Digital safety starts here for both commercial and personal use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Ransomware Gangs Increasingly Prioritize Speed and Volume in Attacks

Summary:
In 2024, ransomware groups such as Lynx, Akira, and RansomHub refined their techniques, prioritizing agility and speed over high-profile targets. According to the 2025 Cyber Threat Report by Huntress, these groups adopted a quantity-over-quality strategy, executing a larger number of attacks at an accelerated pace. Their speed was particularly concerning, as Huntress determined the average time-to-ransom across all incidents was just under 17 hours, while Akira and RansomHub often executed their ransomware payloads in approximately six hours—a stark contrast to traditional ransomware dwell times. This shift underscores how adversaries are optimizing their attack chains to minimize the window for detection and response.

Beyond ransomware, phishing attacks surged in 2024 as threat actors enhanced deception techniques to bypass traditional security measures. Attackers increasingly leveraged vishing, QR code phishing, and image-based lures to evade detection by security tools reliant on text-based analysis. Nearly 30% of phishing incidents impersonated e-signature services, with Microsoft and DocuSign being the most commonly spoofed brands. This highlights the growing reliance on business email compromise (BEC) tactics to trick employees into granting access or executing fraudulent transactions. Additionally, remote access trojans (RATs) played a key role in cybercriminal operations, with 75% of remote access incidents involving RATs such as AsyncRAT, Jupyter, and NetSupport RAT. These tools enabled adversaries to maintain persistent access, exfiltrate data, and stage further attacks, making them a core component of modern cyber intrusions.

A notable trend in 2024 was the shift away from fully automated ransomware campaigns toward hands-on-keyboard (HOK) attacks, where hackers actively manipulated compromised systems in real-time. These attacks were most prevalent during U.S. business hours, suggesting a focus on sectors with critical data and relatively weaker security postures. Among the hardest-hit industries, healthcare and education accounted for 38% of all cyber incidents, reflecting their vulnerability due to outdated systems and lower cybersecurity investments. Government agencies saw a rise in info-stealing malware, responsible for 21% of breaches, while manufacturing experienced 17% of incidents linked to malware-based attacks, often disrupting operations and supply chains. Malicious scripts also remained a top threat across industries, appearing in 22% of healthcare attacks, 24% of education breaches, and 19% of incidents affecting technology firms.

Security Officer Comments:
Ransomware groups continued refining their double extortion tactics, moving beyond simple data encryption to stealing and threatening to leak data if victims refused to pay. The report noted that 71% of ransomware incidents involved data exfiltration before encryption, a method that significantly increases pressure on victims. Attackers also demonstrated greater operational complexity, executing an average of 18 distinct actions before deploying ransomware, making it harder for defenders to detect intrusions early. Among the fastest ransomware actors, Play, Dharma/Crysis, and Akira stood out for their ability to breach, steal data, and encrypt systems within hours.


Suggested Corrections:
To mitigate these evolving threats, organizations must adopt a proactive cybersecurity approach by implementing multiple defense layers. Regular, securely stored backups remain essential to prevent data loss, while comprehensive employee training on identifying phishing attempts can reduce initial access vectors. Advanced threat detection tools, such as behavioral analytics and endpoint detection and response solutions, can help identify suspicious activity before an attack progresses. Network segmentation can limit the impact of lateral movement, and a robust patch management policy ensures vulnerabilities are promptly addressed. Additionally, multi-factor authentication (MFA) adds an extra security layer to critical accounts, reducing the risk of credential-based attacks. Organizations should also develop and test an incident response plan to minimize downtime and contain damage in the event of a breach.

Link(s):
https://www.infosecurity-magazine.com/news/ransomware-gangs-prioritize-speed/