Navigating the New Frontier: Key Cyber Threats, Exploits, and Tools of 2024
The cyber threat landscape in 2024 underwent a significant transformation, characterized by the increasing sophistication and adaptability of threat actors. Attacks previously reserved for large enterprises are now being standardized and applied to businesses of all sizes, effectively narrowing or eliminating the gap in attack sophistication between large corporations and smaller entities. This report provides a detailed analysis of the key adversarial behaviors, techniques, and trends observed, particularly highlighting the escalating risks for non-enterprise businesses and managed service providers (MSPs). Attackers have demonstrated remarkable adaptability, leveraging more sophisticated tools, tactics, and techniques across a wide range of industries, including healthcare, technology, education, government, and manufacturing.
The Evolving Face of Ransomware
2024 was a tumultuous year for ransomware operations, marked by significant disruptions due to global collaboration among cybersecurity groups, law enforcement, and private researchers. Notable takedowns and disruptions of major groups like LockBit, Dharma/Crysis, Hive, and Phobos reshaped the landscape.
This disruption led to the fragmentation of ransomware groups into smaller, more agile affiliate networks. Groups like RansomHub and INC/Lynx emerged as dominant forces, collectively accounting for a significant portion of incidents. These newer affiliates have attracted hackers by offering significantly higher payouts, often reaching 80-90% of the ransom paid. RansomHub, INC/Lynx, and Akira alone represented 54% of observed ransomware incidents and are notable for targeting small to medium-sized businesses, prioritizing quantity over quality.
Perhaps the most significant shift in ransomware strategy observed in 2024 was the pivot from traditional data encryption to data theft and extortion. Groups like BianLian have opted to exfiltrate and extort targets for their data rather than deploying ransomware for encryption. This change is seen as a cost-saving tactic by criminals, a response to improved detection and remediation efforts for ransomware mechanisms, the availability of decryption tools, and more resistant backup strategies. As defenses against encryption have improved, attackers are becoming more aware of these circumstances and are increasingly choosing to steal data and hold it for ransom. This trend underscores the critical need for improved data loss prevention, network monitoring, and general security awareness.
Analyzing the Time-To-Ransom (TTR)—the average time from initial access to ransomware deployment—revealed varying methodologies among groups. The overall average TTR was nearly 17 hours. Some groups, like Play, Dharma/Crysis, and Akira, favored rapid "smash-and-grab" techniques, deploying ransomware in around six hours. Others, like Cl0p and Medusa, adopted slower, more deliberate approaches. The number of malicious actions performed before ransomware deployment also varied: extortion-focused groups typically conducted more reconnaissance, privilege escalation, pivoting, data harvesting, and exfiltration than groups focused on rapid encryption. Exfiltration often continued right up to the point of ransoming, with attackers using methods like RAR/ZIP bundling or encrypted P2P services for data transfer.
Impactful Vulnerabilities Driving Exploitation
Traditional exploitation of vulnerabilities remained a critical initial access vector in 2024, particularly in non-enterprise environments that may not have the same level of hardening as larger corporations. Several specific vulnerabilities were heavily exploited:
- ConnectWise ScreenConnect (CVE-2024-1709 & CVE-2024-1708): This was the most actively observed traditional exploitation campaign in 2024, accounting for two-thirds of such incidents. CVE-2024-1709 was a critical authentication bypass (CVSS score 10.0) allowing remote attackers to bypass authentication, followed by CVE-2024-1708, a path traversal vulnerability used to execute arbitrary code and compromise on-premise servers. This led to a massive spike in incidents, particularly in February 2024, where nearly 41% of monthly detections occurred in a single day. LockBit notably spearheaded a major campaign during this time, attempting to push their ransomware onto vulnerable systems, accounting for nearly 88% of the observed payloads.
- CrushFTP (CVE-2024-4040): This zero-day authentication bypass vulnerability was exploited to steal credentials and gain system access. After its patch in April 2024, widespread exploitation occurred, with attackers using it to jailbreak from the virtual file system and overwrite system files, often targeting AutoRun entries for persistence. Patching difficulties with CrushFTP's update system left thousands of servers exposed.
- ProxyShell Exchange (CVE-2021-31207): Despite being over three years old, this Microsoft Exchange vulnerability continued to be targeted in several campaigns throughout 2024. Attackers exploited it to gain elevated privileges and launch webshells from mailbox servers, enabling remote command execution, typically to upload malware. Huntress identified two major synchronized campaigns exploiting this CVE in early 2024.
- Bring Your Own Vulnerable Driver (BYOVD): This technique saw a significant resurgence in 2024 and was used extensively by ransomware and RAT variants. While over 90% of BYOVD usage in non-enterprise environments was for privilege elevation to gain complete system control and persistence, it was also used to disable third-party defenses and protected processes by exploiting vulnerable drivers like Truesight, Process Explorer (AUKill), and HRSword. This method is expected to become a standard feature in malware going into 2025.
Pervasive Attacker Tools and Techniques
Attackers in 2024 relied heavily on a mix of specialized tools and the abuse of legitimate software to achieve their objectives:
- Remote Access Trojans (RATs): RATs remained the leading means of remote access delivery, involved in 75% of incidents where remote access was achieved. AsyncRAT, Jupyter RAT, and NetSupport RAT were the most common families, accounting for one-third of all RAT types seen. Jupyter RAT, in particular, demonstrated evolution, transforming from a banking-focused infostealer in 2020 to a sophisticated multi-stage backdoor with advanced remote access capabilities by 2024.
- Remote Monitoring and Management (RMM) Tool Abuse: The abuse of commercial RMM tools surged, becoming the second-most used method for attackers to control compromised devices and accounting for 17.3% of all remote access methods. Attackers abused trusted applications like ConnectWise ScreenConnect, TeamViewer, and LogMeIn for stealthy persistence and lateral movement. This was often achieved by hijacking existing RMM software or deploying their own modified versions. ConnectWise (ScreenConnect) abuse was particularly prevalent, seen in three out of four RMM incidents.
- Malicious Scripts: Malicious scripts were observed in 22% of incidents, making them a close second to infostealers in overall frequency. They were heavily used for malicious code execution, persistence, and lateral movement. PowerShell was the preferred scripting language, used 45% of the time across all scenarios. Batch scripting and malicious JavaScript were also major languages abused.
- "Living Off the Land" Binaries (LOLBins) and Administrative Tools: Adversaries increasingly relied on legitimate administrative tools and LOLBins for evasion and persistence, reducing their dependence on malicious executables. This technique was widespread and used for lateral movement, credential access (19.3% of incidents involving credential access), and defense evasion. Common examples abused include rdrleakdiag, netsh, ntdsutil, diskshadow, PsExec, WMI, Net.exe, ProcDump, Cmdkey, Reg SAM dumps, and ComSvcs. While comprehensive hacking suites like Cobalt Strike saw a decline in overall usage, specialized tools like Mimikatz (for password dumping) and the Sysinternals Suite (especially PsExec, AD Explorer, SDelete) remained popular for various malicious activities.
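Because these binaries are legitimate, detection has to pair each tool with the switch or target that separates credential access from routine administration. The following is an added example, not part of the report: the event shape is a cut-down Sysmon-style record, and the hostnames, users, redacted arguments and rule names are all constructed.

```python
"""Flag the credential-access LOLBin patterns the report lists in
process-creation telemetry. Added example, not from the report; the
event shape is a cut-down Sysmon-style record and all values are constructed.
"""
import re

# Rule name -> patterns that must ALL match the lowercased command line.
# Each pairs a tool the report names with the switch or target that makes
# its use credential access rather than routine administration.
RULES = {
    "rdrleakdiag full dump": [r"\brdrleakdiag\b", r"/fullmemdmp"],
    "comsvcs MiniDump":      [r"comsvcs\.dll", r"minidump"],
    "ntdsutil IFM media":    [r"\bntdsutil\b", r"\bifm\b"],
    "diskshadow scripted":   [r"\bdiskshadow\b", r"\s/s\b"],
    "reg hive save":         [r"\breg(\.exe)?\b", r"\bsave\b", r"hklm\\(sam|system|security)\b"],
    "procdump of lsass":     [r"\bprocdump", r"\blsass\b"],
}

def match_rules(cmdline):
    """Return the names of every rule whose patterns all hit the command line."""
    text = cmdline.lower()
    return [name for name, pats in RULES.items() if all(re.search(p, text) for p in pats)]

def triage(events):
    """Return one (host, user, rules) tuple per event that trips a rule."""
    alerts = []
    for e in events:
        hits = match_rules(e["cmdline"])
        if hits:
            alerts.append((e["host"], e["user"], hits))
    return alerts

# Constructed sample telemetry; hosts, users and <redacted> arguments are made up.
SAMPLE_EVENTS = [
    {"host": "ws-01", "user": "CORP\\a.lee",
     "cmdline": r'reg.exe query "HKLM\Software\Example" /v Version'},
    {"host": "ws-01", "user": "CORP\\a.lee",
     "cmdline": r"netsh advfirewall show allprofiles"},
    {"host": "dc-01", "user": "CORP\\svc_backup",
     "cmdline": r"ntdsutil.exe <redacted> ifm <redacted> q q"},
    {"host": "ws-09", "user": "CORP\\b.kim",
     "cmdline": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump <pid> <path> full"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The benign reg query and netsh call fall through because neither carries the second token a rule requires, which is the point of pairing tool and target rather than alerting on the binary name alone.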
- Infostealers: Representing nearly a quarter (24%) of all observed incidents, infostealers highlighted attackers' persistent focus on harvesting credentials, financial information, and sensitive data. Specific infostealers like Meduza, Strela (targeting technology companies), and Chromeloader (prevalent in education) were noted. Infostealers often served as the initial access point leading to subsequent human-driven attacks.
- Phishing Techniques: Phishing remained a primary means of initial access and reconnaissance, with attackers increasing the sophistication of their tactics. Notable phishing themes included e-signature impersonation (the most prevalent at 28.8%), the use of image-based content (23.9%) to bypass text filters, embedding QR codes (8.1%) to avoid link scrutiny (a trend expected to escalate), voicemail luring (4.9%), fake reply chains (2.1%), and Living Off Trusted Sites (LoTS) (7%), which leverages legitimate platforms like Dropbox to host malicious links in shared documents. Microsoft 365 users were heavily targeted, with Microsoft-branded emails making up nearly 40% of brand impersonation incidents, followed closely by DocuSign (nearly 25%).
Defense Evasion and Identity Threats
Attackers are increasingly incorporating defense evasion and security bypass techniques as standard features in their toolkits. While simple file/command obfuscation and registry manipulation were common, more advanced methods like BYOVD and UAC bypasses have become the norm, even in non-enterprise attacks. EDR tampering was observed, with attackers using various methods like registry modifications, file tampering, elevated process exclusion, or malicious scripts to disable or hinder defenses. BYOVD usage, while capable of EDR tampering, was more frequently used for privilege elevation in non-enterprise settings due to potentially less sophisticated defenses.
Attacks targeting Microsoft 365 environments became more prevalent and sophisticated. Identity threats were significant, with nearly half of detected incidents stemming from access rule violations (e.g., restricted VPNs, unauthorized geolocations). Specific identity threats included:
- Inbox Rule Modifications: Attackers often modified rules to persist, communicate with C2, or siphon emails, frequently moving content to folders like RSS Feeds (over 50% of malicious activity) or Conversation History.
- Token Theft: Attempts to hijack or steal user tokens for session mimicry accounted for nearly 6% of identity incidents. Attackers often failed to match the victim's OS (over a third of attempts) but were more successful at identifying location.
- Credential Theft: Attackers stealing credentials often accessed resources directly or with MFA bypasses, frequently using mismatching OS (nearly half the time) and less insight into location compared to token theft attempts.
- VPN and Proxy Abuse: Cybercriminals abused VPNs and proxies to conceal their IP addresses and bypass geolocation rules. NordVPN was the most abused service, accounting for 20% of detected incidents, followed by SurfEasy and ExpressVPN.
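Two of these signals are directly checkable from tenant audit logs. As an added example that is not from the report, the following triage flags inbox rules that move mail into RSS Feeds or Conversation History and sign-ins whose OS differs from the account's usual device; the simplified record shape, user names and baseline are all constructed assumptions.

```python
"""Triage simplified Microsoft 365 audit records for two identity signals:
inbox rules that hide mail in RSS Feeds or Conversation History, and sign-ins
whose OS differs from the account's usual device (a token-theft indicator).
Added example, not from the report; record shape and values are constructed."""
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history"}
RULE_OPS = {"New-InboxRule", "Set-InboxRule"}

def suspicious_rule(rec):
    """Return why an inbox-rule record looks like persistence, or None."""
    if rec["Operation"] not in RULE_OPS:
        return None
    params = {p["Name"]: str(p["Value"]) for p in rec.get("Parameters", [])}
    if params.get("MoveToFolder", "").strip().lower() in HIDE_FOLDERS:
        return f"moves mail to '{params['MoveToFolder']}'"
    if params.get("DeleteMessage", "").lower() == "true":
        return "deletes matching mail"
    if any(params.get(k) for k in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")):
        return "forwards mail out of the mailbox"
    return None

def os_mismatch(rec, baseline):
    """Return a note if a sign-in's OS differs from the user's baseline, or None."""
    expected, seen = baseline.get(rec["UserId"]), rec.get("OS")
    if rec["Operation"] == "UserLoggedIn" and expected and seen and seen.lower() != expected.lower():
        return f"signed in from {seen}, baseline is {expected}"
    return None

def triage(records, baseline):
    """Return (UserId, Operation, reason) for every record that trips a check."""
    alerts = []
    for rec in records:
        reason = suspicious_rule(rec) or os_mismatch(rec, baseline)
        if reason:
            alerts.append((rec["UserId"], rec["Operation"], reason))
    return alerts

# Constructed sample data: one benign rule, one hiding rule, two sign-ins.
BASELINE = {"a.lee@example.test": "Windows", "b.kim@example.test": "MacOS"}
SAMPLE = [
    {"UserId": "a.lee@example.test", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "Receipts"}, {"Name": "MoveToFolder", "Value": "Expenses"}]},
    {"UserId": "a.lee@example.test", "Operation": "New-InboxRule", "Parameters": [
        {"Name": "Name", "Value": "."}, {"Name": "MoveToFolder", "Value": "RSS Feeds"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"UserId": "b.kim@example.test", "Operation": "UserLoggedIn", "OS": "Windows"},
    {"UserId": "a.lee@example.test", "Operation": "UserLoggedIn", "OS": "Windows"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, BASELINE):
        print(alert)
```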
Conclusion
The 2024 cyber threat landscape highlights a dynamic and challenging environment where attackers are highly adaptable. The fragmentation of ransomware groups, the shift towards data theft and extortion, the widespread exploitation of critical vulnerabilities like ScreenConnect and CrushFTP, and the pervasive abuse of legitimate tools like RATs, RMMs, and LOLBins underscore the urgent need for robust defenses. The increasing sophistication of phishing techniques and the rise in attacks targeting cloud services like Microsoft 365 further complicate the defensive posture.
To mitigate these escalating risks, organizations of all sizes must implement comprehensive defenses, including endpoint monitoring, proactive and timely patching, enhanced access controls, vigilant monitoring of RMM tools, robust data loss prevention, network monitoring, and mandatory security awareness training tailored to evolving phishing techniques. Stay vigilant and resilient.