From Remote Ransomware To Adversarial AI: How Small Businesses Were Targeted By Cybercriminals In 2024
Data-focused threats to small businesses increased in 2024, with new tactics and practices observed by Sophos.

Ransomware, long an existential cyber threat to small and mid-sized businesses, continued to pose a serious threat in 2024, according to the recent Sophos Annual Threat Report.
In 2024, ransomware cases made up 70% of Sophos incident response cases for small businesses and more than 90% for mid-sized businesses.
Nearly 30% of all events recorded by Sophos for small and mid-sized enterprises involved ransomware and data theft attempts. Despite a minor decrease in occurrences over the past year, the overall cost of ransomware attacks increased.
Data-focused threats to small businesses increased in 2024, with new tactics and practices observed by Sophos. These included compromised network edge devices, abuse of software-as-a-service platforms, compromise of business emails due to phishing of credentials, and fraudulent apps with malware.
Trends In Cybercrime Techniques, Tactics And Practices
According to Sophos, these were the major trends in cybercrime in 2024:
Remote Ransomware Grows: In these "remote" ransomware attacks, the ransomware never runs directly on the computers holding the files; it accesses and encrypts files on other devices via network file-sharing connections. Sophos found that use of remote ransomware increased 50% in 2024 over the year before, and 141% since 2022.
Social Engineering Via Teams Vishing: Threat actors began utilising a mix of technical and social engineering attacks against organisations using Microsoft 365 (previously Office 365) in the second half of 2024, especially in the fourth quarter. These attacks used email bombing followed by a fake technical support call over Microsoft Teams to target users.
MFA Phishing: In MFA phishing, the phishing platform steals credentials and passes them to the cybercriminal, who can target sites and gain access. MFA phishing platforms operating in 2024 included Dadsec-derived Tycoon, along with Rockstar 2FA and FlowerStorm (both using Telegram as a channel), compromising a large number of accounts.
Adversarial AI: Phishing emails are one instance where generative AI has been used. Content filters that detect signatures in spam and phishing emails can be circumvented by using large language models like ChatGPT to generate grammatically accurate content in a format that can differ depending on the target.
Quishing: In quishing attacks observed by Sophos, emails carried PDF attachments containing QR codes that purportedly offered secure access to a document. However, the QR code actually led to a fake document-sharing website used for phishing.
Malvertising And SEO Poisoning: Using malicious web advertisements continued to be a favoured method for distributing malware. Sophos observed a browser hijacking campaign linked to Google search malvertising in the second half of 2024. The campaign used keywords that targeted people looking to download a PDF tool, which led to downloads of malicious files. Malvertising was associated with many malware campaigns of 2024: DanaBot, Lumma Stealer, and GootLoader.
EDR Killers: EDR killers are tools that exploit kernel drivers to gain access to the operating system and kill endpoint security software so that ransomware or other malware can be deployed. Various would-be EDR killers were used by ransomware actors in 2024, most notably EDRSandBlast, which was used in multiple attempted ransomware attacks throughout the year.