Microsoft issues warning over “opportunistic” cyber criminals targeting big business
Microsoft has called on governments to do more to support organizations


More than half of cyber attacks are now motivated by extortion and ransomware, according to Microsoft, with legacy security measures no longer enough to counter the threat.
In its sixth annual Digital Defense Report, the company said attackers sought to steal data, mostly for financial gain, in 80% of the cyber incidents its security teams investigated last year.
"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for customer security and trust.
"Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."
Critical public services are a main target, the study noted. Hospitals and local governments, for example, store sensitive data and often have tight cybersecurity budgets with limited incident response capabilities.
Healthcare or other critical organizations, meanwhile, may feel greater pressure to pay a ransom because of the vital importance of their services.
Nation-state hackers are shaking up tactics
While the proportion of attacks by nation-state actors remains low, the number is growing.
China is continuing its broad push across industries to conduct espionage and steal sensitive data, and increasingly attacking non-governmental organizations (NGOs), using covert networks and vulnerable internet-facing devices to gain entry and avoid detection.
Hackers backed by the regime have also become faster at operationalizing newly disclosed vulnerabilities, Microsoft said.
Iran, meanwhile, is going after a wider range of targets than ever before, from the Middle East to North America, including recent attacks on shipping and logistics firms in Europe and the Persian Gulf that gave ongoing access to sensitive commercial data.
Notably, Russia has expanded its range beyond Ukraine, targeting small businesses in countries supporting Ukraine, perhaps viewing them as being easier to access than larger organizations.
North Korean IT workers are a serious problem
Microsoft warned that North Korea remains focused on revenue generation and espionage.
A new tactic involves thousands of state-affiliated North Korean remote IT workers applying for jobs with companies around the world, sending their salaries back to the government as remittances.
Microsoft said that, when discovered, some of these workers have turned to extortion.
"The cyber threats posed by nation-states are becoming more expansive and unpredictable. In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated," warned Hogan-Burney.
"This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."
AI tools are a cyber crime enabler
Advances in automation and readily available off-the-shelf tools have enabled cyber criminals — even those with limited technical expertise — to expand their operations significantly.
The use of AI, meanwhile, has allowed cyber criminals to accelerate malware development and create more realistic synthetic content, improving the efficiency of activities such as phishing and ransomware attacks.
More than 97% of identity attacks are password attacks, with the number surging by 32% in the first half of 2025 alone, mostly through large-scale password guessing via credential leaks.
"However, credential leaks aren’t the only place where attackers can obtain credentials. This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale," said Hogan-Burney.
"Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."
The report calls on governments to do more to help by building frameworks that signal credible and proportionate consequences for malicious activity that violates international rules.
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.