the private sector.”
The sectors most targeted by nation-state threat actors this year were:
- HE.
- Education .
- Government.
- Think tanks and NGOs.
- Transport.
Both attackers and defenders use generative AI
Generative AI introduces a new set of questions. Microsoft recommends limiting generative AI access to sensitive data and ensuring that data governance policies are applied to its use. The report outlines the significant impacts of AI on cybersecurity:
- Both attackers and defenders are increasingly using artificial intelligence tools.
- Nation-state actors can generate deceptive audio and video with AI.
- AI-targeted phishing, resume swarming, and deepfakes are now common.
- Conventional methods of limiting foreign influence operations may no longer work.
- AI policies and principles can mitigate some risks associated with the use of AI tools.
- Although many governments agree on the need for security to be an important factor in the development of AI, different governments pursue it in different ways.
“The sheer volume of attacks must be reduced through effective deterrence,” Burt explained, “and while the industry must do more to negate the efforts of attackers through improved cybersecurity, this must be accompanied by government action to impose consequences. that further discourage the attack.” most damaging cyberattacks.”
How organizations can prevent common cyberattacks
Microsoft's report contains actions organizations can take to prevent specific types of attacks. TechRepublic summarized some practical insights that apply across the board:
- Disrupt attacks at the technical layer, which means implementing policies such as multi-factor authentication and attack surface reduction.
- Similarly, use the “secure by default” setting, which makes multi-factor authentication mandatory.
- Use strong password protection.
- Test preconfigured security configurations, such as security defaults or managed conditional access policies, in report-only mode to understand their potential impact before deployment.
- Classify and label sensitive data and have DLP, data lifecycle, and conditional access policies around high-risk data and users.
Microsoft launched its Secure Future Initiative this year, following the Chinese intrusion into Microsoft's government email accounts in July 2023.