Cyber Threats in 2024: Key Insights for Risk Leaders and Boardrooms
Ransomware continues to be a major challenge, but data theft and extortion are equally problematic.
Ransomware has evolved into one of the most damaging and costly threats to organisations globally, accounting for around 20-30% of malware-related incidents in 2023. According to Verizon’s 2024 Data Breach Investigations Report (DBIR), the median ransom payment rose to $46,000 from $26,000 the previous year as attackers refined their extortion techniques. NTT’s 2024 Global Threat Intelligence Report noted “In 2023, there was a rise in both victims and payments, with more than 5,000 victims being posted across multiple channels, up from approximately 3,000 in 2022”. Notably, the LockBit ransomware group alone accounted for around 25% of global ransomware incidents in 2023, with attacks affecting hospitals, government agencies and major corporations. Manufacturing is often cited as the most targeted sector, almost certainly because of its size and its contribution to global GDP. However, the Trellix CyberThreat Report notes that transportation and shipping accounted for 45% of detections in Q1 2024.
Newer ransomware strains like Akira and Play have also emerged as prominent threats, demonstrating that the ransomware landscape is constantly evolving and that attackers are quick to adopt new tools and techniques. These variants often employ double extortion tactics, where data encryption is coupled with the threat of releasing sensitive data unless the ransom is paid.
Ransomware remains a prominent threat in 2024. Kroll’s H1 2024 review noted a 2% increase in ransomware and, despite global law enforcement action, LockBit and its affiliates remain active, accounting for 19% of ransomware activity. ESET concludes from its telemetry that the group’s downloader is now used mainly by non-LockBit groups, a sign that the tooling outlives the disruption of the operation itself. Regardless, the same report confirms that ransomware groups and campaigns remain a significant threat. WithSecure also reports that the volume of reported ransomware incidents remains high, with a growing focus on small and medium-sized organisations, which make up 61% of incidents; 77% of all victims posted to leak sites are in the US or Europe.
Whilst ransomware continues to make the headlines, Mandiant noted that data theft and leaking remain a significant focus of threat actors. CrowdStrike’s threat research reported a 76% increase in the number of victims named on leak sites, and IBM X-Force calculated that data theft accounted for 32% of incidents in 2023. Governments and enterprises therefore need to defend against data loss and extortion as much as against encryption itself.
Recommendations:
- Implement attack surface management to minimise internet-facing exposure: identify and mitigate vulnerabilities, require MFA for access to external-facing assets such as web applications and remote access gateways, and deploy endpoint detection and response (EDR) to detect and contain ransomware before it spreads across the network. Mandiant reported that dwell times fell in 2023, indicating better detection tooling and response planning.
- Ensure robust backup, recovery processes, and incident response plans, to minimise disruption.
- Train employees on phishing awareness, as phishing continues to be a key entry point for most ransomware attacks.
Geopolitical Cyber Threats Target Critical Sectors.
Geopolitical tensions are driving the escalation of cyber-attacks by nation-state actors, with espionage, influence campaigns, and critical infrastructure disruption at the core of these operations. Reports from Microsoft, CrowdStrike and IBM highlight the growing sophistication of Chinese and Russian cyber campaigns. These actors target both military and civilian infrastructure, aiming to destabilise adversaries and collect valuable intelligence.
The Chinese group Volt Typhoon has been particularly active, targeting U.S. critical infrastructure, including the communications, utilities and transportation sectors. Microsoft has tracked this group since 2021, noting its campaign “to infiltrate networks within US critical infrastructure organisations including in the communications, utility, transportation, government, and information technology sectors”. Volt Typhoon relies on stealthy “living-off-the-land” techniques, using the operating system’s own administrative tools rather than custom malware, which makes its activity hard to distinguish from legitimate administration. Between mid-January and March 2024, Trellix telemetry recorded over 7,100 malicious activities associated with Volt Typhoon, with periodic spikes across that period.
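Because living-off-the-land activity uses signed, built-in binaries, detection has to key on how a tool is used and what launched it rather than on the tool itself. The following is an added example, not code from the page or from any vendor report it cites: it runs a small rule set over constructed process-creation events. The indicator set (netsh portproxy for pivoting, ntdsutil for dumping Active Directory, remote WMI process creation, registry hive export) is an illustrative selection of commonly reported LOTL patterns, and the parent-process list and event records are assumptions for the demo.

```python
"""Flag living-off-the-land (LOTL) activity in process-creation telemetry.

Added illustration, not from the page or any report it cites. The events,
parent list and rule set below are constructed for the demo; tune them
against your own baseline before deploying anything like this.
"""
import re
from typing import Dict, List

# Each rule is (name, regex over the command line). Built-in tools are dual-use,
# so the patterns target specific abusive usages, not the mere presence of the tool.
RULES = [
    ("netsh_portproxy", re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I)),
    ("ntdsutil_ifm", re.compile(r"\bntdsutil\b.*\bifm\b", re.I)),
    ("wmic_remote_exec", re.compile(r"\bwmic\b.*/node:.*\bprocess\b.*\bcall\b.*\bcreate\b", re.I)),
    ("reg_save_hive", re.compile(r"\breg(\.exe)?\s+save\s+hklm\\(sam|system|security)\b", re.I)),
]

# Admin tooling spawned by a web server or Office application is a strong signal
# regardless of the command line. Both sets are assumed for the example.
ADMIN_TOOLS = {"cmd.exe", "powershell.exe", "netsh.exe", "ntdsutil.exe", "wmic.exe", "reg.exe"}
UNEXPECTED_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "winword.exe", "excel.exe", "outlook.exe"}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule a single process-creation event trips."""
    hits = [name for name, rx in RULES if rx.search(event["cmdline"])]
    if event["image"].lower() in ADMIN_TOOLS and event["parent"].lower() in UNEXPECTED_PARENTS:
        hits.append("unexpected_parent")
    return hits


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Reduce a stream of events to the ones worth an analyst's attention."""
    alerts = []
    for ev in events:
        hits = classify(ev)
        if hits:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"], "hits": hits})
    return alerts


# Constructed sample telemetry: hosts, users and addresses are placeholders.
EVENTS = [
    {"host": "web01", "user": "IIS APPPOOL\\DefaultAppPool", "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c netsh interface portproxy add v4tov4 listenport=8443 "
                "listenaddress=0.0.0.0 connectport=3389 connectaddress=10.0.0.7"},
    {"host": "web01", "user": "SYSTEM", "parent": "services.exe", "image": "svchost.exe",
     "cmdline": "svchost.exe -k netsvcs -p"},
    {"host": "dc01", "user": "CORP\\svc-backup", "parent": "cmd.exe", "image": "ntdsutil.exe",
     "cmdline": 'ntdsutil.exe "ac i ntds" ifm "create full C:\\Windows\\Temp\\ad" q q'},
    {"host": "ws17", "user": "CORP\\alice", "parent": "explorer.exe", "image": "netsh.exe",
     "cmdline": "netsh.exe advfirewall show allprofiles"},   # benign netsh use: must not fire
    {"host": "ws17", "user": "CORP\\alice", "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic.exe /node:10.0.0.5 /user:corp\\svc process call create "cmd.exe /c whoami"'},
    {"host": "dc01", "user": "SYSTEM", "parent": "cmd.exe", "image": "reg.exe",
     "cmdline": "reg.exe save hklm\\sam C:\\Windows\\Temp\\sam.hiv"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['host']:6} {alert['user']:28} {alert['image']:13} {', '.join(alert['hits'])}")
```

The benign netsh firewall query on ws17 is included deliberately: a rule that fires on every netsh.exe would drown the one event that matters (a web worker process spawning a port-proxy command), which is exactly the noise LOTL tradecraft relies on.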
Russia, meanwhile, has continued its aggressive cyber operations related to the Ukraine conflict. Cadet Blizzard and other Russian state actors have been involved in espionage and wiper attacks against NATO countries, with a focus on critical sectors such as energy, defence, and transportation. These attacks often coincide with hacktivist campaigns designed to amplify their effects through misinformation and influence operations.
Recommendations:
- Understand the attack surface, identify high value assets and data, and invest in intelligence-driven detection and response capabilities that can identify state-sponsored attacks early.
- Adopt a Zero Trust approach to identities, devices, networks, applications and data, using MFA for all accounts and implementing privilege management.
- Collaborate with government agencies and international cybersecurity groups to share intelligence and coordinate defences.
- Increase resilience by developing and regularly updating incident response plans to prepare for espionage and destructive attacks, ensuring they account for state-sponsored tactics like misinformation and social engineering.
Supply Chain Attacks are Expanding.
Supply chain attacks are becoming increasingly prevalent, as cybercriminals target vendors and service providers to gain indirect access to larger, more secure organisations. These attacks exploit the interconnectedness of businesses, often bypassing the direct defences of major companies by infiltrating smaller partners.
NTT’s threat intelligence notes that "shared vendors, hosting providers, and applications are increasingly being targeted in the hope that they can be used as conduits to target their customers." This trend poses a critical risk to industries reliant on third-party services.
A significant example of the consequences of supply chain vulnerabilities is the widespread compromise caused by the MOVEit vulnerability in mid-2023. The ransomware group Cl0p exploited a vulnerability in Progress Software’s MOVEit Transfer file transfer product, affecting over 100 organisations globally, many of them indirectly through service providers that ran the software on their behalf. The ripple effect of this attack highlights the danger of supply chain breaches, where a single vulnerability can lead to a multitude of organisations being compromised simultaneously.
Supply chain attacks show no sign of slowing in 2024. In June, Qilin carried out a successful attack on Synnovis, a UK pathology services partnership between several London hospitals and SYNLAB. The group has since published 400GB of sensitive data, but the clinical impact was greater, leading to the postponement of over 1,000 elective procedures. It remains unclear whether the company was targeted because of its close association with the NHS, or whether the cancelled operations were an unintended consequence. Either way, criminal gangs are becoming more sophisticated and plan for maximum disruption to increase their leverage in ransom negotiations.
Recommendations:
- Identify all supply chain partners and evaluate risk to operations if business continuity is compromised.
- Plan for supply chain partner compromise in incident response planning.
- Implement strong access controls and multi-factor authentication (MFA) for third-party access.
Phishing and Business Email Compromise are sticking around.
Phishing remains one of the most effective and frequently used attack vectors for cybercriminals, largely because it exploits human error rather than relying solely on technological weaknesses. In 2023, phishing attacks grew in sophistication, with threat actors deploying tactics to bypass traditional defences, including fake login pages, malicious attachments and QR code-based phishing, which moves the malicious link off the monitored mail gateway and onto the user’s personal phone. This trend reflects the continued success of phishing as an entry point for more complex attacks, such as ransomware and data exfiltration. Phishing attacks increasingly targeted industries that manage large volumes of sensitive data, such as the healthcare, finance and government sectors.
Business Email Compromise (BEC) attacks, which often begin with phishing, have grown in both frequency and complexity. BEC typically involves impersonating a trusted individual, such as a senior executive, a finance officer or a supplier, to trick employees into transferring money or disclosing sensitive information. What makes BEC particularly dangerous is that it bypasses many technical security controls: there is often no malware or malicious link to detect, only a plausible request. BEC scams have shifted towards more targeted approaches, using social media research and generative AI to produce convincing messages. Attackers often research their targets thoroughly, monitoring their communication styles and business relationships before launching an attack. In some cases, cybercriminals have infiltrated corporate mailboxes and waited patiently for the right moment to hijack a high-value transaction.
Recommendations:
- Implement robust email filtering that can detect and block phishing attempts before they reach users’ inboxes, and deploy multi-factor authentication (MFA) across all systems to reduce the value of harvested credentials. Prefer phishing-resistant methods such as FIDO2 security keys where possible, since one-time codes and push approvals can be relayed by adversary-in-the-middle phishing kits.
- Train employees regularly on how to recognise phishing emails, BEC scams, and suspicious links or attachments. Conduct regular phishing simulations to evaluate employee awareness and improve resilience to these attacks.
- Monitor inbound and internal communications for anomalies, such as unusual requests for wire transfers or changes to supplier payment details, and establish clear protocols for verifying such requests out of band (for example, a call-back to a number already on file, never one supplied in the email).
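The impersonation patterns described in the BEC paragraph above translate directly into header and content checks that a mail pipeline or SOC script can apply. The following is an added example, not code from the page or from any vendor cited on it: it screens constructed messages for four BEC indicators (an executive’s display name paired with an external address, a lookalike sender domain, a Reply-To pointing at a different domain than From, and payment-change language). The tenant domain, the executive directory and the messages are all assumptions for the demo.

```python
"""Triage inbound mail for common Business Email Compromise indicators.

Added illustration, not from any report cited on the page. OUR_DOMAIN, the
executive directory, the confusable table and the sample messages are
constructed for the demo.
"""
import re
from email.utils import parseaddr
from typing import Dict, List

OUR_DOMAIN = "example.com"                         # assumed tenant domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed: display name -> genuine address
PAYMENT_LANGUAGE = re.compile(
    r"\b(wire transfer|bank details|new account|change of account|payment details|remittance|urgent)\b",
    re.I,
)
# Substitutions that look alike in common fonts; used only for comparison against OUR_DOMAIN.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typo-squats of our domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    domain = domain.lower()
    if domain == OUR_DOMAIN:
        return False
    return normalise(domain) == OUR_DOMAIN or levenshtein(domain, OUR_DOMAIN) <= 1


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(msg: Dict[str, str]) -> List[str]:
    """Return the BEC indicators present in one message, in a fixed order."""
    name, addr = parseaddr(msg["from"])
    flags = []
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:          # exec name, wrong mailbox
        flags.append("display_name_impersonation")
    if is_lookalike(domain_of(addr)):
        flags.append("lookalike_domain")
    reply_to = parseaddr(msg.get("reply_to", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):   # replies diverted elsewhere
        flags.append("reply_to_mismatch")
    if PAYMENT_LANGUAGE.search(msg["subject"] + " " + msg["body"]):
        flags.append("payment_language")
    return flags


def triage(messages: List[Dict[str, str]]) -> Dict[str, List[str]]:
    return {m["id"]: analyse(m) for m in messages}


# Constructed sample messages; example.* domains are reserved for documentation.
MESSAGES = [
    {"id": "m1", "from": "Jane Doe <jane.doe@webmail.example.net>", "subject": "Urgent wire transfer",
     "body": "Are you at your desk? I need a wire transfer completed before 3pm, I am in a meeting."},
    {"id": "m2", "from": "Accounts Payable <ap@exarnple.com>", "reply_to": "ap@exarnple.com",
     "subject": "Updated bank details for invoice 4471",
     "body": "Please use the new account below for all future payments."},
    {"id": "m3", "from": "Jane Doe <jane.doe@example.com>", "subject": "Board pack for Thursday",
     "body": "Attached is the draft pack for review."},
    {"id": "m4", "from": "Vendor Billing <billing@vendor.example.org>", "reply_to": "billing@mail.example.net",
     "subject": "Change of account for remittance",
     "body": "Our banking provider has changed; see the attached letter."},
]

if __name__ == "__main__":
    for msg_id, flags in triage(MESSAGES).items():
        print(msg_id, flags or "clean")
```

Note that m2 and m4 carry no executive name at all; supplier-side account changes are the BEC variant that most often gets past people who have only been trained to distrust messages from the CEO, which is why the payment-language check runs on every message and pairs with the out-of-band verification protocol recommended above.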
Exploited Vulnerabilities are Key Attack Vectors.
Exploiting known vulnerabilities continues to be one of the most prevalent methods attackers use to gain initial access to networks and systems. In 2023 and 2024, vulnerabilities in widely used software and platforms such as Microsoft Exchange, Citrix, and managed file transfer applications like MOVEit were frequently targeted by both financially motivated and state-sponsored actors. Attackers prioritise unpatched systems, taking advantage of delays in patching to execute large-scale attacks.
One of the critical observations from the reports is that a substantial portion of these attacks stems from edge devices and appliances (VPN gateways, file transfer servers, load balancers) that lack robust security visibility and monitoring, largely because conventional EDR agents cannot be installed on them. For example, the MOVEit zero-day vulnerability (CVE-2023-34362) was exploited in 2023, allowing attackers to steal sensitive data from a range of sectors including healthcare and finance.
Attackers are increasingly using zero-day vulnerabilities to gain unauthorised access to systems before patches are available. For instance, Mandiant observed a significant rise in zero-day exploits in 2023, with a 56% increase in unique vulnerabilities exploited in-the-wild compared to the previous year. Many of these attacks, particularly those orchestrated by state-sponsored groups like Chinese espionage actors, focus on stealth and long-term persistence.
Despite the focus on zero-day vulnerabilities, older vulnerabilities continue to be widely exploited. Legacy systems and outdated software, often found in critical sectors like healthcare and manufacturing, remain common targets due to their slow patching cycles. Attackers exploit these unpatched vulnerabilities to establish a foothold, move laterally, and steal data.
Reports also highlighted that rapid automation of vulnerability scanning and exploitation has allowed attackers to find and compromise unpatched systems almost immediately after vulnerabilities are disclosed.
Recommendations:
- Prioritise Patch Management: Implement a streamlined patch management process that ensures timely updates to critical systems, with visibility over both newly disclosed vulnerabilities and older ones that remain actively exploited.
- Enhance Vulnerability Intelligence: Use the Exploit Prediction Scoring System (EPSS), which estimates the probability that a vulnerability will be exploited in the wild within the next 30 days, alongside exploited-in-the-wild lists such as CISA’s Known Exploited Vulnerabilities catalogue, to prioritise patching by actual risk rather than by CVSS severity alone.
- Segment Networks and Use Defence-in-Depth: Isolate critical systems from the broader network using segmentation techniques. Deploy layers of defence such as monitoring, encryption, and endpoint detection and response (EDR) to minimise the impact of potential breaches.
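The recommendations above describe a risk-based ordering of patches; the following added example, which is not code from the page or from any report it cites, shows one concrete way to compute it. It combines exploitation likelihood (EPSS, or certainty if the item is on a known-exploited list), severity (CVSS) and exposure (internet-facing, critical asset) into a score and a tier. The identifiers (DEMO-xxxx placeholders, not real CVE IDs), scores, asset context, weights and SLA days are all constructed assumptions; in practice the EPSS and KEV fields would be populated from FIRST’s EPSS data and CISA’s KEV catalogue.

```python
"""Rank vulnerability findings by exploitation risk rather than CVSS alone.

Added illustration, not from any report the page cites. Identifiers are
DEMO-xxxx placeholders (not real CVEs); scores, weights, asset context and
SLA days are assumptions for the demo.
"""
from dataclasses import dataclass
from typing import List, Tuple

SLA_DAYS = {"P1": 3, "P2": 14, "P3": 30, "P4": 90}   # assumed remediation policy


@dataclass
class Finding:
    vuln_id: str
    cvss: float            # CVSS base score, 0-10
    epss: float            # EPSS: probability of exploitation in the next 30 days, 0-1
    in_kev: bool           # listed in CISA's Known Exploited Vulnerabilities catalogue
    internet_facing: bool  # reachable from the internet
    critical_asset: bool   # supports a crown-jewel process or dataset


def likelihood(f: Finding) -> float:
    # Known-exploited is a certainty, not a prediction, so it overrides EPSS.
    return 1.0 if f.in_kev else f.epss


def exposure(f: Finding) -> float:
    m = 1.0
    if f.internet_facing:
        m *= 2.0
    if f.critical_asset:
        m *= 1.5
    return m


def priority_score(f: Finding) -> float:
    # likelihood x severity x exposure; maximum is 1.0 * 1.0 * 3.0 = 3.0
    return round(likelihood(f) * (f.cvss / 10) * exposure(f), 3)


def tier(f: Finding) -> str:
    if f.in_kev and f.internet_facing:   # exploited in the wild and reachable: no debate
        return "P1"
    s = priority_score(f)
    if s >= 1.0:
        return "P1"
    if s >= 0.3:
        return "P2"
    if s >= 0.05:
        return "P3"
    return "P4"


def prioritise(findings: List[Finding]) -> List[Tuple[str, str, float, int]]:
    """Return (id, tier, score, SLA days) ordered from most to least urgent."""
    ranked = sorted(findings, key=priority_score, reverse=True)
    return [(f.vuln_id, tier(f), priority_score(f), SLA_DAYS[tier(f)]) for f in ranked]


# Constructed findings chosen to show where CVSS-only ordering goes wrong.
FINDINGS = [
    Finding("DEMO-0001", cvss=9.8, epss=0.97, in_kev=True, internet_facing=True, critical_asset=False),
    Finding("DEMO-0002", cvss=9.9, epss=0.004, in_kev=False, internet_facing=False, critical_asset=True),
    Finding("DEMO-0003", cvss=7.5, epss=0.62, in_kev=False, internet_facing=True, critical_asset=True),
    Finding("DEMO-0004", cvss=6.5, epss=0.10, in_kev=False, internet_facing=False, critical_asset=False),
    Finding("DEMO-0005", cvss=8.8, epss=0.02, in_kev=True, internet_facing=False, critical_asset=False),
]

if __name__ == "__main__":
    for vuln_id, t, score, days in prioritise(FINDINGS):
        print(f"{vuln_id}  {t}  score={score:<6} fix within {days} days")
```

DEMO-0002 has the highest CVSS score in the set and ends up last: with a 0.4% EPSS probability on an internal host, it is a real but low-urgency item, while DEMO-0003, a 7.5 that is both exploited at scale and exposed, jumps to P1. That inversion is the whole point of adding exploitation intelligence to the patching queue.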
Key Takeaways for Executives and Boardrooms.
- Ransomware Defence is Critical: Prioritise ransomware-specific defences, implement backup solutions, and train staff to recognise phishing threats.
- Geopolitical Threats are Rising: Strengthen defences against state-sponsored APTs targeting critical sectors and collaborate with national cybersecurity agencies.
- Secure Your Supply Chain: Assess third-party risks and enforce strong access controls.
- Stay Vigilant on Phishing and Vulnerabilities: Train employees to recognise phishing, patch vulnerabilities promptly, and use advanced threat detection systems.
- Prepare for AI-Driven Attacks: Plan for attackers’ use of generative AI in social engineering, as already seen in BEC, and for the continued growth of ransomware-as-a-service; invest in detection tooling that keeps pace.