The State of Cybercrime
13 percent of human-operated ransomware attacks now involve some form of data exfiltration
What we know about cybercrime today
Human-operated ransomware attacks nearly doubled
Microsoft’s telemetry indicates that organizations faced an increased rate of ransomware attacks compared to last year, with the number of human-operated ransomware attacks up 195 percent since September 2022.
Identity attacks have skyrocketed
Our Microsoft Entra data show that attempted password attacks increased to 4,000 per second on average.
Distributed denial of service attacks (DDoS) available for hire
The number of DDoS-for-hire platforms continues to rise, with 20 percent having emerged in the past year. In today’s world, we rely heavily on online services and DDoS attacks can render platforms inaccessible.
Remote encryption is on the rise
In a notable change from last year, we observed a sharp increase in the use of remote encryption during human-operated ransomware attacks.
What we can learn from attack notifications
Managed extended detection and response (XDR) services are invaluable resources for security operations centers to effectively detect and respond to critical incidents. When Microsoft Defender Experts observe novel tactics or attack progression, notifications are sent to our customers to provide specific information about the scope, method of entry, and instructions for remediation.
Top threats identified this year, based on notifications shared with customers:
Successful identity attacks
Attacks on identity include traditional brute-force attempts, sophisticated password spray attempts across multiple countries and IP addresses, and adversary-in-the-middle attacks.
Ransomware encounters
These include any instance of ransomware activity or attempted attacks that we have detected and prevented or alerted on, throughout the various stages of a ransomware attack.
Targeted phishing leading to compromise
Both malware phishing with intent to access devices, and adversary-in-the-middle phishing to steal identities, are on the rise.
Business email compromise
Attackers are using email conversation hijacking and mass spamming with malicious applications to commit financial fraud.
Insights on ransomware and extortion
Organizations are facing an increased rate of ransomware attacks, with the number of human-operated ransomware attacks up more than 200 percent since September 2022.
Remote encryption on the rise
There has been a sharp increase in the use of remote encryption. On average, 60 percent of human-operated ransomware attacks used remote encryption – a sign of attackers evolving tactics to evade detection.
Unmanaged devices are a major target
Small and medium-sized organizations are falling victim
Between July and September 2022, around 70 percent of organizations encountering human-operated ransomware had fewer than 500 employees.
Education and manufacturing sectors are key targets
Critical infrastructure sectors experienced the most encounters, with pre-ransom notifications indicating education and manufacturing sectors as top targets.
The good news is, for organizations with a strong security posture, the likelihood of a ransomware attack succeeding is very low.
An optimal ransomware resiliency state
Microsoft’s mission to keep ourselves and our customers safe from ransomware continually evolves and grows. A resilient defense is crucial as ransomware operators increasingly shift toward hands-on-keyboard attacks that enable sophisticated cybercriminals to seek out and exploit vulnerabilities. This year, our efforts resulted in three key outcomes.
The dramatic surge in identity attacks
The number of attempted password-based attacks against cloud identities increased more than tenfold, to 4,000 attacks per second on average.
Other trends in cybercrime
Phishing is trending towards high-volume adversary-in-the-middle campaigns, in some instances involving millions of phishing emails sent within 24 hours.
Distributed denial of service (DDoS) attacks are a growing battleground, with services available for hire and the healthcare sector a target.
Threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks.
Return on mitigation can be a useful metric to effectively target investments
During Microsoft Incident Response engagements, we found customer environments to lack mitigations that range from the simple to the more complex. In general, the lower the resources and effort involved, the higher the return on mitigation.
We calculated return on mitigation (ROM) values for different mitigations. The higher the ROM, the lower the resources and effort involved in implementing the solution for the impact and value provided.