The cyber threat landscape is undergoing a significant and unsettling transformation, moving beyond traditional data theft and simple encryption. The year 2024 marked a pivotal shift in attacker focus toward intentional operational disruption, a new phase of financially motivated extortion that prioritizes sabotage and prolonged downtime to maintain maximum impact and command payment from organizations. This new approach is highly prevalent, with 86% of the incidents responded to by a leading cybersecurity firm in 2024 involving business disruption, which can include operational downtime or reputational damage. Attackers are also becoming faster and more sophisticated, amplified by automation and streamlined hacker toolkits.
The Three Waves of Extortion: From Encryption to Sabotage
The evolution of these extortion attacks can be understood in three distinct waves. The first wave was defined by file encryption, enabled by the rise of cryptocurrency, which reduced the risk for criminals. The playbook was simple: get in, encrypt files, and demand a cryptocurrency payment for the key. However, as organizations improved their data backup practices, this tactic became less effective. In 2024, nearly half (49.5%) of impacted victims were able to restore from backup, a significant increase from just 11% in 2022.
The second wave of extortion saw attackers pivot to data exfiltration and harassment. In addition to encryption, they began stealing data and threatening to leak it on dark-web marketplaces to pressure victims and generate additional revenue. While this tactic remains popular, its effectiveness has started to decline due to what is being called "data breach fatigue". Public leak site data supports this: the number of victims rose by only 2% in 2024, following a 50% increase from 2022 to 2023. Furthermore, in 2024 attackers provided proof of data deletion in only 58% of cases involving data theft, fewer than two-thirds.
We have now entered the third wave: intentional operational disruption. Attackers are going beyond encryption and data theft, visibly disrupting organizations by damaging brand reputation, harassing customers, and destroying data. This extended downtime and strain on business relationships are leveraged to demand increased payments, with the median initial extortion demand increasing by nearly 80% to $1.25 million in 2024 from $695,000 in 2023.
The Speed and Scale of Modern Intrusions
Beyond extortion, the speed of attacks is a major concern. The median time to data exfiltration was approximately two days in 2024, but this is accelerating rapidly. In a quarter of cases, the time from compromise to exfiltration was less than five hours, three times faster than in 2021. Even more concerning, in one in five cases (19%), data exfiltration took place within the first hour of compromise. Defenders are nonetheless making progress in reducing dwell time, the period an attacker is present before discovery. Dwell time in 2024 decreased by 46% to 7 days, continuing a downward trend since 2021, when it was 26.5 days.
Attacks are not confined to a single vector. In fact, 70% of incidents responded to by a major cybersecurity firm happened on three or more fronts, underscoring the need to protect endpoints, networks, cloud environments, and the human factor simultaneously. The most common fronts of attack observed were endpoints (72%), the human element (65%), and identity (63%). The web browser is a key conduit for threats, as nearly half (44%) of security incidents investigated involved malicious activity launched or facilitated through an employee's browser, including phishing and malware downloads.
Cloud and software supply chain attacks are also a growing threat. Nearly a third (29%) of cases in 2024 were cloud-related, with a significant number (21%) involving damage to cloud assets. Issues with identity and access management (IAM) are a key contributing factor, including excessive policy access, excessive permissions, and weak passwords. While the lack of multi-factor authentication (MFA) is still the most prevalent IAM issue, its frequency has decreased from about a third of cases in 2023 to a quarter of cases in 2024. Exfiltration over web services, specifically to cloud storage, is also a very common technique, observed in 45% of cases where exfiltration occurred.
The rise of insider threats is another critical trend. Nation-states are placing operatives in technical positions within international organizations to steal information and fund national initiatives. These actors exploit traditional hiring processes with stolen or synthetic identities to gain access. The number of insider threat cases tied to a specific nation-state tripled in 2024. These operatives use subtle tactics, such as hardware-based KVM-over-IP solutions, to bypass endpoint monitoring tools, and once embedded they can engage in data exfiltration, unauthorized tool deployment, and even source code alteration.
Early observations show that AI is already being harnessed to enhance attack capabilities. Generative AI (GenAI) can craft highly convincing phishing emails, automate malware development, and accelerate the entire attack lifecycle. A simulated ransomware attack showed that GenAI could reduce the time to exfiltration from a median of two days down to just 25 minutes, about 100 times faster. This rapid progression makes it extremely challenging for organizations to respond in time to mitigate damage.
A Proactive Defense Blueprint
To successfully defend against these sophisticated and rapid attacks, organizations must address three core enablers that allow adversaries to succeed: complexity, gaps in visibility, and excessive trust. Many security environments are a patchwork of disparate tools that lack integration, creating data silos. In 75% of incidents investigated, critical evidence was present in logs but was not readily accessible or effectively operationalized. Gaps in visibility are also common, with unmanaged assets and shadow IT providing easy entry points. These gaps were a contributing factor in nearly 40% of cases. Finally, excessive trust, such as overly permissive accounts and inadequate access controls, is consistently exploited by attackers to escalate their attacks. In 41% of incidents, there was at least one contributing factor related to IAM issues.
To counter these systemic issues, defenders must adopt a proactive, strategic approach. First, empower security operations to see more and respond faster by ingesting all relevant security data for a unified view and leveraging AI-driven capabilities to detect and prioritize threats at machine speed. Second, accelerate the journey to a Zero Trust model. This involves continuously verifying every user, device, and application and enforcing strict least-privilege access. Third, secure applications and cloud environments from development to runtime by integrating security early in the development lifecycle and continuously monitoring for misconfigurations and vulnerabilities. By tackling these core challenges, organizations can build resilience and maintain a decisive edge against the complex and fast-moving threats of today and tomorrow.
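The IAM weaknesses named above (excessive policy access, excessive permissions, missing MFA) and the least-privilege step of the blueprint are the kind of misconfiguration a defender can check mechanically. The following is an added example, not code from the report or from any vendor it describes: a small audit routine over AWS-style IAM policy documents that flags wildcard actions and resources and write-capable statements that do not require an MFA-authenticated session, shown against a constructed over-permissive policy and its narrowed counterpart. The two policies, the read-only verb list, and the finding labels are assumptions made for illustration; the JSON shape and the `aws:MultiFactorAuthPresent` condition key are the standard AWS ones.

```python
import json

# Constructed example: the "excessive permissions" pattern, with a full
# wildcard, a service-wide wildcard, and write access with no MFA requirement.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:*",
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    ],
}

# Constructed example: the same workload scoped to what it needs, with the
# write path gated on an MFA-authenticated session.
LEAST_PRIVILEGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/reports/*"},
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-bucket/reports/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    ],
}

# Hypothetical heuristic: action verbs with these prefixes are treated as read-only.
READ_ONLY_VERBS = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def has_mfa_condition(statement):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    cond = statement.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        flag = cond.get(operator, {}).get("aws:MultiFactorAuthPresent")
        if str(flag).lower() == "true":
            return True
    return False


def _is_read_only(action):
    """A bare '*' or a 'service:*' grants writes; otherwise inspect the verb."""
    if ":" not in action:
        return False
    verb = action.split(":", 1)[1]
    return verb.startswith(READ_ONLY_VERBS)


def audit_policy(policy):
    """Return (statement_index, finding) pairs for each Allow statement that
    grants wildcard actions/resources or write access without an MFA condition."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions:
            findings.append((idx, "wildcard_action"))
        if any(a.endswith(":*") for a in actions):
            findings.append((idx, "service_wildcard_action"))
        if "*" in resources:
            findings.append((idx, "wildcard_resource"))
        if not has_mfa_condition(stmt) and any(not _is_read_only(a) for a in actions):
            findings.append((idx, "write_without_mfa"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY),
                         ("least-privilege", LEAST_PRIVILEGE_POLICY)):
        print(name, json.dumps(audit_policy(policy)))
```

The read-only verb list is deliberately conservative: anything it does not recognise is treated as write-capable, so an unfamiliar action produces a finding to review rather than silently passing. Run against a policy exported from an account, the same routine turns the report's "excessive trust" enabler into a concrete list of statements to narrow.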