‘An Alarming Rate’
“Ransomware continues to evolve at an alarming rate,” the researchers wrote in their report, adding that the number of attacks on critical infrastructure organizations – which they said represented a “dramatic rise” last year – will likely expand even more in 2025.

“As long as there is a high likelihood of the bad actors making money and a low likelihood of them getting caught, the attacks will certainly continue,” they wrote.

The number of ransomware incidents in 2024 rose by about 500 year-over-year. The researchers added that the increase reflected not only growing aggressiveness by ransomware groups but also better tools used by IT-ISAC to track them.
AI Use on the Rise
In addition, the growth is not only in the number of attacks but also in the sophistication of the tools and techniques being used. Along those lines, the use of AI by ransomware groups will expand as they look to create more sophisticated attacks and streamline their operations. IT-ISAC researchers pointed to the FunkSec group as an example.

The group emerged last year and, in December, claimed more than 85 victims on its leak site. It is using AI to avoid detection and launch highly sophisticated ransomware attacks, analyze the security posture of a target, and self-modify its behavioral patterns. It then changes tactics in real time to bypass traditional security protections. The use of AI also allows less-skilled bad actors to run complex attacks.

“As AI evolves, ransomware attackers can employ its capabilities to unleash further advanced and targeted attacks that could lead to an increased number of victims and the severity and impact of such attacks as we move on into 2025,” the report found. “As a result, the sophistication of ransomware campaigns may improve to the point where traditional security measures may not be enough.”
MSSPs and TIPs
The researchers also pointed out that, as threat actors adopt AI to launch attacks, the cybersecurity industry is also integrating the emerging technology into its products. That includes MSSPs. Jawahar Sivasankaran, president of cybersecurity firm Cyware, told MSSP Alert that MSSPs are using threat intelligence platforms (TIPs), which can detect and assess risk, spot anomalous behaviors, and automate threat hunts, all at machine speed.

A TIP can also aggregate AI-enhanced threat intelligence from multiple sources and distribute it in near-real time through a standard protocol, such as TAXII.

“Leveraging AI as a tool to turn the tables on adversaries is the right approach with cyberthreat intelligence management,” Sivasankaran said. “Both the added revenue stream and the deeper value that MSSPs provide customers are improving their operational ROI and bringing MSSPs more fully armed to the AI battle, with deeper value to customers.”
Names to Remember
RansomHub, which rose in prominence after law enforcement operations against the likes of LockBit and BlackCat/ALPHV, was the most active group, responsible for 391 attacks, followed by LockBit 3.0’s 276 attacks, Akira (268), Play (213), and Hunters (148). In addition, 57% of the attacks in 2024 were in the United States, by far the number-one target (the UK came next, with 4.6% of the attacks).

It’s a reflection of the United States’ standing as an economic and technological powerhouse, though IT-ISAC researchers expect other regions to feel more impact in 2025.

“Countries with expanding digital infrastructures could face an increase in threats as they adopt new technologies,” they wrote. “Moreover, emerging markets with rapidly growing internet access and digital services could become new hotspots for ransomware actors in the coming year.”
Information is Power
It’s part of a larger ransomware landscape that the researchers expect will be even more active this year as threat groups increase their exploitation of zero-day vulnerabilities to gain access to targeted systems and refine their data exfiltration techniques. They noted that groups like Akira and Hunters already are using such tools as RClone and FileZilla to encrypt and steal data.

The researchers outlined steps organizations can take to reduce their risk and speed recovery if they’re attacked, including backing up data, system images, and similar information; updating and patching promptly; segmenting networks; and pushing third parties to improve their security.

Companies also can work with competitors and threat intelligence groups via collective defense efforts like sector-specific ISACs, Cyware’s Sivasankaran said, adding that doing this “grants organizations greater visibility into exploitable vulns and threats the business faces, allowing for more efficient and effective threat intelligence management and proactive response.”

Governments also play a role, according to the Foundation for Defense of Democracies (FDD), including pushing “export controls on enabling technologies to restrict the computing power and sophistication of AI platforms built by authoritarian countries.” The United States also needs to hold adversaries like Russia accountable for its state-supported attacks “by creating a formal designation similar to state sponsors of terrorism but for ‘state sponsors of cybercrime,’” Annie Fixler, FDD research fellow and director of its Center on Cyber and Technology Innovation, wrote in a blog post.
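The report’s observation that groups such as Akira and Hunters lean on RClone and FileZilla for exfiltration points to a straightforward hunting check defenders can run over process-creation telemetry: flag executions of those tools by accounts that are not approved to run them, and call out rclone transfer verbs on the command line. The script below is an added example written for this article, not code from the IT-ISAC report or from MSSP Alert; the key="value" log format, host names, user accounts, file paths and the approved-account list are all constructed for illustration.

```python
"""Flag executions of the file-transfer tools named in the IT-ISAC report
(RClone and FileZilla) in process-creation logs.

Added example for this article. The log format, hosts, accounts and
approved-account list below are constructed, not taken from any product
or from the report."""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Tools the report names as used by groups such as Akira and Hunters.
WATCHLIST = {"rclone.exe", "rclone", "filezilla.exe", "filezilla"}

# Constructed: accounts permitted to run these tools (e.g. a backup service).
APPROVED_ACCOUNTS = {"CORP\\svc-backup"}

# rclone sub-commands that move data; a space on each side avoids matching
# the word inside a path or remote name.
RCLONE_TRANSFER_VERBS = (" copy ", " sync ", " move ")

# Constructed log format: space-separated key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    user: str
    image: str
    reason: str


def parse_event(line: str) -> Dict[str, str]:
    """Turn one constructed-format log line into a field dict."""
    return dict(FIELD_RE.findall(line))


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> Optional[Alert]:
    """Return an Alert if the event is a suspicious transfer-tool execution."""
    image = basename(event.get("Image", ""))
    if image not in WATCHLIST:
        return None
    user = event.get("User", "")
    if user in APPROVED_ACCOUNTS:
        return None  # sanctioned use, e.g. the backup job
    # Pad with spaces so a verb at the end of the line still matches.
    cmd = " " + event.get("CommandLine", "").lower() + " "
    if image.startswith("rclone") and any(v in cmd for v in RCLONE_TRANSFER_VERBS):
        reason = "rclone transfer verb on command line"
    else:
        reason = "watchlisted transfer tool run by non-approved account"
    return Alert(event.get("UtcTime", ""), event.get("Computer", ""),
                 user, image, reason)


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run evaluate() over every parseable line and collect the alerts."""
    alerts: List[Alert] = []
    for line in lines:
        event = parse_event(line)
        if not event:
            continue
        alert = evaluate(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry: two expected hits, one sanctioned use, one benign.
SAMPLE_LOG = [
    'UtcTime="2025-01-14 02:13:05" Computer="FS01" User="CORP\\jdoe" '
    'Image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe" '
    'CommandLine="rclone.exe copy D:\\Finance remote:backup --transfers 8"',
    'UtcTime="2025-01-14 02:14:10" Computer="FS01" User="CORP\\svc-backup" '
    'Image="C:\\Program Files\\rclone\\rclone.exe" '
    'CommandLine="rclone.exe sync D:\\Shares cloud:shares"',
    'UtcTime="2025-01-14 02:20:44" Computer="WS22" User="CORP\\asmith" '
    'Image="C:\\Program Files\\FileZilla FTP Client\\filezilla.exe" '
    'CommandLine="filezilla.exe"',
    'UtcTime="2025-01-14 02:21:00" Computer="WS22" User="CORP\\asmith" '
    'Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a.timestamp} {a.host} {a.user} {a.image}: {a.reason}")
```

Run against the constructed sample it reports two alerts: the rclone copy from a user’s Temp directory and the FileZilla launch by a non-approved account, while the backup service’s rclone sync and the notepad event are ignored. In a real deployment the approved-account list and the watchlist would come from the organization’s own inventory, and the image-name match should be paired with a hash or signer check, since renaming the binary defeats a name-only rule.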