Arctic Wolf: 2025 Global Cybersecurity Threat Analysis Report

Report cover

TABLE OF CONTENTS

FOREWORD
INTRODUCTION
Unsecured RDP is the root cause of the largest portion of ransomware cases
Spotlight: The usual suspects
PART 02 BUSINESS EMAIL COMPROMISE
Financial services organizations are the prime targets
Social engineering (phishing in particular) drives BEC cases
Intrusions, the first step towards greater threats
Intruders disproportionately leverage a small number of vulnerabilities
Vulnerabilities keep increasing
CONCLUSION

FOREWORD

By deliberately focusing on cyber attacks that escalated to a level of requiring an incident response

evade detection long enough to pursue actions on objective (e.g., deploying ransomware, tricking organizations into transferring funds, conducting intrusions, etc.)

from such incidents

Very broadly, we see evidence that threat actors are adapting to target stronger cybersecurity postures by looking for novel methods of attack or embracing low-tech — but effective — means of bypassing high-tech safeguards. At the same time, competition within their own ranks and better resilience on the part of their victims has ransomware operators engaging in more aggressive tactics

How do organizations protect themselves in the continuing cybersecurity arms race? By focusing on
• An adaptable security posture
• Detection and response spanning the full attack surface

Our hope is that reading this report will equip you with insights and actions

Vice President, Incident Response

KEY TAKEAWAYS

Organizations typically reserve third-party IR engagements for only the most disruptive and damaging incidents, so it's telling that our cases are dominated by ransomware (44% of cases), business email compromise (27%), and intrusions (24%). While their combined contribution is quite consistent year over year, an increase in the intrusion proportion is largely offset by a decrease in

96%

As potential victims implemented more reliable backup and restoration processes, ransomware operators introduced data exfiltration as a means to apply additional pressure and protect their revenue streams. Today, this double extortion is undeniably the norm, as 96% of ransomware incidents we investigated included this element. Nevertheless, preparedness on the part of

The well-established ransomware-as-a-service (RaaS) model has democratized access to ransomware software, intrusion tools, and — via initial access brokers — IT environments. One result is a very long tail of threat actors all vying for a piece of the cybercrime pie; as such, we observed more than 50 unique ransomware threat actors in victim environments. Like the Hydra of Greek mythology, when

In the not-too-distant past, most ransomware actors showed at least some willingness to negotiate with the victim to arrive at a workable solution. Nowadays, though, harassment and a stated refusal to negotiate are commonplace. Expert incident responders have encountered all these tactics before. Despite attackers' persistent threats and aggressive tactics, our IR professionals were able to reduce

KEY TAKEAWAYS

The finance and insurance industry accounted for 26.5% of BEC IR cases, roughly double the second-place industry (legal and government, at 13.3%). In fact, BEC accounted for 53% of IR cases pertaining to finance and insurance — the only industry for which BEC outnumbered

Why kick down the door when you already have the key, or can find someone to open it on your behalf, or — best of all — you find it unlocked to begin with? Unsecured Remote Desktop Protocol (RDP) and compromised VPN credentials are the leading root causes of ransomware and intrusions, while phishing and previously compromised credentials are behind the vast

In 76% of intrusion cases, threat actors employed at least one of 10 specific vulnerabilities, none of which were zero-days and seven of which were associated with remote access tools or other externally facing services. Vulnerability management can seem like a never-ending game of high-stakes Whac-A-Mole — but a little prioritization can take away attackers'

While zero-day exploits almost never appeared in ransomware (0.4% of cases) or BEC (0%) incidents, they represented the fifth-leading root cause in intrusions — accounting for 6% of such cases. This stark contrast suggests threat actors are selective, reserving such actions for

Accordingly, we will examine these three types in detail to provide an overview of the threat, and:
• Reveal which industries are most impacted
• Understand root causes

The IR case data is augmented with telemetry from the Arctic Wolf Aurora Platform and research from our threat intelligence team, digital forensics

However, many cyber incidents include multiple elements, as threat actors rarely execute a single action. For instance, an attacker may employ social engineering to obtain credentials which are then

Data sourcing and methodology

To enable the holistic analysis within this report, all data is aggregated without any identifying

The vast majority of these IR engagements were initiated