# Ransomware and Phishing Rates Decline, Threat Landscape Shifts

**Source:** [https://www.youtube.com/watch?v=iGE7b_XQqtY](https://www.youtube.com/watch?v=iGE7b_XQqtY)
**Duration:** 00:12:54

## Summary

- The IBM X‑Force Threat Intelligence Index highlights how insight into hacker activity—gleaned from dark‑web chatter and real‑world incidents—helps organizations build stronger defenses.
- Ransomware activity has declined for the third consecutive year, with ransom payments falling 35%, thanks in part to law‑enforcement takedowns of high‑profile ransomware groups.
- Attackers are shifting tactics from pure encryption‑for‑payment attacks to data‑theft and extortion schemes, threatening public disclosure or personal use of stolen information.
- Phishing attempts dropped by 50%, offering a temporary reprieve, but the report cautions that the underlying risk of data breaches remains and warrants continued vigilance.
- Persistent, sophisticated malware infections decreased as investments in security tools—particularly endpoint detection and response (EDR) solutions—enhanced advanced detection and mitigation capabilities.

## Sections

- [00:00:00](https://www.youtube.com/watch?v=iGE7b_XQqtY&t=0s) **IBM X-Force Threat Report Overview** - A concise walkthrough of IBM’s annual threat intelligence findings, highlighting the recent decline in ransomware payments, law‑enforcement successes, evolving attacker tactics, and a bonus dark‑web insight.
- [00:03:07](https://www.youtube.com/watch?v=iGE7b_XQqtY&t=187s) **Credential Theft and Rising Infostealers** - The speaker notes that compromised credentials remain the primary entry point for attacks, phishing overall is down but infostealer usage has surged 84%, and dark‑web discussions reveal that the top disclosed vulnerabilities are being widely shared.
- [00:06:14](https://www.youtube.com/watch?v=iGE7b_XQqtY&t=374s) **AI Production Surge Fuels New Threats** - As AI moves from proof‑of‑concept to full production, a rapidly expanding attack surface is leading to high‑profile data breaches and ransomware‑as‑a‑service incidents, underscoring the urgent need for robust AI security.
- [00:09:17](https://www.youtube.com/watch?v=iGE7b_XQqtY&t=557s) **Mitigating Sprawl with Centralized Security** - The speaker urges replacing passwords with passkeys and using automated discovery, centralized identity, and secrets management to curb data and identity sprawl—including shadow AI—thereby shrinking the attack surface before AI‑driven threats become prevalent.
- [00:12:23](https://www.youtube.com/watch?v=iGE7b_XQqtY&t=743s) **Managing Risk of Core Infrastructure Tools** - The speaker warns that essential networking and security tools pose significant threats, urging listeners to monitor advisories and keep software patched as outlined in the IBM X‑Force Threat Intelligence Index.

