Phishing emails delivering infostealers surge 84%

Cybercriminals continued to shift to stealthier tactics, with lower-profile credential theft spiking, while ransomware attacks on enterprises declined, according to IBM.

Researchers observed an 84% increase in emails delivering infostealers in 2024 compared to the prior year, a method threat actors relied heavily on to scale identity attacks.

70% of attacks in 2024 involved critical infrastructure. In this subset, the use of valid accounts made up 31% of initial access vectors, followed by phishing and exploiting public facing applications, both at 26%. Malware was deployed in 40% of cases and ransomware was the malware of choice, occurring in 30% of malware deployments.

More cybercriminals opted to steal data (18%) than encrypt it (11%) as advanced detection technologies and increased law enforcement efforts pressure cybercriminals to adopt faster exit paths.

Nearly one in three incidents observed in 2024 resulted in credential theft, as attackers invest in multiple pathways to quickly access, exfiltrate and monetize login information.

“Cybercriminals are most often breaking in without breaking anything – capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, Global Managing Partner of Cybersecurity Services at IBM. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multi-factor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”

Legacy technology leaves critical infrastructure open to attack

Reliance on legacy technology and slow patching cycles prove to be an enduring challenge for critical infrastructure organizations as cybercriminals exploited vulnerabilities in more than one-quarter of incidents in this sector last year.

In reviewing the common vulnerabilities and exposures (CVEs) most mentioned on dark web forums, IBM found that four out of the top ten have been linked to sophisticated threat actor groups, including nation-state adversaries, escalating the risk of disruption, espionage and financial extortion.

Exploit codes for these CVEs were openly traded on numerous forums —fueling a growing market for attacks against power grids, health networks and industrial systems. This sharing of information between financially motivated and nation-state adversaries highlights the increasing need for dark web monitoring to help inform patch management strategies and detect potential threats before they are exploited.

In 2024, researchers observed an uptick in phishing emails delivering infostealers and early data for 2025 reveals an even greater increase of 180% compared to 2023. This upward trend fueling follow-on account takeovers may be attributed to attackers leveraging AI to create phishing emails at scale.

Credential phishing and infostealers have made identity attacks cheap, scalable and highly profitable for threat actors. Infostealers enable the quick exfiltration of data, reducing their time on target and leaving little forensic residue behind. In 2024, the top five infostealers alone had more than eight million advertisements on the dark web and each listing can contain hundreds of credentials.

Threat actors are also selling adversary-in-the-middle (AITM) phishing kits and custom AITM attack services on the dark web to circumvent MFA. The availability of compromised credentials and MFA bypass methods indicates a high-demand economy for unauthorized access that shows no signs of slowing down.

Downtrend in ransomware incidents

Ransomware comprises 28% of malware incident response cases and 11% of security cases, representing a decline over the last several years. This likely reflects an evolution in defensive tactics, such as increased collaboration with law enforcement, to take down the infrastructure of prominent botnets linked to ransomware attacks.

As a result of these takedowns, we have seen increased diversification and turnover in the malware activity of actors associated with cybercrime groups such as ITG23, (Wizard Spider, TrickBot Group), ITG25 (Lunar Spider, IcedID), and ITG26 (Qakbot, Pikabot).

Previously well-established malware families linked to these groups are no longer operational and we have seen threat actors turn to other malware, including new and short-lived families, as cybercrime groups attempt to replace botnets that were taken down.

AI security holds steady

While large-scale attacks on AI technologies didn’t materialize in 2024, security researchers are racing to identify and fix vulnerabilities before cybercriminals exploit them. Issues like the remote code execution vulnerability discovered in a framework for building AI agents will become more frequent.

With adoption set to grow in 2025, so will the incentives for adversaries to develop specialized attack toolkits targeting AI, making it imperative that businesses secure the AI pipeline from the start, including the data, the model, the usage, and the infrastructure surrounding the models.

The APAC region experienced the most attacks in 2024, accounting for 34% of all incidents investigated. Attackers frequently employed malware-ransomware (22%), recon/scanning tools (11%), and server access (11%) as their primary actions on objective.

The North America region was second in terms of incidents investigated, accounting for 24% of incidents in 2024. The most common actions on objective included tool-remote access (17%), malware-backdoor (17%), and server access (13%), signaling attackers’ focus on system control and data exfiltration.