The State of Cybercrime

As cyber defenses improve and more organizations are taking a proactive approach to prevention, attackers are adapting their techniques.

Download the report Download the executive summary

13 percent of human-operated ransomware attacks now involve some form of data exfiltration

What we know about cybercrime today

Human-operated ransomware attacks nearly doubled

Microsoft’s telemetry indicates that organizations faced an increased rate of ransomware attacks compared to last year, with the number of human-operated ransomware attacks up 195 percent since September 2022.

Identity attacks have skyrocketed

Our Microsoft Entra data show that attempted password attacks increased to 4,000 per second on average.

Distributed denial of service attacks (DDoS) available for hire

The number of DDoS-for-hire platforms continues to rise, with 20 percent having emerged in the past year. In today’s world, we rely heavily on online services and DDoS attacks can render platforms inaccessible.

Remote encryption is on the rise

In a notable change from last year, we observed a sharp increase in the use of remote encryption during human-operated ransomware attacks.

What we can learn from attack notifications

Managed extended detection and response (XDR) services are invaluable resources for security operations centers to effectively detect and respond to critical incidents. When Microsoft Defender Experts observe novel tactics or attack progression, notifications are sent to our customers to provide specific information about the scope, method of entry, and instructions for remediation.

Top threats identified this year, based on notifications shared with customers:

Successful identity attacks

Attacks on identity include traditional brute-force attempts, sophisticated password spray attempts across multiple countries and IP addresses, and adversary-in-the-middle attacks.

Ransomware encounters

These include any instance of ransomware activity or attempted attacks that we have detected and prevented or alerted on, throughout the various stages of a ransomware attack.

Targeted phishing leading to compromise

Both malware phishing with intent to access devices, and adversary-in-the-middle phishing to steal identities, are on the rise.

Business email compromise

Attackers are using email conversation hijacking and mass spamming with malicious applications to commit financial fraud.

How the top attack progressions stack up

Learn more in the full report

Telemetry sources: Microsoft Defender for Endpoint, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Azure AD Identity Protection, Microsoft Defender Threat Intelligence

Insights on ransomware and extortion

Organizations are facing an increased rate of ransomware attacks, with the number of human-operated ransomware attacks up more than 200 percent since September 2022.

Remote encryption on the rise

Organizations are facing an increased rate of ransomware attacks, with the number of human-operated ransomware attacks up more than 200 percent since September 2022.

Unmanaged devices are a major target

There has been a sharp increase in the use of remote encryption. On average, 60 percent of human-operated ransomware attacks used remote encryption – a sign of attackers evolving tactics to evade detection.

Small and medium size organizations are falling victim

Between July and September 2022, around 70 percent of organizations encountering human-operated ransomware had fewer than 500 employees.

Education and manufacturing sectors are key targets

Critical infrastructure sectors experienced the most encounters, with pre-ransom notifications indicating education and manufacturing sectors as top targets.

The good news is, for organizations with a strong security posture, the likelihood of a ransomware attack succeeding is very low.

An optimal ransomware resiliency state

Microsoft’s mission to keep ourselves and our customers safe from ransomware continually evolves and grows. A resilient defense is crucial as ransomware operators increasingly shift toward hands-on-keyboard attacks that enable sophisticated cybercriminals to seek out and exploit vulnerabilities. This year, our efforts resulted in three key outcomes.

Spotlight: The five foundations of the ransomware elimination journey

We have identified five foundational principles which we believe every enterprise should implement to defend against ransomware. When fully implemented, the Foundational Five provide proven defenses across identity, data, and endpoints.

The Foundational Five

Modern authentication with phish-resistant credentials
Least Privileged Access applied to the entire technology stack
Threat- and risk-free environments
Posture management for compliance and the health of devices, services and assets
Automatic cloud backup and file-syncing for user and business-critical data

A threat- and risk-free environment is defined as an environment protected by proactive measures – through tools and technologies – to prevent ransomware. These include malware detection, endpoint detection and response (EDR), vulnerability management, SOC enablement, the enforced blocking of unhealthy devices, and brute-force protection for operating systems.

The dramatic surge in identity attacks

The number of attempted password-based attacks against cloud identities increased more than tenfold, to 4,000 attacks per second on average.

More about this diagram

Diagram displays about the dramatic surge in identity attacks

Other trends in cybercrime

Phishing trending towards high-volume adversary-in-the-middle phishing campaigns, in some instances involving millions of phishing emails being sent within 24 hours.

Distributed denial of service (DDoS) attacks are a growing battleground with services for hire and the healthcare sector a target.

Threat actors are adapting their social engineering techniques and use of technology to carry out more sophisticated and costly BEC attacks.

Read about this and more in the full report

Return on mitigation can be a useful metric to effectively target investments

During Microsoft Incident Response engagements, we found customer environments to lack mitigations that range from the simple to the more complex. In general, the lower the resources and effort involved, the higher the return on mitigation.

We calculated return on mitigation (ROM) values for different mitigations. The higher the ROM, the lower the resources and effort involved in implementing the solution for the impact and value provided.

Explore other Microsoft Digital Defense Report chapters

Introduction

The power of partnerships is key to overcoming adversity by strengthening defenses and holding cybercriminals accountable.

Learn more

The State of Cybercrime

While cybercriminals remain hard at work, the public and private sectors are coming together to disrupt their technologies and support the victims of cybercrime.

Learn more

Nation State Threats

Nation state cyber operations are bringing governments and tech industry players together to build resilience against threats to online security.

Learn more

Critical Cybersecurity Challenges

As we navigate the ever-changing cybersecurity landscape, holistic defense is a must for resilient organizations, supply chains, and infrastructure.

Learn more

Innovating for Security and Resilience

As modern AI takes a massive leap forward, it will play a vital role in defending and ensuring the resilience of businesses and society.

Learn more

Collective Defense

As cyberthreats evolve, collaboration is strengthening knowledge and mitigation across the global security ecosystem.

Learn more