## Full Transcript
Information is power.
The more you know, the more you can do.
And that is especially true in the world of cybersecurity.
The more you know about what hackers are doing, the better job you can do in building defenses.
That's why the annual IBM X-Force Threat Intelligence Index Report is so important.
In this report, IBM security researchers published their findings
based upon what they've seen on the dark web
in hacker discussions, as well as in real world incident response scenarios.
In this video, we're gonna take a look at the findings, the good, the bad, and the ugly.
Oh, and also some recommendations as to what you can do to defend yourself against some of the most common attacks.
And stick around to the end for a bonus finding regarding what we learned on the dark web.
Okay, let's start with the good news.
Well, turns out ransomware was actually down.
For the third year in a row, it's been down.
And in fact, payments for ransomware situations are down 35%.
It's a lot of good news.
And also in this good news, part of the reason that these payments have gone down, and the reason ransomware maybe is not quite as prevalent, is that law enforcement has been helping us a lot here.
In fact, they've broken up a couple of very high profile ransomware rings and that's showing its effect here as well.
But we're seeing the ransomware attackers change their approach and their tactics and their goals.
So for instance, in the past, they were predominantly looking to encrypt your data and then charge you to get it back.
Now they're looking just to steal the data
and maybe extort you and say, I'm going to publicize this to the world if you don't pay me.
Or they just use the data themselves.
So there's a lot of different things that can be happening here.
It's not all good news, but there's definitely some improvement.
How about another piece of good news?
Phishing attacks, actually down 50%.
Now that is good news because phishing has been one of the number one causes of data breaches.
Doesn't mean data breaches are all gone.
In fact, don't celebrate on this one yet.
We're going to talk a little more about this when we get to the bad because there's a flip side to this one.
But it's still good to see that at least there is some improvement in this space.
And then one more bit of good news that I want to give you is that the number of persistent malware samples that were out there was down.
The number of different cases where people were able to do this kind of really sophisticated malware
that's very difficult to get rid of, we saw that go down.
And why do we think this is the case?
Well, it turns out some of your investments in terms of IT security, cybersecurity tools, it seems to be paying off.
In fact, it looks like EDR, endpoint detection and response capabilities, were contributing to this, and a better ability to do advanced detection using cybersecurity tools.
All of these contributed to causing persistent malware to have less of an effect on our environment.
All right, let's take a look at the bad.
Well, one of the things that was not good for us is that credential theft was up.
In fact, it was the number one entry point, according to our research,
and it was accounting for up to 30% of the ways that people were getting into systems.
That's a big problem.
It's easier to log in than it is to hack in, as you've heard me say on videos before.
So if I can just steal your credentials, I can get in and I can be you and I could do all the things that you can do.
It's a problem.
We still need to address this.
Related to this is the fact that even though I just told you that phishing attacks were down,
well, it turns out that of the types of attacks that are actually getting through, we're seeing an increase in a specific type,
and those are the ones that deal with infostealers.
In fact, we saw those up 84%.
Now, what's an infostealer?
Well, it's basically software that goes on your system and then it's trying to steal information about you.
For instance, credentials.
So we just talked about those.
So it could steal your login, password.
It could steal information about you as well that could later be used as part of an identity theft situation.
It could steal credit card numbers, all those kinds of things.
So information stealing is of course what the bad guys are after, and we're seeing that continue to increase.
One more set of bad things that we saw relates to the dark web.
So in our research, when we went and looked at the dark web,
we found that of the top ten vulnerabilities that were being discussed on the dark web,
all of them had publicly available exploits.
So that means these are not just theoretical threats.
These are threats that are real and people are talking about them, the people that are able and ready and willing to do something about it.
Another thing we saw was, again, so much of this is about credentials.
And in terms of credentials, we're seeing different types of services.
Yeah, there's a service.
There's a service called access as a service,
where someone basically puts up a system that is able to
steal credentials or allow you to leverage other people's existing credentials.
So access as a service is in fact a thing.
And we're seeing more of this kind of stuff that relates to attacker in the middle.
Attacker in the Middle is another way if I'm able to insert myself into the path
between where you are and where you're trying to log into,
then I may be able to intercept your credentials or other information about you.
So this is something that's been around for a long time, but we're seeing an increase in these types of activities.
Now one other area that still is kind of to be determined, and that's artificial intelligence.
What is this going to do for us or to us?
Well, in last year's report, we made an observation, and we're kind of repeating that observation again.
And that is, when a technology hits a certain point in its adoption curve,
that's when we expect to start seeing it really be exploited.
So if you think about AI, well, an AI project, the way it may go would be like this.
We've got different levels: we've got where we start off with a proof of concept, we might move into a pilot mode, then we go into production.
