Financially motivated threat actors – including ransomware crews – remain the single biggest source of cyber threat in the world, accounting for 55% of active threat groups tracked during 2024, up two percentage points on 2023 and 7% on 2022, demonstrating that cyber crime really does, to a certain extent, pay.

At least, this is according to Google Cloud’s Mandiant, which has this week released its latest M-Trends report, an annual, in-depth deep dive into the cyber security world.

The dominance of cyber crime is not in and of itself a surprise, and according to Mandiant, cyber criminals are becoming a more complex, diverse and tooled up threat in the process.

“Cyber threats continue to trend towards greater complexity and, as ever, are impacting a diverse set of targeted industries,” said Mandiant Consulting EMEA managing director Stuart McKenzie.

“Financially motivated attacks are still the leading category. While ransomware, data theft and multifaceted extortion are and will continue to be significant global cyber crime concerns, we are also tracking the rise in the adoption of infostealer malware and the developing exploitation of Web3 technologies, including cryptocurrencies. 

“The increasing sophistication and automation offered by artificial intelligence are further exacerbating these threats by enabling more targeted, evasive and widespread attacks. Organisations need to proactively gather insights to stay ahead of these trends and implement processes and tools to continuously collect and analyse threat intelligence from diverse sources.”

The most common means for threat actors to access their victim environments last year was by exploiting disclosed vulnerabilities – 33% of intrusions began in this way worldwide, and 39% in EMEA. In second place, using legitimate credentials obtained by deception or theft, seen in 16% of instances, followed by email phishing in 14% of incidents, web compromises in 9%, and revisiting prior compromises in 8%.

The landscape in EMEA differed slightly to this, with email phishing opening the doors to 15% of cyber attacks, and brute force attacks representing 10%.

Once ensconced within their target environments and able to get to work, threat actors took a global average of 11 days to establish the lay of the land, conduct lateral movement, and line up their final coup de grace.

This period, known in the security world as dwell time, was up approximately 24 hours on 2023, but down significantly on 2022, when cyber criminals hung out for an average of 16 days. Anecdotal evidence suggests that technological factors including, possibly, the adoption of AI by cyber ne’er-do-wells, may have something to do with this drop.

Interestingly, median dwell times in EMEA were significantly higher than the worldwide figure, clocking in at 27 days, five days longer than in 2022.

When threat actors were discovered inside someone’s IT estate, the victims tended to learn about it from an external source – such as an ethical hacker, a penetration testing or red teaming exercise, a threat intelligence organisation such as Mandiant, or in many instances an actual ransomware gang – in 57% of cases. The remaining 43% were discovered internally by security teams and so on. The EMEA figures differed little from this.

Read more on Hackers and cybercrime prevention

• 
  

  Warning over privacy of encrypted messages as Russia targets Signal Messenger

  By: Bill Goodwin

• 
  

  Google: Cyber crime meshes with cyber warfare as states enlist gangs

  By: Brian McKenna

• 
  

  Top 10 cyber crime stories of 2024

  By: Alex Scroxton

• 
  

  Emerging Ymir ransomware heralds more coordinated threats in 2025

  By: Alex Scroxton