Microsoft issues warning over “opportunistic” cyber criminals targeting big business
Microsoft has called on governments to do more to support organizations
More than half of cyber attacks are now motivated by extortion and ransomware, according to Microsoft, with legacy security measures no longer enough to counter the threat.
In its sixth annual Digital Defense Report, the company said attackers sought to steal data, mostly for financial gain, in 80% of the cyber incidents its security teams investigated last year.
"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for customer security and trust.
"Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."
Critical public services are a main target, the study noted. Hospitals and local governments, for example, store sensitive data and often have tight cybersecurity budgets with limited incident response capabilities.
Healthcare or other critical organizations, meanwhile, may feel greater pressure to pay a ransom because of the vital importance of their services.
Nation-state hackers are shaking up tactics
While the proportion of attacks by nation-state actors remains low, the number is growing.
China is continuing its broad push across industries to conduct espionage and steal sensitive data, and increasingly attacking non-governmental organizations (NGOs), using covert networks and vulnerable internet-facing devices to gain entry and avoid detection.
Hackers backed by the regime have also become faster at operationalizing newly disclosed vulnerabilities, Microsoft said.
Iran, meanwhile, is going after a wider range of targets than ever before, from the Middle East to North America, including recent attacks on shipping and logistics firms in Europe and the Persian Gulf that gave ongoing access to sensitive commercial data.
Notably, Russia has expanded its range beyond Ukraine, targeting small businesses in countries supporting Ukraine, perhaps viewing them as being easier to access than larger organizations.
North Korean IT workers are a serious problem
Microsoft warned that North Korea remains focused on revenue generation and espionage.
A new tactic involves thousands of state-affiliated North Korean remote IT workers applying for jobs with companies around the world, sending their salaries back to the government as remittances.
Microsoft said that, when discovered, some of these workers have turned to extortion.
"The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated," warned Hogan-Burney.
"This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."
AI tools are a cyber crime enabler
Advances in automation and readily available off-the-shelf tools have enabled cyber criminals — even those with limited technical expertise — to expand their operations significantly.
The use of AI, meanwhile, has allowed cyber criminals to accelerate malware development and create more realistic synthetic content, improving the efficiency of activities such as phishing and ransomware attacks.
More than 97% of identity attacks are password attacks, with the number surging by 32% in the first half of 2025 alone, mostly through large-scale password guessing via credential leaks.
"However, credential leaks aren’t the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale," said Hogan-Burney.
"Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."
The report calls on governments to do more to help by building frameworks that signal credible and proportionate consequences for malicious activity that violates international rules.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.
