Sophisticated attack strategies target smaller businesses

Hackers are taking the methods and strategies tested on larger companies and applying them to organizations of every size.
Advanced evasion techniques -- once exclusive to advanced persistent threats -- have become the new normal, according to the latest threat report from Huntress. Techniques include endpoint detection and response (EDR) tampering, bring your own vulnerable driver (BYOVD) privilege escalations, and User Account Control (UAC) bypasses.
The takedown of major ransomware groups like LockBit and Dharma hasn't slowed down attacks either; indeed, it has opened the door for smaller, more agile groups and rebranded operations, which have ramped up activity since 2023.
Over the past year, Huntress has tracked ransomware incidents from Lynx, which increased by 7.9 percent, Akira by 11.6 percent, and RansomHub by 15.3 percent. These groups use an as-a-service model. By giving affiliates higher percentage payouts, often reaching 80–90 percent of the ransom, and pursuing a quantity-over-quality approach, the three groups collectively accounted for 54 percent of all ransomware incidents observed by Huntress in 2024. They rely on 'smash-and-grab' tactics: quickly deploying ransomware, demanding payment, and hitting their goals with swift and efficient network infiltration to minimize dwell time and evade detection.
"Ransomware-as-a-Service (RaaS) groups like Lynx, RansomHub, and Akira have industrialized cybercrime, adopting a 'quantity over quality' approach to maximize profits. By providing affiliates with streamlined playbooks and toolkits, they've made launching attacks deceptively simple and incredibly lucrative," says Greg Linares, principal threat intelligence analyst at Huntress. "The rise of RaaS groups such as these has led to increased attacks on businesses of all sizes with sophisticated techniques, once reserved for attacks on large enterprises, now becoming commonplace."
Education was the most targeted industry by hackers in 2024, making up 21 percent of all attacks, followed by healthcare (17 percent) and technology (12 percent).
Infostealers accounted for 24 percent of all observed incidents, highlighting their role in harvesting credentials, financial data, and sensitive information. Threat actors like Initial Access Brokers (IABs) regularly use infostealers to sell access to businesses, grouping them based on what gets stolen and increasing prices based on the freshness of the data, type of data (like session tokens), and target.
Attackers are turning to automation too: 87 percent of attacks in 2024 were automated or helped by automated tools, with hackers using malware, scripts, and other automated methods to conduct widespread, low-effort campaigns efficiently. Once attackers gained access, they moved to more focused hands-on-keyboard (HOK) activity, representing 13 percent of activity, where manual actions like lateral movement or domain enumeration were executed.
You can get the full report from the Huntress site.
Image credit: Solarseven/Dreamstime.com