Financially motivated cyber crime remains biggest threat source

Mandiant’s latest annual threat report reveals data on how financially motivated cyber criminals, such as ransomware gangs, dominate the cyber security landscape

Alex Scroxton

Alex Scroxton,
Security Editor

Published: 23 Apr 2025 21:34

Financially motivated threat actors – including ransomware crews – remain the single biggest source of cyber threat in the world, accounting for 55% of active threat groups tracked during 2024, up two percentage points on 2023 and 7% on 2022, demonstrating that cyber crime really does, to a certain extent, pay.

At least, this is according to Google Cloud’s Mandiant, which has this week released its latest M-Trends report, an annual, in-depth deep dive into the cyber security world.

The dominance of cyber crime is not in and of itself a surprise, and according to Mandiant, cyber criminals are becoming a more complex, diverse and tooled up threat in the process.

“Cyber threats continue to trend towards greater complexity and, as ever, are impacting a diverse set of targeted industries,” said Mandiant Consulting EMEA managing director Stuart McKenzie.

“Financially motivated attacks are still the leading category. While ransomware, data theft and multifaceted extortion are and will continue to be significant global cyber crime concerns, we are also tracking the rise in the adoption of infostealer malware and the developing exploitation of Web3 technologies, including cryptocurrencies.

“The increasing sophistication and automation offered by artificial intelligence are further exacerbating these threats by enabling more targeted, evasive and widespread attacks. Organisations need to proactively gather insights to stay ahead of these trends and implement processes and tools to continuously collect and analyse threat intelligence from diverse sources.”

The most common means for threat actors to access their victim environments last year was by exploiting disclosed vulnerabilities – 33% of intrusions began in this way worldwide, and 39% in EMEA. In second place, using legitimate credentials obtained by deception or theft, seen in 16% of instances, followed by email phishing in 14% of incidents, web compromises in 9%, and revisiting prior compromises in 8%.

The landscape in EMEA differed slightly to this, with email phishing opening the doors to 15% of cyber attacks, and brute force attacks representing 10%.

Once ensconced within their target environments and able to get to work, threat actors took a global average of 11 days to establish the lay of the land, conduct lateral movement, and line up their final coup de grace.

This period, known in the security world as dwell time, was up approximately 24 hours on 2023, but down significantly on 2022, when cyber criminals hung out for an average of 16 days. Anecdotal evidence suggests that technological factors including, possibly, the adoption of AI by cyber ne’er-do-wells, may have something to do with this drop.

Interestingly, median dwell times in EMEA were significantly higher than the worldwide figure, clocking in at 27 days, five days longer than in 2022.

When threat actors were discovered inside someone’s IT estate, the victims tended to learn about it from an external source – such as an ethical hacker, a penetration testing or red teaming exercise, a threat intelligence organisation such as Mandiant, or in many instances an actual ransomware gang – in 57% of cases. The remaining 43% were discovered internally by security teams and so on. The EMEA figures differed little from this.

Nation-state threats: Noisy but less impactful

Nation-state threat actors, or advanced persistent threat (APT) groups create a lot of noise and generate a lot of attention in the cyber security world by dint of the lingering romance associated with spycraft, and in more practical terms, the fractious global geopolitical environment.

However, compared to their cyber criminal counterparts, they represent just 8% of threat activity, which is actually a couple of percentage points lower than it was two years ago.

Mandiant tracked four active advanced persistent threat (APT) groups in 2024, and 297 unclassified (UNC) groups – meaning not enough information is really available to make a firm bet on what they are up to, so this could include potential APTs.

There is significant overlap in this regard and, Mandiant has on occasion upgraded some groups to full-fledged APTs – such as Sandworm, which now goes by APT44 in its threat actor classification scheme.

APT44 is one of the four active APTs observed in 2024. Infamous for its attacks on Ukrainian infrastructure in support of Russia’s invasion, APT44 has long supported the Kremlin’s geopolitical goals and was involved in some of the largest and most devastating cyber attacks to date, including the NotPetya incident.

Also newly designated in 2024 was APT45, operating on behalf of the North Korean regime and described by Mandiant as a “moderately sophisticated” operator active since about 2009.