Cyber threats are getting faster, smarter, and harder to detect. Whether you're in technology, finance, manufacturing, or healthcare, attackers are constantly finding new ways to breach defenses and exploit vulnerabilities. Cutting-edge tools and advanced malware are no longer the exclusive focus of these actors: people, processes, and hidden vulnerabilities offer evergreen opportunities for exploiting an organization's most valuable resources. Here's our in-depth Year in Review covering the who, what, and why of this year's most pernicious attacks.

Related Resource: 2025 Cybersecurity Forecast: Trends to Watch and How to Prepare

What Happened in 2024?

Top Targeted Sectors:

  1. Technology Sector: Technology companies remained a bullseye for cybercriminals this year. Why? Data, innovation, and the sheer value of what’s under the hood. Supply chain attacks and cloud misconfigurations gave attackers a front-row seat to sensitive information. As remote work continues to reshape the industry, gaps in third-party integrations and mismanaged servers made it easier for threat actors to sneak in. Staying ahead means thinking beyond just patching vulnerabilities – it’s about understanding the bigger picture and putting up smarter, multi-layered defenses.

  2. Finance Sector: When there’s money, there’s motive. The finance sector saw a sharp rise in phishing scams powered by AI and sophisticated ransomware campaigns. Deepfakes made impersonations almost impossible to spot, and cryptocurrency platforms gave attackers new ways to cover their tracks. With tighter regulations coming into play, financial organizations are doubling down on zero-trust security models and keeping a close eye on transaction anomalies. It’s a race to outsmart the attackers – and every second counts.

  3. Manufacturing Sector: Manufacturers took a big hit in 2024. Threat actors zeroed in on operational technology (OT) networks – those machines and systems keeping factories running 24/7. OT is often less protected than IT, and attackers know it. Ransomware brought production lines to a standstill, costing companies more than just money. With digitization on the rise, protecting manufacturing processes means investing in OT-specific defenses and being ready to respond the second something goes wrong.


Top Threat Actors Worldwide:

  1. FIN7: Also known as Carbanak, FIN7 is a sophisticated cybercriminal group primarily targeting financial institutions and businesses worldwide. Active since at least 2013, the group is notorious for orchestrating large-scale heists resulting in substantial financial losses. Its tactics include spear-phishing campaigns to deploy malware such as the GRIFFON backdoor and the POWERPLANT backdoor, enabling unauthorized access to sensitive systems.

  2. Earth Krahang: An advanced persistent threat (APT) group linked to China, active since early 2022. The group focuses on cyberespionage, primarily targeting government entities across Asia, Europe, America, and Africa. Its methods include exploiting vulnerabilities in public-facing servers and conducting spear-phishing attacks to deploy custom backdoors like RESHELL and XDealer. Notably, Earth Krahang abuses compromised government infrastructure to launch further attacks, often using legitimate government domains to lend credibility to its malicious activities.

  3. GhostSec: Also known as "Ghost Security," GhostSec is a vigilante hacker group that emerged to combat online extremism, particularly targeting ISIS-affiliated websites and social media accounts. Initially considered an offshoot of the Anonymous collective, GhostSec gained prominence after the 2015 Charlie Hebdo shooting in Paris.


Most Observed Malware Worldwide:

  1. Cobalt Strike: A legitimate penetration testing suite designed for adversary simulations and red team operations. It provides tools for covert communication, spear-phishing, and post-exploitation activities, allowing security professionals to assess the resilience of networks against attacks. Cobalt Strike is also a favorite of ransomware gangs like LockBit and Royal.

  2. Mimikatz: An open-source tool developed to demonstrate vulnerabilities in Windows authentication mechanisms. It allows users to view and extract plaintext passwords, password hashes, PIN codes, and Kerberos tickets from memory. Its misuse has been observed in various ransomware campaigns for credential dumping, allowing an attacker to quickly escalate privileges and move laterally within victim networks.