Well, it turns out once a technology kind of hits this sort of fifty percent, that's an inflection point.
When AI projects start moving more and more into production,
although right now I think we're seeing some in production, but we're seeing a lot that are still down in this space,
once we start seeing more and more projects go into production,
we expect that we're gonna see more and more attacks in this space.
So we're seeing early signs of it already, and here's your warning, be on the lookout for this.
Learn how to secure your AI environment because it's a new attack surface.
And now for the ugly.
In one instance, a popular AI chatbot exposed over one million sensitive records, including user chat histories and API keys.
Look, the bottom line is if you don't provide your users with a better alternative that is secure,
then they'll use one that isn't and you'll end up with results like this.
We also learned that when it comes to ransomware as a service,
yeah, that's a thing as well, ransomware as a service,
there may be no honor among thieves.
So for instance, we found in 2024, the largest breach of medical data in US history.
It affected over a hundred million users.
And it resulted in a ransom of $22 million being paid.
Well, how did this thing work?
Well, it turns out that we have what we call a ransomware as a service provider.
So the provider creates this system and then an affiliate,
someone who comes along and leverages the system and uses it in order to attack an organization.
So that's what happened.
And as I said, the 100 million user records were compromised.
They paid the ransom, 22 million, they sent it back.
And you would think then the money would go to this individual who actually launched the attack.
Nope, they got cut out of it.
As the provider ended up cutting them out of the deal,
pocketing the money themselves, and now you end up with two losers in this situation.
Okay, now we've taken a look at the good, the bad, and the ugly.
What are you supposed to do about this?
Well, I'm gonna give you three main areas of recommendations that you can
do to make yourself less likely to be a victim of these situations.
So the first one we're gonna talk about, look, I mentioned over here a lot about credentials.
The bad guys are coming for your credentials.
So what should you be doing to safeguard those?
Well, there's a lot of things in fact you can do.
Multi-factor authentication is one where you use something
you have, something you know, something you are; you combine all of those together,
but let me tell you, what's even better than having a password that is strong is not having a password at all.
Use a passkey.
I've talked about this in other videos, so you can go take a look at that.
But passkeys are a stronger alternative that are much more difficult to be phished and stolen.
So if we just remove that from the attack surface, we're already in a lot better situation.
Another area that we need to address is the sprawl, sprawl of data and identities.
So we've got data that is proliferating across our environment.
It's really easy to copy stuff, spin up a new cloud instance and put some
sensitive data in there because you're wanting to do some testing against it.
Same thing with AI.
And we can end up with shadow AI implementations
that we're not aware of that have now exposed us to some additional threats.
So be able to discover, automatically have tools that can go out and find
data in your environment, AI as it's deployed in your environment.
And when it comes to identities, those can also get sprawled a lot of different places.
So we need to be able to centralize the management of those.
We need a secrets management system where we can store all the sensitive information,
the passwords, the API keys, and the things of that sort, digital certificates, all of those kinds of things.
Do those things in a much more manageable way, and it will be much more difficult for bad guys to take advantage.
And then as I mentioned, AI is coming.
I'm sure you're aware of that.
What are we supposed to do to be prepared for that?
I put that in one of the things where we haven't seen so many attacks there yet,
so that means there's still time for us to avoid it.
So what should you be doing?
Think about AI as a development pipeline.
In fact, what we do is we have data that then is used to train a model,
and then that model is what we go against and do inferences.
So we have data, we have model, and we have usage.
We need to secure the data, we need to secure the model, we need to secure the usage.
I've got to secure every one of those things and take a look at what are the
attacks like in each one of these, because AI is a new attack surface.
So if I look at this whole thing, the other thing I conclude from this is that it runs on an IT infrastructure.
So I have to secure this basic IT infrastructure.
This is IT security 101, the stuff we've always done.
We have to keep doing that, but now we have to secure the data that
goes into training AI, the models themselves, and the usage of those things also,
and maybe even look at governance over the whole system as well.
Do all of those and you'll be in a better situation to deal with these attacks.
Now, let's take a look at what we learned on the dark web with our bonus topic.
X-Force monitors the dark web for attacker discussions.
And what they found was that the top three vulnerabilities discussed made up half of the mentions of the top 10.
So let's drill in on those three.
And what did those three elements have in common?
Well, they were all purpose-built proprietary operating systems for next-gen firewalls,
and they allowed for a remote attack to execute arbitrary code on these systems.
That means a bad guy across the world can control your infrastructure.
The reason that's scary is these tools make up the core networking and security infrastructure
for most environments, so the risk is substantial.
What should you do about these?
Well, first of all, monitor security advisories.
Secondly, keep software levels up to date.
So, in the end, that's a quick summary of the IBM X-Force Threat Intelligence Index report,
the good, the bad, and the ugly, and what you can do about it, because information is power,
and now, you have the power.