Financially motivated threat actors, particularly ransomware crews, have continued to dominate the cyber threat landscape worldwide, accounting for 55% of active threat groups in 2024. This represents an increase of two percentage points from 2023 and 7% from 2022, highlighting the profitability of cyber crime in today’s digital age.
According to Google Cloud’s Mandiant, which recently released its annual M-Trends report, cyber criminals are evolving into more complex, diverse, and well-equipped entities. Stuart McKenzie, Mandiant Consulting EMEA managing director, emphasized the increasing sophistication of cyber threats, with financially motivated attacks remaining prevalent. Apart from traditional ransomware and data theft schemes, the adoption of infostealer malware and the exploitation of Web3 technologies, including cryptocurrencies, are on the rise.
The utilization of artificial intelligence to automate and enhance cyber attacks has also posed significant challenges for organizations seeking to defend against such threats. McKenzie emphasized the importance of proactive threat intelligence gathering and continuous analysis to stay ahead of evolving cyber crime trends.
In terms of tactics used by threat actors to access victim environments, exploiting disclosed vulnerabilities was the most common method globally, accounting for 33% of intrusions worldwide and 39% in EMEA. This was followed by the use of legitimate credentials obtained through deception or theft, email phishing, web compromises, and revisiting prior compromises. Notably, email phishing and brute-force attacks were prevalent in EMEA compared with the global average.
Once inside target environments, threat actors took an average of 11 days globally to establish their presence, move laterally, and execute their final attack. While this dwell time increased by approximately 24 hours from 2023, it was significantly lower than the 16-day average in 2022. The adoption of AI by cyber criminals may have contributed to the decrease in dwell time, with anecdotal evidence suggesting technological factors at play.
Interestingly, median dwell times in EMEA were notably longer than the global average, lasting 27 days and indicating a higher level of persistence among threat actors in the region. When victims discovered threat actors within their IT environments, external sources such as ethical hackers, penetration testing exercises, or ransomware gangs alerted them in 57% of cases, highlighting the importance of external threat intelligence in detecting intrusions.
In contrast to financially motivated threat actors, nation-state threats – often associated with advanced persistent threat (APT) groups – accounted for just 8% of threat activity in 2024. Mandiant identified four active APT groups and 297 unclassified (UNC) groups, which could potentially be APTs but for which there is insufficient information to categorize them accurately. The overlap between APT and UNC groups underscores the challenges in differentiating between various threat actors in the cyber domain.
Although nation-state threats generate significant attention due to geopolitical implications and spycraft associations, their impact remains relatively low compared to cyber criminal activities. The evolution and classification of APT groups, such as the reclassification of Sandworm as APT44 by Mandiant, highlight the dynamic nature of threat actor classification and attribution.
Overall, the cyber threat landscape continues to evolve, with financially motivated actors leading the charge in sophisticated and lucrative cyber crime activities. Organizations must remain vigilant, gather actionable threat intelligence, and implement robust security measures to mitigate the risks posed by evolving cyber threats.