Virtualization Technology News and Information
Intel 471 2025 Predictions: Predicting the 2025 Ransomware Landscape


Industry executives and experts share their predictions for 2025.  Read them in this 17th annual VMblog.com series exclusive.

By Michael DeBolt, Chief Intelligence Officer, Intel 471

The number of ransomware attacks has continued to trend upward and surged in particular in 2024, with the average extortion demand per attack exceeding USD 5.2 million. Ransomware actors have demonstrated a continuing ability to severely hamper critical medical systems in the U.S., affecting 100 million people in a single incident. In addition to ransomware, nation-state actors continued to pose challenges, ranging from gaining persistent footholds in critical infrastructure to building significant botnets to executing complex cyber espionage operations. All the while, law enforcement has conducted more than 30 actions aimed at disrupting ransomware and malicious actors, yet the profitability of ransomware suggests that the threat of data extortion and encrypting malware attacks will persist in 2025.

Although this is a gloomy picture, there are reasons to be positive heading into 2025. Legitimate organizations are becoming more resilient against extortion and ransomware, and there are signs that fewer organizations decide to pay, which diminishes the financial motivation of the threat actors behind the keyboard. The majority of financially motivated cybercrime can be best understood and proactively defended against by using cyber threat intelligence (CTI) to shine a light on the adversary, reveal their capabilities, know their tactics, and unearth the tools they use. CTI insights into the external threat landscape create an intelligence advantage for defenders and decision makers responsible for their organization's security and risk posture.

Defense will never be easy, but it can always be improved upon, and leveraging CTI provides an opportunity for focus and continuous refinement. Equipped with the intelligence they need, organizations can stay ahead of the fast-moving threat landscape, enabling them to maintain accurate threat assessments and help their stakeholders prioritize risk reduction efforts where it matters most.

Looking ahead to 2025, here is my perspective on the ransomware landscape based on Intel 471's historical analyses of trends and intelligence collection.

Ransomware attacks will remain steady

Ransomware and data extortion attacks are two significant operational and reputational risks to organizations, and we do not foresee a significant shift in this activity in 2025. Despite several law enforcement actions in 2024 targeting specific ransomware groups and components of the cybercrime-as-a-service economy, it remains a low-risk, high-reward type of crime that can be remotely facilitated across borders.

Precise attack figures are elusive due to gaps in cyber incident reporting schemes. However, Intel 471 counted more than 3,800 victims in 2023 and more than 3,600 victims in 2024 in reporting periods extending from the start of the year through Nov. 27. It's unlikely this slightly lower figure so far for 2024 indicates a change in the landscape, and the same volume of alleged attacks is likely through 2025. Extortion-only attacks, which involve the theft, but not the encryption, of data, will continue to be appealing to threat actors with less technical ability to conduct large-scale, network-wide encryption events.

There are anecdotal signs that attacked organizations are catching intruders earlier and, if the attack proceeds, have incident response and recovery plans that enable them to recover without paying a ransom. The era of large ransomware-as-a-service (RaaS) groups such as LockBit, which offer end-to-end tools and infrastructure for affiliates to carry out attacks, will likely decline. The LockBit group was targeted by Operation Cronos this year, a law enforcement operation that unveiled the group's alleged operator, infiltrated its systems and recovered decryption keys to help victims. Similar to running large cybercriminal forums, running a large RaaS group attracts attention from law enforcement, which has honed its skills at disrupting them.

Countering this, however, will likely be an increase in stealthier groups, which seek to profit using less prominent ransomware malware and blend in with the noise of other financially motivated actors. In 2023, ransomware actors used at least 68 variants of encrypting malware, a figure that rose to 96 as of Nov. 17, 2024. This means a more complicated scene for defenders, who must identify a diversifying set of malware strains and groups and a wider array of tactics, techniques and procedures (TTPs).

Regulatory pressures will rise

Organizations are under more pressure than ever to report cyber incidents faster and more completely than in the past. These new regulations have been propelled by consumer frustrations with data breaches, national security concerns regarding critical infrastructure and whether investors have adequate information about organizations' readiness and resilience. This means organizations will continue to have to improve their ability to accurately identify breach events, improve incident response times and streamline reporting to regulators to avoid fines or legal action.

In the U.S., the Cybersecurity and Infrastructure Security Agency (CISA) is shaping rules around the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) signed into law in 2022. The act intends to help the U.S. government collect more accurate and timely information about attacks and would require reporting of a covered incident within 72 hours and the payment of a ransom within 24 hours. The act directs CISA to develop rules around how cyber incidents should be reported, what should be reported and the time frames for reporting. Industry groups are pushing back against draft rules. With CISA Director Jen Easterly departing CISA upon President-elect Donald Trump's return to the White House Jan. 20, 2025, the rules related to CIRCIA could change, as one of Trump's campaign issues was reducing government red tape.

The European Union (EU) is also addressing the resilience of critical infrastructure with its consequential cybersecurity legislation, the Network and Information Security Directive (NIS2). NIS2 is a major shake-up of how organizations manage cyber risks, requiring proactive security policies, business continuity, vulnerability management and incident response. It requires considerable investments in cybersecurity infrastructure across the public and private sectors. NIS2 affects tens of thousands of mid-sized and large organizations in energy, transport, banking, health, water, digital infrastructure, information and communications technology (ICT) service management, public administration and space. EU member states are required to pass their own implementation laws for NIS2. Several EU states did not meet the Oct. 17, 2024, deadline but many are expected to have their own laws in place by 2025.


Published Wednesday, January 01, 2025 7:30 AM by David Marshall