A significant surge in attempted ransomware assaults on Microsoft clients globally has been observed in the past year, as per the latest findings in Microsoft’s Digital Defense report published on October 15. Nonetheless, advancements in automated technologies for disrupting attacks have resulted in a decrease in the number of attacks that progress to the encryption phase.
Microsoft disclosed that there are approximately 600 million cybercriminal and nation-state attacks occurring daily. While there was a 2.75-fold increase in ransomware attempts, successful attacks involving data encryption and ransom demands diminished by three times.
Observed Patterns in Significant Attack Methods: deepfakes, e-commerce theft
Microsoft’s monitoring encompasses more than 1,500 distinct threat groups, including over 600 nation-state threat actor groups, 300 cybercrime groups, 200 influence operations groups, and various others. The foremost five ransomware families—Akira, Lockbit, Play, Blackcat, and Basta—contributed to 51% of documented attacks.
As documented in the report, attackers primarily leverage social engineering, identity compromises, and vulnerabilities in publicly accessible applications or unpatched operating systems. Once infiltrated, the attackers commonly deploy remote monitoring tools or manipulate security products. Remarkably, 70% of successful attacks involved remote encryption, with 92% targeting unmanaged devices.
Additional prevalent attack types included:
- Targeted infrastructure assaults.
- Instances of cyber-enabled financial fraud.
- Incidents in e-commerce sectors, where transactions can be conducted without the physical presence of the credit card.
- Instances of impersonation.
- Manipulation through deepfakes.
- Account takeover scenarios.
- Occurrences of identity and social engineering threats—mostly constituted by password theft attempts (99%).
- Instances of SIM swapping.
- Engagement in help desk social engineering, where perpetrators pose as customers to reset passwords or integrate new devices.
- Credential deception, especially through projects that provide phishing services. Often initiated through HTML or PDF attachments containing deceptive URLs.
- DDoS attacks that resulted in a global outage earlier this year.
A notable highlight of the preceding year was the prevalence of antivirus tampering, with Microsoft Defender XDR detecting over 176,000 incidents involving security settings tampering in 2024.
SEE: Ransom demands from malicious actors may be aimed at coercing payment by targeting backup data.
Tactics Shared by Nation-State and Financially-Motivated Actors
Microsoft’s analysis revealed that both financially-motivated threat actors and nation-state actors are increasingly utilizing identical information collection tools and command-and-control frameworks. Interestingly, financially-driven actors have now incorporated cloud identity compromise attacks—an approach previously associated with nation-state adversaries.
“This year witnesses a rising trend where state-affiliated threat actors are adopting criminal methodologies and tools—and sometimes even engaging with criminal entities—to further their objectives, blurring the distinction between malicious activities supported by nation-states and conventional cybercrime,” as stated in the report.
Microsoft closely monitors prominent threat actor groups originating from Russia, China, Iran, and North Korea. These countries might either collaborate with financial threat actors for mutual gain or choose to overlook their activities within their territorial boundaries.
Tom Burt, Microsoft’s corporate vice president of customer security and trust, highlighted that the ransomware crisis underscores the intricate link between nation-state actions and financially-driven cyber malfeasance. This issue is further complicated by nations that exploit such operations for financial gain or fail to address cybercrime occurrences within their borders.
An expert opinion from Evan Dornbush, a former NSA cybersecurity specialist, sheds light on the situation:
“The findings in this report spotlight a discreet trend that is currently receiving scant attention but is highly likely to shape the future of cyber activities: the substantial financial gains that criminal elements stand to reap,” stated in an email to TechRepublic. “According to the Microsoft report, governmental entities account for a mere 12% of aggressors’ primary targets. The vast majority of victims exist within the private sector.”
The sectors that faced the highest concentration of attacks by nation-state threat actors in the current year were:
- Information Technology (IT).
- Educational Institutions.
- Governmental Entities.
- Think Tanks and Non-Governmental Organizations (NGOs).
- Transportation Services.
Adoption of Generative AI by Both Offenders and Defenders
Generative AI introduces a fresh array of concerns. Microsoft suggests restricting generative AI’s access to confidential information and enforcing strict data governance protocols. The report underscores poignant revelations regarding the significant role of AI in cybersecurity:
- Increasing utilization of AI tools by both perpetrators and defenders.
- Capability of nation-state actors to produce misleading audio and video content utilizing AI.
- Common incidence of AI-oriented spear phishing attacks, résumé flooding tactics, and deepfake technology.
- Challenges in restricting foreign influence campaigns through traditional methods.
- Potential use of AI guidelines and principles to mitigate associated risks with AI tool implementation.
- Despite a consensus among various governments on the importance of security in AI deployment, diverse approaches are adopted to achieve this objective.
“It is imperative to curtail the sheer volume of attacks through robust deterrence measures,” articulated Burt. “While the tech industry must intensify efforts to thwart malicious activities by enhancing cybersecurity frameworks, this must be complemented by governmental initiatives to impose penalties that discourage the most detrimental cyber activities.”
Mitigating Common Cyber Attacks: Organizational Strategies
The Microsoft report delineates specific actions that organizations can undertake to avert common forms of cyber onslaughts. TechRepublic distilled actionable insights that hold universal applicability:
- Disrupt malicious endeavors at the tactic level by implementing strategies like multi-factor authentication and reducing the attack surface.
- Implement “secure-by-default” configurations, making multi-factor authentication mandatory.
- Emphasize robust password protection mechanisms.
- Verify the efficiency of preconfigured security protocols, such as security defaults or managed Conditional Access policies, by testing them in report-only mode before full implementation.
- Classify and label sensitive data to define DLP, data lifecycle, and Conditional Access policies governing high-risk data and users.
Microsoft initiated its Secure Future Initiative this year, following the intrusion by Chinese entities into Microsoft’s government email platforms in July 2023.
About Author
