Dive Brief:
- Microsoft customers confronted nearly triple the number of ransomware attacks during the one-year period ending in June, the company said Tuesday in its Digital Defense Report.
- Microsoft observed a 275% year-over-year increase in human-operated ransomware attacks between July 2023 and June 2024. This increase in ransomware attacks was partially offset by a sustained decrease in cyberattacks reaching the encryption stage, the report found.
- “The percentage of attacks reaching actual encryption phase has decreased over the past two years by threefold,” Microsoft said in the report. “Automatic attack disruption contributed to this positive trend in decreasing successful attacks.”
Dive Insight:
While data and systems encryption is a traditional defining characteristic of ransomware attacks, many financially motivated attackers skip the step of encryption and steal sensitive data for extortion.
One of the most consequential ransomware attack sprees this year to date did not involve encryption. In April, a ransomware group compromised the Snowflake environments of more than 100 companies in a wave of attacks, resulting in widespread data theft, exposure and extortion, according to Mandiant.
Ransomware groups ramp up pressure on alleged victims by posting on data leak sites, and the number of those posts increased 67% during the first half of 2024, according to Rapid7. Threat groups claimed responsibility for ransomware attacks in 4,520 posts on data leak sites last year, a 75% increase from 2022, according to a Mandiant report in June.
Microsoft’s research underscores the persistent threat of ransomware and includes findings that exceed the latest figures provided by U.S. cyber authorities.
Earlier this month, U.S. officials said ransomware attacks increased 74%, from 2,593 global attacks in 2022 to 4,506 attacks in 2023. This year is already on track to surpass 2023’s record. “In the first half of 2024, we’re tracking 2,321 attacks,” said Laura Galante, director of the Cyber Threat Intelligence Integration Center at the Office of the Director of National Intelligence.
Attackers continue to leverage unmanaged devices for remote encryption or initial access, as 92% of successful attacks originated from unmanaged devices, Microsoft’s report found.
The most prevalent initial access techniques observed by Microsoft during the previous year include social engineering, identity compromise and exploited vulnerabilities in public-facing applications or unpatched operating systems, the company said.
“With more than 600 million attacks per day targeting Microsoft customers alone, there must be countervailing pressure to reduce the overall number of attacks online,” Tom Burt, corporate VP of customer security and trust at Microsoft, said in a Tuesday blog post on the report.
“Effective deterrence can be achieved in two ways: by denial of intrusions or by imposing consequences for malicious behavior,” Burt said. “To shift the playing field, it will take conscientiousness and commitment by both the public and private sectors so that attackers no longer have the advantage.”