Full Report
As another year comes to an end, it’s not only Santa who brings presents for those on his nice list. These days, it’s quite common for well-known firms to publish their annual roundups of the most notable events that have taken place in the cybersecurity landscape, together with predictions of what we can expect in […] The post Top three cyber threats that will persist in 2025 appeared first on Outpost24.
Analysis Summary
# Top Three Cyber Threats Expected to Persist in 2025
## Main Topic
The analysis anticipates and summarizes the *Top Three* persistent cyber threats that KrakenLabs (Outpost24’s threat intelligence unit) expects to significantly shape the cybersecurity landscape in 2025. Its scope is limited to actors thriving within the underground ecosystem whose primary goal is profit maximization.
## Key Points
- **Focus Specialization:** KrakenLabs primarily tracks threat actors dominating the underground ecosystem (forums, social media, data leak sites) who aim to maximize profits and notoriety, often excluding highly sophisticated nation-state groups.
- **Ransomware Evolution:** Ransomware remains the primary threat, characterized by high group diversity and continuous evolution.
- **Shift in Ransomware Targeting:** There is a noticeable shift from "Big-Game Hunting" (BGH) to targeting **Small and Medium-Sized Enterprises (SMEs)**, driven by the influx of less experienced actors and hacktivists attracted by the profitability.
- **Data Exfiltration Prioritization:** The success of double extortion has led to **data exfiltration alone generating high revenues**, potentially relegating the actual encryption aspect of attacks to the background.
- **Tooling and Simplicity:** Less sophisticated groups rely heavily on readily available tools, including ransomware strains built from **leaked source code** (e.g., Babuk, LockBit 3.0) and the extensive use of **Living-off-the-Land Binaries (LOLBins)** and open-source tools.
- **Credential Compromise Persistence:** The "as-a-service" model continues to foster specialization, with intermediary actors focusing solely on credential compromise, primarily using **infostealer malware**.
## Threat Actors
- **Target Group Focus:** Actors present in the underground ecosystem focused on "maximizing profits while also making a name for themselves."
- **New Entrants:** A growing participation from **less experienced actors** and **hacktivist groups** entering the ransomware space due to perceived easy money.
- **Intermediaries (Traffers):** Groups specializing in stealing credentials to sell access to other threat actors for subsequent compromises.
- **Specific Mention (Historical Context):** Cl0p group was referenced regarding their highly successful large-scale supply-chain targeting tactics.
## TTPs
- **Ransomware Extortion:** Continued reliance on **double-extortion** (encryption threat + data publication threat).
- **Ransomware Deployment:** Heavy dependence on ransomware strains derived from **leaked source code** (e.g., Babuk, LockBit 3.0).
- **Evasion/Stealth:** Heavy use of **Living-off-the-Land Binaries (LOLBins)** and open-source tools by less sophisticated actors to maintain stealth and conserve resources.
- **Credential Harvesting:** The most frequent method cited for initial access involves deploying **infostealer malware** (though older families like RedLine/Raccoon Stealer are attracting heightened law enforcement focus, new families are emerging).
- **Low-Effort Extortion:** Some actors have attempted extortion based merely on **accidentally leaked information**, without conducting a full intrusion at all.
## Affected Systems
- **Primary Target Shift:** Clear trend indicating a transition from large enterprises (BGH) towards **Small and Medium-Sized Enterprises (SMEs)**.
- **General Impact:** Organizations relying on systems vulnerable to credential theft via infostealers.
## Mitigations
*(Note: Specific, actionable patches/IoCs were not provided in the summary text, but general areas for defense based on identified TTPs are derived below)*
- **Ransomware Defense:** Implement robust controls against data exfiltration, as this alone is becoming a significant monetization vector.
- **Code Integrity:** Monitor endpoints for activity and known indicators associated with ransomware variants built from leaked source code, since these commodity strains share recognizable traits across their many derivatives.
- **Endpoint Security:** Deploy advanced detection capabilities focused on identifying the execution of common **LOLBins**.
- **Credential Protection:** Enhance monitoring and controls around credential access, especially focusing on detecting and preventing execution/distribution of **infostealer malware**.
## Conclusion
The primary threats for 2025 will be characterized by the persistence and volatility of ransomware derivatives and credential harvesting operations within the underground ecosystem. The threat landscape shows a diversification where less sophisticated actors can still achieve significant monetization by focusing on SMEs and exploiting data exfiltration techniques, often substituting complex custom malware with reliance on leaked source code and readily available LOLBins. Organizations, particularly SMEs, must prioritize detection of commodity TTPs and robust data handling policies.