## Regional Threat Landscape
Cyberattacks recorded a sharp year-over-year increase in 2024, with volume and targeting patterns varying significantly by region.
| Region | YoY Increase | Weekly Attack Average | Primary Targets |
|---|---|---|---|
| Latin America | +53% | 2,667 | Finance, public services |
| Africa | +37% | 2,960 (highest frequency) | Infrastructure, telecoms |
| Asia-Pacific (APAC) | +23% | N/A | Manufacturing, technology |
Africa maintains the highest absolute attack frequency despite a lower growth rate than Latin America, suggesting an already-elevated baseline threat environment. APAC targeting reflects adversary interest in large-scale industrial and technology databases.
## Sector-Specific Vulnerabilities
**Manufacturing:** The most targeted sector for ransomware, accounting for 29% of cases. The primary exploitation surface is Operational Technology (OT), which frequently runs legacy systems with limited patching cadence.
**Education and Research:** Persistently targeted due to the combination of high-value intellectual property and underfunded security infrastructure. The asymmetry between data sensitivity and defensive investment makes this sector a reliable opportunity for threat actors.
**Healthcare:** Faces a dual threat profile: ransomware disrupting critical operations and data breaches exposing protected health information (PHI). Regulatory exposure and patient safety implications make this sector a high-priority target and an urgent candidate for security investment.
## Emerging Tactics and Trends
**AI-Powered Attack Automation:** Adversaries are operationalizing artificial intelligence and machine learning to automate reconnaissance, phishing content generation, and exploit development. Defensive programs must incorporate equivalent proactive capabilities to reduce mean time to detect (MTTD) and mean time to respond (MTTR).
**Evolved Ransomware, Beyond Encryption:** Ransomware operations have shifted from single-stage encryption to multi-stage extortion models. Double extortion combines encryption with the threat of public data disclosure. Triple extortion extends this by adding pressure through DDoS or direct contact with victims' clients or partners.
**Supply Chain Exploitation:** Adversaries are increasingly targeting third-party vendors and software providers as a vector to bypass the hardened perimeters of primary targets. This approach allows mass compromise through a single trusted entry point.
## Primary Attack Vectors
### 1. Ransomware
Ransomware is malicious software that encrypts victim data and demands payment, typically in cryptocurrency, in exchange for a decryption key.
**Mechanics:** Initial access is commonly achieved through phishing campaigns or exploitation of unpatched software vulnerabilities. Following access, actors deploy ransomware payloads and exfiltrate data prior to encryption to enable extortion leverage.
#### MITRE ATT&CK Alignment
- Initial Access: Phishing (T1566)
- Execution: User Execution (T1204)
- Impact: Data Encrypted for Impact (T1486)
- Exfiltration: Exfiltration Over C2 Channel (T1041)
**Ransomware-as-a-Service (RaaS):** RaaS is a subscription or affiliate model in which ransomware developers license their tooling to operators. This lowers the technical barrier to entry and significantly increases the volume of active campaigns.
#### Key Threat Actors
| Actor | Notable Characteristics |
|---|---|
| REvil | Popularized the double extortion model |
| Conti | Targeted critical infrastructure including finance and education |
| LockBit | Dominant RaaS affiliate program; known for rapid encryption speed |
**CTI Role:** Analysts track encryption algorithm evolution, monitor threat actor data leak sites, and profile affiliate behavior to inform organizational defense postures. IOC-based blocking of known C2 infrastructure is a core Tactical CTI output for active ransomware campaigns.
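As an added illustration of the IOC-based blocking described above (example code written for this page, not the page's own or any vendor's tooling), the Python below matches web proxy log lines against a small indicator set. The indicator domains, IP ranges and log lines are all constructed for the example and use reserved documentation ranges and TLDs; the point it makes is that domain indicators need suffix matching (a subdomain of a C2 domain is a hit, a look-alike that merely contains the string is not) and that IP indicators are best held as networks so a single /24 entry covers the whole range.

```python
import ipaddress
import re

# Constructed indicator set (assumed, not real IOCs). Domains use reserved
# TLDs and addresses come from RFC 5737 documentation ranges.
IOC_DOMAINS = {"update-checker.example", "cdn-sync.invalid"}
IOC_IPS = {ipaddress.ip_address("198.51.100.7")}
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed proxy log: "<timestamp> <client-ip> <method> <host> <status>"
SAMPLE_PROXY_LOG = """\
2024-05-02T10:01:07Z 10.0.4.21 GET www.example.com 200
2024-05-02T10:01:09Z 10.0.4.21 POST api.update-checker.example 200
2024-05-02T10:01:12Z 10.0.4.33 GET 203.0.113.45 404
2024-05-02T10:01:15Z 10.0.4.33 GET notupdate-checker.example 200
2024-05-02T10:01:20Z 10.0.4.50 CONNECT 198.51.100.7 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def domain_matches(host, ioc_domains):
    """True if host equals an indicator domain or is a subdomain of one.

    'notupdate-checker.example' must NOT match 'update-checker.example',
    so the comparison is exact-or-dotted-suffix, never a substring test."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)


def ip_matches(host, ioc_ips, ioc_networks):
    """True if host is an IP literal that is a listed address or inside a listed network."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an IP literal
    return addr in ioc_ips or any(addr in net for net in ioc_networks)


def scan_proxy_log(text):
    """Return (timestamp, client, host, match_type) for every line touching an IOC."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        ts, client, _method, host, _status = m.groups()
        if domain_matches(host, IOC_DOMAINS):
            hits.append((ts, client, host, "domain"))
        elif ip_matches(host, IOC_IPS, IOC_NETWORKS):
            hits.append((ts, client, host, "ip"))
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("IOC hit: %s client=%s host=%s (%s)" % hit)
```

Three of the five constructed lines are hits: the subdomain of a listed domain, an address inside the listed /24, and the listed single address. The look-alike on the fourth line is correctly ignored. In production the same matcher would feed a block rule or a SIEM alert, and the indicator set would be refreshed from the feed the CTI team maintains for the campaign.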
### 2. Nation-State Supported Cyber Warfare
Nation-state operations are government-sponsored campaigns designed to achieve political, economic, or military objectives. These operations are typically classified as Advanced Persistent Threats (APTs) due to their long-term dwell time and use of custom tooling.
#### Characteristics
- Extended dwell time within target networks, often measured in months or years
- Custom-built implants and evasion techniques
- Objectives range from intelligence collection to disruption of critical infrastructure
#### MITRE ATT&CK Alignment
- Persistence: Valid Accounts (T1078), Scheduled Task/Job (T1053)
- Defense Evasion: Obfuscated Files or Information (T1027)
- Collection: Data from Information Repositories (T1213)
- Command and Control: Application Layer Protocol (T1071)
#### Notable Threat Groups
| Group | Attributed Sponsor | Primary Focus |
|---|---|---|
| APT28 / APT29 | Russia | NATO entities, government agencies, election interference |
| Lazarus Group | North Korea | Financial institutions, cryptocurrency exchanges |
| APT41 | China | State espionage combined with financially motivated operations |
| Charming Kitten | Iran | Political institutions, Middle East regional targets |
**CTI Role:** Analysts identify and document TTPs, develop and disseminate indicators of compromise (IOCs), and support threat hunting operations targeting long-duration intrusions. TTP profiling and hunt hypothesis generation are primary outputs of Operational CTI.
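One concrete hunt hypothesis that follows from the TTPs listed above (Application Layer Protocol, T1071, sustained over a long dwell time) is that an implant checking in with its C2 server produces outbound connections at a far more regular cadence than a human user does. The Python below, an added example written for this page rather than code from the page or any tool it names, groups flow records by (source, destination) pair and flags pairs whose inter-connection gaps have low relative jitter. The flow records are constructed for the example and use RFC 5737 documentation addresses.

```python
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Constructed flow records (timestamp, src, dst); not from any real capture.
# 10.0.4.50 -> 192.0.2.10 checks in roughly every 60 s; 10.0.4.21 browses irregularly.
SAMPLE_FLOWS = [
    ("2024-05-02T10:00:00Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:01:01Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:02:00Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:02:59Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:04:02Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:05:00Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:06:01Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:07:00Z", "10.0.4.50", "192.0.2.10"),
    ("2024-05-02T10:00:05Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:00:07Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:03:40Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:03:41Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:12:15Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:12:50Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:25:00Z", "10.0.4.21", "192.0.2.20"),
    ("2024-05-02T10:25:02Z", "10.0.4.21", "192.0.2.20"),
]


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_beacons(flows, min_connections=6, max_jitter=0.2):
    """Return (src, dst) pairs whose connection cadence looks machine-driven.

    jitter = stdev(gaps) / mean(gaps). A sleep-based implant with a fixed
    interval sits near 0; interactive traffic is typically well above 1.
    Thresholds are assumptions for the example and must be tuned per network."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(parse_ts(ts))

    findings = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_connections:
            continue  # too few samples to say anything about cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.stdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": src, "dst": dst, "count": len(times),
                "period_s": round(mean_gap, 1), "jitter": round(jitter, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_FLOWS):
        print("candidate beacon: %(src)s -> %(dst)s every ~%(period_s)ss "
              "(%(count)d connections, jitter %(jitter)s)" % f)
```

Only the first pair is reported, with a period of about 60 seconds. This is a hunt lead, not an alert on its own: legitimate software also polls on a timer (time sync, update checks, monitoring agents), so the result is normally joined against an allowlist of known destinations and enriched with the destination's reputation before an analyst looks at it. Mature implants add random sleep jitter precisely to defeat this check, which is why the threshold is a tuning parameter rather than a constant.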
### 3. Zero-Day Exploits
Zero-day exploits target software vulnerabilities that are unknown to the vendor at the time of exploitation. By definition, no patch exists at the point of use, rendering signature-based defenses ineffective.
#### Exploitation Workflow
- Vulnerability discovery (internal research or acquisition via underground markets)
- Exploit development
- Deployment against target before vendor awareness or patch issuance
#### Detection Methods
- Behavioral anomaly analysis at endpoint and network layers
- Monitoring of dark web forums and exploit broker markets for early indicators of vulnerability sales
#### MITRE ATT&CK Alignment
- Exploitation for Client Execution (T1203)
- Exploitation of Remote Services (T1210)
- Exploit Public-Facing Application (T1190)
#### Notable Users
| Actor | Associated Activity |
|---|---|
| Equation Group | Linked to EternalBlue; high-level espionage operations |
| DarkHotel | Targeting of high-profile individuals via compromised hotel networks |
**CTI Role:** Supports risk assessment by prioritizing assets likely to be targeted. Monitors underground markets to provide early warning before broad deployment of newly discovered exploits. This early warning intelligence feeds directly into Strategic CTI for executive risk reporting and resource allocation.
### 4. Supply Chain Attacks
Supply chain attacks compromise a trusted third-party vendor or software provider to gain indirect access to a larger, more hardened target organization.
**Strategy:** Rather than attacking a primary target's perimeter directly, adversaries identify and exploit the weakest link in the supply chain, typically a software update mechanism or a managed service provider with privileged access to multiple clients.
#### MITRE ATT&CK Alignment
- Initial Access: Trusted Relationship (T1199), Supply Chain Compromise (T1195)
- Persistence: Compromise Software Supply Chain (T1195.002)
- Lateral Movement: Software Deployment Tools (T1072)
**Major Incident, SolarWinds:** In the SolarWinds attack, adversaries injected malicious code into the Orion platform software update pipeline. Organizations that applied the legitimate-appearing update unknowingly installed a backdoor (SUNBURST), granting attackers persistent access to thousands of networks, including U.S. federal agencies.
#### Attacker Advantages
| Factor | Description |
|---|---|
| High Stealth | Updates delivered from trusted vendors are frequently accepted without deep inspection |
| Mass Impact | A single compromised vendor can provide simultaneous access to thousands of downstream clients |
**CTI Role:** Focuses on third-party risk management frameworks, software bill of materials (SBOM) analysis, and code integrity monitoring to detect anomalous injections within trusted update packages. Deep forensic analysis of implants like SUNBURST is a core Technical CTI function.
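The two defensive controls named above, SBOM analysis and code integrity monitoring, can be shown side by side. The Python below is an added example written for this page, not code from the page, from SolarWinds or from any SBOM tool. It diffs two CycloneDX-style SBOM fragments (constructed; component names, versions and hash values are placeholders) and separates routine version bumps from the case worth escalating, a component whose hash changed while its declared version did not. It then shows the consumer-side digest check of a release artifact against a vendor manifest, with the vendor side simulated in the same block so the example runs offline.

```python
import hashlib
import hmac
import json

# Constructed CycloneDX-style SBOM fragments for two builds of a hypothetical
# product. Component names and hash values are placeholders, not real artifacts.
SBOM_PREVIOUS = json.loads("""
{"components": [
  {"name": "libfoo",    "version": "1.4.2", "hashes": [{"alg": "SHA-256", "content": "aaaa"}]},
  {"name": "netclient", "version": "2.0.0", "hashes": [{"alg": "SHA-256", "content": "bbbb"}]},
  {"name": "tlslib",    "version": "3.1.0", "hashes": [{"alg": "SHA-256", "content": "cccc"}]}
]}""")

SBOM_CURRENT = json.loads("""
{"components": [
  {"name": "libfoo",           "version": "1.4.3", "hashes": [{"alg": "SHA-256", "content": "dddd"}]},
  {"name": "netclient",        "version": "2.0.0", "hashes": [{"alg": "SHA-256", "content": "eeee"}]},
  {"name": "tlslib",           "version": "3.1.0", "hashes": [{"alg": "SHA-256", "content": "cccc"}]},
  {"name": "telemetry-helper", "version": "0.1.0", "hashes": [{"alg": "SHA-256", "content": "ffff"}]}
]}""")


def index_components(sbom):
    """Map component name -> (version, sha256) for quick comparison."""
    out = {}
    for comp in sbom["components"]:
        sha = next((h["content"] for h in comp.get("hashes", []) if h["alg"] == "SHA-256"), None)
        out[comp["name"]] = (comp["version"], sha)
    return out


def diff_sboms(previous, current):
    """Classify every component change between two builds.

    A hash change without a version change means the vendor declares nothing
    changed but the bytes did; that is the class of change to escalate."""
    old, new = index_components(previous), index_components(current)
    report = {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "version_changed": [],
        "hash_changed_same_version": [],
    }
    for name in sorted(set(old) & set(new)):
        (old_ver, old_sha), (new_ver, new_sha) = old[name], new[name]
        if old_ver != new_ver:
            report["version_changed"].append((name, old_ver, new_ver))
        elif old_sha != new_sha:
            report["hash_changed_same_version"].append(name)
    return report


def publish_manifest(artifact: bytes) -> dict:
    """Simulated vendor side: record the SHA-256 of the build the pipeline emitted."""
    return {"sha256": hashlib.sha256(artifact).hexdigest()}


def verify_artifact(artifact: bytes, manifest: dict) -> bool:
    """Consumer side: accept the update only if its digest matches the manifest."""
    actual = hashlib.sha256(artifact).hexdigest()
    return hmac.compare_digest(actual, manifest["sha256"])


if __name__ == "__main__":
    print(json.dumps(diff_sboms(SBOM_PREVIOUS, SBOM_CURRENT), indent=2))
    release = b"constructed update package bytes"
    manifest = publish_manifest(release)
    print("clean package verifies:", verify_artifact(release, manifest))
    print("tampered package verifies:", verify_artifact(release + b"\x00", manifest))
```

The diff reports one added component, one version bump and one same-version hash change (netclient), which is the entry a reviewer should open first. The digest check catches tampering between the vendor and the consumer, but it cannot catch the scenario described for SolarWinds, where the malicious code entered the build pipeline itself: the vendor's own manifest then describes the backdoored build, and the check passes. That is why the page pairs integrity checking with SBOM review; component-level comparison across builds is one of the few consumer-side signals that survives a compromised pipeline.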
## Comparative Threat Assessment
| Threat Type | Primary Goal | Stealth Level | Detection Difficulty |
|---|---|---|---|
| Ransomware | Financial gain, extortion | Low to Moderate (noisy post-encryption) | Moderate (signature and behavioral analysis) |
| Nation-State (APTs) | Espionage, strategic advantage | Very High (designed for long-term persistence) | High (requires deep TTP analysis and threat hunting) |
| Zero-Day Exploits | System access, data theft | Extreme (exploits unknown vulnerabilities) | Extreme (traditional defenses are largely blind) |
| Supply Chain | Mass infiltration via trusted access | High (concealed within legitimate software) | High (requires code integrity and vendor auditing) |
## Analysis Summary
Ransomware remains the most frequent and operationally visible threat class, driven by the scalable economics of the RaaS model. Entry barriers are low, and the financial incentive is high.
Nation-state actors represent the most persistent threat profile. These groups prioritize stealth and longevity over speed, often maintaining access for extended periods to maximize intelligence collection without triggering detection.
Zero-day exploits are the most technically sophisticated and resource-intensive vector. Their high acquisition cost means they are deployed selectively by elite threat actors, typically in high-value, targeted operations.
Supply chain attacks represent a strategic evolution in adversary thinking. Rather than confronting hardened perimeter defenses directly, actors have redirected effort toward compromising the trusted tooling and vendor relationships that organizations rely on daily. This approach scales impact while reducing direct exposure to the primary target’s security controls.
