Industry executives and experts share their predictions for 2025. Read them in this 17th annual VMblog.com series exclusive.

By Michael DeBolt, Chief Intelligence Officer, Intel 471
The number of ransomware attacks has continued to trend upward and surged in particular in 2024, with the average extortion demand per attack exceeding USD 5.2 million. Ransomware actors have demonstrated a continuing ability to severely hamper critical medical systems in the U.S., affecting 100 million people in one incident. In addition to ransomware, nation-state actors continued to pose challenges, ranging from gaining persistent footholds in critical infrastructure to building significant botnets to executing complex cyber espionage operations. All the while, law enforcement has conducted more than 30 actions aimed at disrupting ransomware and malicious actors, yet the profitability of ransomware suggests that the threat of data extortion and encrypting malware attacks will persist in 2025.
Although this is a gloomy picture, there are reasons to be positive heading into 2025. Legitimate organizations are becoming more resilient against extortion and ransomware, and there are signs that fewer organizations decide to pay, diminishing the financial motivation for the threat actors behind the keyboard. The majority of financially motivated cybercrime can best be understood and proactively defended against by using cyber threat intelligence (CTI) to shine a light on the adversary, reveal their capabilities, know their tactics, and unearth the tools they use. CTI insights into the external threat landscape create an intelligence advantage for defenders and decision makers responsible for their organization's security and risk posture.
Defense will never be easy, but it can always be improved upon, and leveraging CTI provides an opportunity for focus and continuous refinement. Equipped with the intelligence they need, organizations can stay ahead of the fast-moving threat landscape, enabling them to maintain accurate threat assessments and help their stakeholders prioritize risk reduction efforts where it matters most.
Looking ahead to 2025, here is my perspective on the ransomware landscape based on Intel 471's historical analyses of trends and intelligence collection.
Ransomware attacks will remain steady
Ransomware and data extortion attacks are two significant operational and reputational risks to organizations, and we do not foresee a significant shift in this activity in 2025. Despite several law enforcement actions in 2024 targeting specific ransomware groups and components of the cybercrime-as-a-service economy, it remains a low-risk, high-reward type of crime that can be remotely facilitated across borders.
Precise attack figures are elusive due to gaps in cyber incident reporting schemes. However, Intel 471 counted more than 3,800 victims in 2023 and more than 3,600 victims in 2024, in reporting periods extending from the start of the year through Nov. 27. It is unlikely that this slightly lower figure so far for 2024 indicates a change in the landscape, and the same volume of alleged attacks is likely through 2025. Extortion-only attacks, which involve the theft but not the encryption of data, will continue to be appealing to threat actors with less technical ability to conduct large-scale, network-wide encryption events.
There are anecdotal signs that attacked organizations are catching intruders earlier and, if the attack proceeds, have incident response and recovery plans that enable them to recover without paying a ransom. The era of large ransomware-as-a-service (RaaS) groups such as LockBit, which offer end-to-end tools and infrastructure for affiliates to carry out attacks, will likely decline. The LockBit group was targeted by Operation Cronos this year, a law enforcement operation that unveiled the group's alleged operator, infiltrated its systems and recovered decryption keys to help victims. Similar to running large cybercriminal forums, running a large RaaS group attracts attention from law enforcement, which has honed its skills at disrupting them.
Countering this, however, will likely be an increase in stealthier groups, which seek to profit using less prominent ransomware malware and blend in with the noise of other financially motivated actors. In 2023, ransomware actors used at least 68 variants of encrypting malware, a figure that rose to 96 as of Nov. 17, 2024. This means a more complicated picture for defenders, who must identify a diversifying set of malware strains and groups and a wider array of tactics, techniques and procedures (TTPs).
Regulatory pressures will rise
Organizations are under more pressure than ever to report cyber incidents faster and more completely than in the past. These new regulations have been propelled by consumer frustrations with data breaches, national security concerns regarding critical infrastructure and questions about whether investors have adequate information about organizations' readiness and resilience. This means organizations will continue to have to improve their ability to accurately identify breach events, improve incident response times and streamline reporting to regulators to avoid fines or legal action.
In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is shaping rules around the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), signed into law in 2022. The act intends to help the U.S. government collect more accurate and timely information about attacks and would require reporting of a covered incident within 72 hours and of the payment of a ransom within 24 hours. The act directs CISA to develop rules around how cyber incidents should be reported, what should be reported and the time frames for reporting. Industry groups are pushing back against draft rules. With CISA Director Jen Easterly departing CISA upon President-elect Donald Trump's return to the White House on Jan. 20, 2025, the rules related to CIRCIA could change, as one of Trump's campaign issues was reducing government red tape.
The European Union (EU) is also addressing the resilience of critical infrastructure with its consequential cybersecurity legislation, the Network and Information Security Directive (NIS2). NIS2 is a major shake-up of how organizations manage cyber risks, requiring proactive security policies, business continuity, vulnerability management and incident response. It requires considerable investments in cybersecurity infrastructure across the public and private sectors. NIS2 affects tens of thousands of mid-sized and large organizations in energy, transport, banking, health, water, digital infrastructure, information and communications technology (ICT) service management, public administration and space. EU member states are required to pass their own implementation laws for NIS2. Several EU states did not meet the Oct. 17, 2024, deadline, but many are expected to have their own laws in place by 2025.