World and Russia collide as cyberthreat trends intensify
Irina Zinovkina, Head of Information Security Analytics Research at Positive Technologies
In 2024, we observed a surge in malware used against organizations. Although ransomware remains the most widespread malicious software worldwide, its dominance is slipping. Compared to 2023, its share declined by 15 percentage points and now stands at 42%. This downturn reflects a shift toward remote access tools, a pattern we first noted in early 2024. Attackers rarely bother to create their own malware from scratch and instead rely on familiar post-exploitation frameworks, tunneling utilities, and data-stealing programs.
In 2024, for the first time, we encountered scripts that appeared to be generated with LLM technology. This points to a growing willingness among attackers to leverage AI for more than just phishing, broadening the scope of their offensive capabilities.
Organizations are feeling the impact of cyberattacks more directly. In the past year, half of the incident investigations handled by our response teams uncovered significant disruption to key business operations, up from 32% in the period between 2021 and 2023. This rise in operational damage can be attributed to the increasing influence of hacktivists and profit-driven ransomware groups, who are adapting their methods and intensifying their efforts.
The trend this year shows that attackers are increasingly turning their attention to IT companies. These businesses now represent one in ten successful attacks, making them the second most frequently compromised group after government organizations. Last year, IT companies ranked fifth, so this move upward is a cause for serious concern. Our data from Russia reflect a similar pattern. IT firms there requested incident response services in 13 percent of cases this year, compared to only 8 percent previously. One reason for this shift is the rise of trusted-relationship attacks, where cybercriminals first compromise an IT company to gain entry into other industries.
2025 and the rise of exploit-as-a-service attacks
Looking ahead, organizations will have to face new threats powered by emerging technologies. Quantum computing and AI are likely to introduce challenges that go far beyond conventional phishing, and we expect new services to make cyberattacks accessible with a single click.
Another troubling possibility is the growth of Exploit-as-a-Service (EaaS) attacks. Zero-day vulnerabilities often cost millions, which keeps them out of reach for most attackers. Renting exploits, however, will bring these powerful tools into the hands of a broader range of cybercriminals. This expansion of availability will inevitably increase the number of incidents and magnify the overall threat facing organizations.
Shadowy threats shape cybersecurity strategies according to Positive Technologies
Nikolay Chursin, Head of Darkweb Threat Analysis Team at Positive Technologies
Data leaks are not the main goal of hacktivists
Hacktivist groups that used to actively publish stolen information are now less willing to do so. Instead, they are trying to monetize their activities by using ransomware in their attacks or selling the databases they obtain. Another major goal when attacking a company is to perform destructive actions within the organization's network to disrupt its operations and cause maximum damage. If geopolitical tensions persist, given the lessons learned and the changing priorities of hacker groups, companies could see an increase in attacks in which attackers go beyond simply obtaining corporate databases and making them publicly available.
AI fuels faster, more sophisticated attacks
Dark web communities are buzzing with talk of how artificial intelligence can help criminals produce malware, exploits, and phishing emails at remarkable speed. Attackers are turning to AI-driven tools that can write code, generate videos, manipulate voices, and create convincing images. This rapid evolution means they can churn out ready-to-use attack assets with minimal effort, flooding the underground market and pushing vendors to develop more unique, potent offerings. As this wave of AI-driven threats gains momentum, even low-skilled attackers can operate on a new level, forcing companies to patch vulnerabilities faster and adapt to an environment where exploit development cycles are measured in hours rather than days.
APT groups amplify their onslaught
Denis Goydenko, Head of Cybersecurity Threat Response, PT Expert Security Center, Positive Technologies
Denis Kuvshinov, Head of Threat Analysis, PT Expert Security Center, Positive Technologies
Newcomers to the cybercrime scene
In 2024, researchers at the Positive Technologies Expert Security Center uncovered five new APT groups. The catch? Many had already been operating for over a year, quietly focused on espionage and data theft. On a broader scale, global conflicts continue to fuel waves of hacktivism. During the Israeli-Palestinian conflict, 16 hacktivist groups publicly aligned with Israel, while an overwhelming 173 groups took a stand on the opposite side, amplifying the cyber battleground.
Since 2022, the PT ESC Cyberthreat Research Department has tracked 35 new hacktivist groups and 26 active APT groups, a dramatic shift from 2019 to 2021, when hacktivists barely registered as a concern. Back then, attention was squarely on 18 highly active APT groups that dominated the threat landscape.
The tactics attackers use today reveal a mix of volume and stealth. Groups like PhaseShifters, PseudoGamaredon, and Fluffy Wolf stand out for their relentless phishing campaigns aimed at data theft. On the flip side, groups such as Space Pirates, IAmTheKing, and ExCobalt have made a name for themselves by staying hidden deep within organizations' infrastructures, evading detection for extended periods and complicating mitigation efforts. It's a stark reminder that attackers aren't just evolving—they're excelling in the art of persistence and precision.
Tools adapt as cybercriminals respond to new defenses
Attackers are keeping a close eye on the headlines—and they're learning fast. Specialists at the PT Expert Security Center have noted that cybercriminals adapt their tools and methods almost immediately after researchers publish findings. Take the Hellhounds, for example. Once their activities were exposed, they scrambled to rewrite their malware code and tweak obfuscation methods to stay ahead of defenders. Then there's ExCobalt, which took things to the next level by building its own custom backdoor, GoRed, ensuring its arsenal could evolve as quickly as the threats it faces.
Positive Technologies' Incident Response experts are also seeing an uptick in attackers using tunneling utilities to burrow through compromised networks. These tools let them dodge basic security controls and stay undetected for longer, making containment a race against time.
The numbers from 2024 paint a stark picture. Out of 100 incident investigations, known APT groups had infiltrated 39% of companies. Worse still, 35% of those attacks led to encrypted or destroyed data and disrupted business processes, leaving organizations scrambling to recover.
Adding to the chaos is the rise of trusted-relationship attacks. Once rare, these breaches now account for 15% of incidents, with attackers using contractors as a backdoor into their real targets. Meanwhile, nearly half of breaches—44%—are traced back to vulnerable web applications on the network perimeter. It's a clear reminder that the weakest link often sets the stage for the biggest problems.