  3. LockBit: Custom malware developed by the ransomware-as-a-service operation of the same name. It is designed to spread laterally within a compromised network by exploiting vulnerabilities or using stolen credentials. Because it is also widely used by LockBit's affiliates, it is one of the more widely deployed malware tools. It is built to exfiltrate data prior to encryption, giving an attacker multiple options for extorting a victim.


Top Threat Actors and Malware used against Technology and Finance:

  • APT38: Also known as the Lazarus Group, APT38 is a North Korean state-sponsored threat group specializing in financial cyber operations. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide.

  • APT29: Also known as Cozy Bear, APT29 is a Russian threat group attributed to Russia's Foreign Intelligence Service (SVR). It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. The group is known for its stealth and sophistication, employing advanced malware platforms like "Duke" to conduct cyber espionage.

  • APT41: Also known as Double Dragon, APT41 is a Chinese threat actor known for conducting a mixture of state-sponsored espionage and financially motivated cybercrime. The group has been active since at least 2012 and has targeted various sectors, including healthcare, telecommunications, and technology, across multiple countries. It is believed to have ties to the Chinese Ministry of State Security (MSS).


The malware used in the technology sector →

  • RedLine: An information-stealing malware that uses a customizable file-grabber to collect victims' sensitive data from web browsers, applications, email and messaging apps, and cryptocurrency wallets. It is most often distributed through phishing messages.

  • Remcos: Short for "Remote Control & Surveillance," Remcos is a Remote Access Trojan (RAT) that allows attackers to remotely control and monitor compromised systems. It is typically delivered via phishing messages.

  • Mirai: Malware that infects smart devices and turns them into bots for DDoS attacks. Systems are most often infected via open, unsecured Telnet ports.


The malware used in the finance sector →

  • Lumma Stealer: An information-stealing malware that has been active since at least August 2022. It operates under a Malware-as-a-Service (MaaS) model, allowing cybercriminals to purchase and deploy it to exfiltrate sensitive data from compromised systems. It is most often distributed via deceptive CAPTCHA verification pages that trick users into executing scripts.

  • RedLine: An information-stealing malware that uses a customizable file-grabber to collect victims' sensitive data from web browsers, applications, email and messaging apps, and cryptocurrency wallets. It is most often distributed through phishing messages.

  • Remcos: Short for "Remote Control & Surveillance," Remcos is a Remote Access Trojan (RAT) that allows attackers to remotely control and monitor compromised systems. It is typically delivered via phishing messages.


Top Threat Actors and Malware used against Manufacturing:

  1. APT38: Also known as the Lazarus Group, APT38 is a North Korean state-sponsored threat group specializing in financial cyber operations. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide.

  2. APT41: Also known as Double Dragon, APT41 is a Chinese threat actor known for conducting a mixture of state-sponsored espionage and financially motivated cybercrime. The group has been active since at least 2012 and has targeted various sectors, including healthcare, telecommunications, and technology, across multiple countries. It is believed to have ties to the Chinese Ministry of State Security (MSS).

  3. APT40: Also known as Leviathan or Bronze Mohawk, APT40 is a Chinese state-sponsored cyber espionage group attributed to the Ministry of State Security's Hainan State Security Department. Active since at least 2009, the group has targeted various sectors, including academia, aerospace, biomedical, defense, government, healthcare, manufacturing, maritime, and transportation, across regions such as the United States, Canada, Europe, the Middle East, and Southeast Asia.


The malware used →

  • Cobalt Strike: A legitimate penetration testing tool designed for red team operations, providing features for adversary simulation, that has been widely adopted by threat actors for malicious purposes. It is most often delivered via phishing emails or by exploiting unpatched software vulnerabilities.

  • LockBit: A custom tool designed by the LockBit Ransomware-as-a-Service operation. It is known for exfiltrating files before encrypting them and for using multi-threaded encryption to minimize detection and stay ahead of defenders. It also includes features for automated lateral movement within systems, further reducing defenders' ability to contain it. It is most often distributed via phishing messages and by exploiting known vulnerabilities.

