Microsoft: Ransomware Attacks Growing More Dangerous, Complex


The number of attempted ransomware attacks on Microsoft customers globally have grown dramatically in the last year, according to Microsoft’s Digital Defense report, released on Oct. 15. However, advancements in automatic attack disruption technologies have led to fewer of these attacks reaching the encryption stage.

Microsoft reported 600 million cybercriminal and nation-state attacks occurring daily. While ransomware attempts increased by 2.75 times, successful attacks involving data encryption and ransom demands dropped by three-fold.

The inverse proportion of launched ransomware attacks to successful ransomware attacks suggests defenses are working, said Microsoft. Source: Microsoft Defender for Endpoint

Significant attack types include deepfakes, e-commerce theft

Microsoft says it “tracks more than 1,500 unique threat groups — including more than 600 nation-state threat actor groups, 300 cybercrime groups, 200 influence operations groups, and hundreds of others.” The top five ransomware families — Akira, Lockbit, Play, Blackcat, and Basta — accounted for 51% of documented attacks.

According to the report, attackers most often exploit social engineering, identity compromises, and vulnerabilities in public-facing applications or unpatched operating systems. Once inside, they often install remote monitoring tools or tamper with security products. Notably, 70% of successful attacks involved remote encryption, and 92% targeted unmanaged devices.

Other major types of attacks included:

  • Infrastructure attacks.
  • Cyber-enabled financial fraud.
  • Attacks on e-commerce spaces, where credit card transactions don’t require the card to be physically present.
  • Impersonation.
  • Deepfakes.
  • Account takeover.
  • Identity and social engineering attacks — most (99%) of which were password theft attacks.
  • SIM swapping.
  • Help desk social engineering, where attackers impersonate customers to reset passwords or connect new devices.
  • Credential phishing, particularly through phishing-as-a-service projects. Often these are triggered by HTML or PDF attachments containing malicious URLs.
  • DDoS attacks, which caused a global outage earlier this year.

Antivirus tampering was also a major player in the previous year: Over 176,000 incidents Microsoft Defender XDR detected in 2024 involved tampering with security settings.

SEE: Ransomware actors can target backup data to try to force a payment.

Nation-state, financially motivated actors share tactics

Both financially-motivated threat actors and nation-state actors increasingly use the same information stealers and command-and-control frameworks, Microsoft found. Interestingly, financially-motivated actors now launch cloud identity compromise attacks — a tactic previously associated with nation-state attackers.

“This year, state-affiliated threat actors increasingly used criminal tools and tactics — and even criminals themselves — to advance their interests, blurring the lines between nation-state backed malign activity and cybercriminal activity,” the report stated.

Microsoft tracks major threat actor groups from Russia, China, Iran, and North Korea. These nation-states may either leverage financial threat actors for profit or turn a blind eye to their activities within their borders.

According to Tom Burt, Microsoft’s corporate vice president of customer security and trust, the ransomware issue highlights the connection between nation-state activities and financially motivated cybercrime. This problem is exacerbated by countries that either exploit these operations for profit or fail to take action against cybercrime within their borders.

Expert Evan Dornbush, former NSA cybersecurity expert, offers perspectives on the matter:

“This report signals one trend currently getting little attention and likely to define the future of cyber: the amount of money criminals can earn,” he said in an email to TechRepublic.  “Per the Microsoft report, government, as a sector, only makes up 12% of the aggressors’ targeting sets. The vast majority of victims are in the private sector.”

The sectors most targeted by nation-state threat actors this year were:

  1. IT.
  2. Education .
  3. Government.
  4. Think tanks and NGOs.
  5. Transportation.

Both attackers and defenders use generative AI

Generative AI introduces a new set of questions. Microsoft recommends limiting generative AI’s access to sensitive data and ensuring that data governance policies are applied to its use. The report outlines AI’s significant impacts on cybersecurity:

  • Both attackers and defenders increasingly use AI tools.
  • Nation-state actors can generate deceptive audio and video with AI.
  • AI spear phishing, résumé swarming, and deepfakes are now common.
  • Conventional methods of limiting foreign influence operations may no longer work.
  • AI policies and principles can mitigate some risk associated with the use of AI tools.
  • Although many governments agree on a need for security as an important factor in the development of AI, different governments pursue it in different ways.

“The sheer volume of attacks must be reduced through effective deterrence,” Burt explained, “and while the industry must do more to deny the efforts of attackers via better cybersecurity, this needs to be paired with government action to impose consequences that further discourage the most harmful cyberattacks.”

How organizations can prevent common cyberattacks

The Microsoft report contains actions organizations can take to prevent specific types of attacks. TechRepublic distilled some actionable insights that apply across the board:

  • Disrupt attacks at the technique layer, which means implementing policies such as for multi-factor authentication and attack surface reduction.
  • Similarly, use “secure-by-default” settings, which make multi-factor authentication mandatory.
  • Use strong password protection.
  • Test pre-configured security settings, such as security defaults or managed Conditional Access policies, in report-only mode to understand their potential impact before going live.
  • Classify and label sensitive data, and have DLP, data lifecycle, and Conditional Access policies around high-risk data and high-risk users.

Microsoft put its Secure Future Initiative in place this year, after the Chinese intrusion into Microsoft government email accounts in July 2023.



Source link