Sophos News: Common Malware and Abused Software

Cybercriminals targeting small and midsized businesses (SMBs) have been using a variety of tools to carry out their attacks, according to data and telemetry provided in an appendix to the Annual Threat Report by Sophos. The report revealed that ransomware dominates the malware landscape, with the top 10 ransomware variants accounting for over 25% of all incidents tracked throughout 2024. However, it was noted that nearly 60% of incidents involved threats other than ransomware.

Among the most commonly seen categories of malware detection in 2024 were command-and-control tools, malware loaders, remote administration tools, and information-stealing malware. These tools, although not classified as malware in some cases, are often utilized in the delivery of ransomware and other cybercriminal attacks. XMRig, a cryptocurrency-mining malware, was the only tool among the top 10 that did not fall into this category.

The report also highlighted dual-use tools: commercial, freeware, and open-source software that has legitimate purposes but is frequently abused by cybercriminals for malicious activities. Notable examples include Impacket and Mimikatz, which were built for security testing but have been used maliciously.

The report also discussed the prevalence of attack frameworks such as Cobalt Strike, Sliver, and Metasploit, which are typically used for penetration testing but are also employed by cybercriminals to deliver malware and conduct command-and-control activities. Cobalt Strike was identified as the most heavily used of these tools, present in a significant number of incidents in 2024.

Information stealers were highlighted as a crucial component of cyberattacks, providing cybercriminals with valuable data for fraud and ransomware schemes. Lumma Stealer emerged as the most frequently encountered information stealer in incidents tracked by Sophos, with a notable increase in activity in late 2024. It was observed that Lumma Stealer primarily targets cryptocurrency wallets and browser data.

In terms of ransomware threats, LockBit, Akira, and RansomHub were identified as significant players in the cyber threat landscape. LockBit, initially disrupted by law enforcement in early 2024, saw a resurgence in activity through variants based on leaked code. Akira, a ransomware-as-a-service group, remained active throughout the year, often exploiting VPN vulnerabilities for initial access. RansomHub became a leading source of ransomware incidents, encrypting and exfiltrating data from numerous victims.

Overall, the Sophos Annual Threat Report appendix sheds light on the diverse and evolving tactics used by cybercriminals to target SMBs, emphasizing the importance of cybersecurity measures to protect against these threats. By staying vigilant and implementing robust security practices, businesses can mitigate the risk of falling victim to cyberattacks.