  • StellarInjector: A component associated with the SolarMarker malware that facilitates the injection of malicious payloads into legitimate processes. It is most often distributed via "drive-by downloads," wherein users are tricked into visiting a malicious website and downloading the malware.


Top Threat Actors and Malware used against Healthcare:

  1. APT38: Also known as the Lazarus Group, APT38 is a North Korean state-sponsored threat group specializing in financial cyber operations. Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide.

  2. APT29: Also known as Cozy Bear, APT29 is a Russian threat group attributed to Russia's Foreign Intelligence Service (SVR). It has operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. The group is known for its stealth and sophistication, employing advanced malware platforms like "Duke" to conduct cyber espionage.

  3. APT41: Also known as Double Dragon, APT41 is a Chinese threat actor known for conducting a mixture of state-sponsored espionage and financially motivated cybercrime. The group has been active since at least 2012 and has targeted various sectors, including healthcare, telecommunications, and technology, across multiple countries. It is believed to have ties to the Chinese Ministry of State Security (MSS).


The malware used →

  • QakBot: Also known as Qbot, Quackbot, and Pinkslipbot, QakBot is a sophisticated banking trojan that has been active since at least 2007. Initially designed to steal banking credentials, it has evolved into a versatile malware platform facilitating various cybercriminal activities, including ransomware distribution. It is most often distributed via phishing messages and by exploiting known vulnerabilities.

  • Strela: Also known as StrelaStealer, Strela is an information-stealing malware first identified in late 2022. It primarily targets login credentials from popular email clients, posing significant risks to both individuals and organizations. It is most often distributed via phishing messages and, once installed on a target system, uses the WebDAV protocol to stealthily download malicious components, bypassing security measures.

  • LockBit: A custom tool designed by the LockBit Ransomware-as-a-Service operation. It is known for exfiltrating files before encrypting them and for using multi-threaded encryption to minimize detection and stay ahead of defenders. It also includes features for automated lateral movement within systems, further reducing defenders' ability to contain it. It is most often distributed via phishing messages and by exploiting known vulnerabilities.

What Do All of These Attacks and Malware Mean for You?

Let's cut through the noise: the industries we focus on are under attack by state-sponsored groups for one simple reason – they have time. Time to conduct deep reconnaissance on their prospective targets. Time to uncover vulnerabilities both in the systems themselves and in the policies that shape how employees behave. And time to craft phishing campaigns designed to exploit both.

Even more telling is how they get in. Phishing and exploiting known vulnerabilities remain their go-to tactics. Why? Because targeting people is cheaper, faster, and more effective than going after well-defended systems. It’s not about breaking through the firewall; it’s about getting someone to open the door.

What does all this mean for you? It means the tools and services Avertium provides work! Attackers believe, not without good reason, that it is far easier and more cost-effective to target people, either via social engineering or by exploiting our natural aversion to basic maintenance through known vulnerabilities that have not been patched.

What Are Avertium’s Expert Predictions for 2025?

Here's what we see on the horizon: adversaries will continue to double down on targeting people. They will use generative AI tools to handle the "busy-work" of a social-engineering campaign (for example, using ChatGPT to draft an email impersonating a legitimate contact). This means that operations like LockBit and similar adversary groups will become more flexible and able to operate at the same level with fewer people.

Fewer people means fewer weak points for law enforcement to exploit, so defenders must continue to:

  • Focus their energy on training their people to spot social engineering
  • Make regular system maintenance and updates a high-priority effort
  • Maintain up-to-date asset inventories (physical and virtual), as well as up-to-date inventories of all authorized software

Avertium continues to guard against these and all other adversaries worldwide. Moving into the New Year, we reaffirm our commitment to bringing you the best security possible.

Cybersecurity doesn’t have to be scary – it just has to be smart. Let’s make sure you’re ready for what’s next. Ready to start? Reach out to Avertium today. Let’s tackle this together.

Visit Avertium.com to learn more about how our Microsoft services and tailored strategies can prepare your organization for what's ahead in 2025. Let's tackle the future together.