Saturday, June 14, 2025

Financially Driven Cybercrime Continues to be the Leading Threat Source

Financially motivated threat actors, including ransomware groups, pose the biggest cyber threat globally, making up 55% of active threat groups tracked in 2024. This is a rise from 2023 and 2022, highlighting that cybercrime continues to be lucrative.

Google Cloud’s Mandiant has just released its latest M-Trends report, providing insights into the cyber security landscape. It’s no surprise that cybercrime dominates; Mandiant notes that these criminals are becoming more complex and better equipped.

“Cyber threats are growing in complexity and impacting a wide range of industries,” said Stuart McKenzie, managing director of Mandiant Consulting EMEA. “Financially motivated attacks still lead the pack. While ransomware, data theft, and extortion are significant concerns, we’re also noticing a rise in infostealer malware and exploitation of Web3 technologies, including cryptocurrencies.”

McKenzie added that AI is making these threats more sophisticated and widespread, allowing attacks to be more targeted and evasive. Organizations must gather intelligence proactively to keep up with these trends.

Last year, the most common way threat actors accessed victim environments was through exploited vulnerabilities, accounting for 33% of intrusions globally and 39% in EMEA. Following that, 16% of intrusions involved stolen credentials, 14% came from email phishing, and 9% were due to web compromises. In EMEA, email phishing led to 15% of attacks, and brute force attacks accounted for 10%.

Once inside a target environment, threat actors took an average of 11 days for reconnaissance and lateral movement before executing their plans. This “dwell time” increased by about a day from 2023 but was shorter than in 2022, possibly due to technological advances like AI. In EMEA, the median dwell time reached 27 days, five days longer than the previous year.

In 57% of cases, victims learned of a breach from external sources such as ethical hackers or threat intelligence firms. In the remaining cases, security teams uncovered it internally.

Nation-state actors often grab headlines but contribute only 8% of overall threat activity, a decline from two years ago. Mandiant tracked four active advanced persistent threat (APT) groups in 2024, along with 297 unclassified groups whose motives remain uncertain.

One active APT is APT44, known for its attacks on Ukrainian infrastructure amid Russia’s ongoing conflict. Another newly recognized group is APT45, linked to North Korea and active since roughly 2009.