Darktrace, a global leader in AI for cybersecurity, has published its 2024 Annual Threat Report.
HIGHLIGHTS:
- Malware-as-a-Service (MaaS) accounted for 57% of all cyber threats detected – marking the continued growth of Cybercrime-as-a-Service (CaaS) models
- Ransomware payments rose dramatically to $US2.73 million per case (up $US1 million from 2023), despite fewer overall incidents
- Threats detected against Operational Technology and Critical Infrastructure more than doubled
- Edge device vulnerabilities became a primary attack vector, with major campaigns exploiting Ivanti, Palo Alto Networks, and Fortinet devices
- Living-off-the-Land (LOTL) techniques saw increased adoption, with attackers leveraging native Windows tools to evade detection
Quotes attributable to Darktrace Field CISO, Tony Jarvis:
“Darktrace detected a phishing attack nearly every second in 2024 and, with 70 per cent of malicious emails bypassing standard authentication checks, Australian organisations need to understand two things.
“AI has supercharged the abilities of threat actors to deliver highly-sophisticated attacks at unprecedented speed and scale. That means humans can no longer be relied on as the last line of defence.
“It’s no longer a matter of if a cyberattack will happen, but when. Only through harnessing AI in their security stacks can organisations defend themselves.”
OT and critical infrastructure are under attack
- Significant increase in sophisticated attacks against Critical National Infrastructure (CNI)
- State-sponsored attacks surge
- OT/ICS attacks more than doubled from the previous year
- Energy sector was targeted over three times more frequently than other critical sectors
- Healthcare sector saw a shift from encryption-based ransomware to data exfiltration attacks
Email security
- 30.4 million phishing emails detected across Darktrace’s global customer base
- 70% of malicious emails passed DMARC authentication
- 55% bypassed existing security layers
- 96% used previously established domains rather than new ones
- Growing trend of legitimate service abuse (Zoom, QuickBooks, HelloSign, Adobe, SharePoint)
Ransomware
A dramatic surge in ransomware costs is creating unprecedented pressures in Australian boardrooms, with the average attack now costing organisations $US2.73 million – a million-dollar increase from last year. This mounting financial threat comes as cybercriminals increasingly leverage everyday business tools such as SharePoint and QuickBooks, forcing ASX-listed companies to reassess their cyber insurance coverage and security investments. This release would explore how Australian businesses are grappling with these escalating costs while trying to maintain operational resilience in an increasingly hostile digital environment.
Supporting data:
- Average ransomware payment rose to $US2.73 million, a $US1 million increase from 2023
- 96% of malicious emails used previously established domains
- Documented abuse of legitimate business services including Zoom, QuickBooks, HelloSign, Adobe, and Microsoft SharePoint
- 55% of malicious emails passed through all existing security layers
- Data showing RaaS (Ransomware-as-a-Service) model is increasing, lowering barriers to entry for attackers
The rise of RansomHub
A new ransomware group called RansomHub has emerged as a significant threat to organisations across the Asia-Pacific region, bringing sophisticated attack methods and a ruthless double-extortion strategy. The group has already targeted approximately 500 organisations globally, with concerning implications for Australian businesses. This technical analysis would explore RansomHub’s tactics, techniques, and procedures, examining how they’re exploiting vulnerabilities in common enterprise systems and what this means for Australia’s cybersecurity landscape.
Supporting data on RansomHub:
- Targeted approximately 500 organisations globally
- Uses sophisticated double extortion tactics
- Exploits vulnerabilities in Windows, Linux, ESXi and NAS systems, including Zerologon
- Uses legitimate tools like Atera and Splashtop for command and control
- Uses NetScan for reconnaissance
- Only accepts Bitcoin and Monero for ransom payments
- Notable attacks including Mexico’s presidential legal counsel and Scottish housing society
Energy infrastructure
Energy infrastructure operators are facing an alarming rise in sophisticated cyber-attacks, with new data from Darktrace revealing energy providers are targeted more than three times as frequently as other critical sectors. This vulnerability comes at a crucial time as the government rolls out new critical infrastructure protection measures. The article would examine how this surge in attacks against energy providers could impact Australia’s national security, particularly in the context of broader Indo-Pacific tensions and the growing sophistication of state-sponsored threats.
Supporting data:
- Energy sector targeted over three times more frequently than the next most attacked sectors (critical manufacturing and transportation)
- OT/ICS attacks more than doubled from the previous year
- Specific case study of attack on Canadian energy provider’s PLC motor in SCADA environment
- IoT adoption and control automation in solar and wind sectors increasing attack surface
- Documented evidence of state-sponsored actors targeting energy infrastructure
Email security
Traditional email security measures are proving increasingly ineffective, with new data revealing 70% of malicious emails are now successfully passing DMARC authentication. This technical investigation would explore how cybercriminals are bypassing these traditional safeguards, particularly through the abuse of legitimate services. This release would examine the practical implications for Australian IT teams, who are now facing a situation where more than half of malicious emails are slipping through existing security layers, forcing a fundamental rethink of email security strategies.
Supporting data:
- 30.4 million phishing emails detected across the fleet
- 70% of malicious emails passed DMARC authentication
- 55% bypassed existing security layers
- 2.7 million multistage payload emails identified
- Over 940,000 malicious QR codes detected
- 38% were spear-phishing attempts
- 32% contained novel social engineering features
- 27% contained over 1,000 characters (approximately 200 words)
- 96% used previously established domains
Emerging threats
- New ICS-specific malware strains appeared (e.g., FrostyGoop), demonstrating growing sophistication in OT attacks
- Increased exploitation of vulnerabilities in edge devices and IoT systems
- Rise in state-sponsored attacks, particularly targeting critical infrastructure
Key recommendations from Darktrace
- Prioritise edge device security in vulnerability management
- Implement zero trust policies
- Focus on early anomaly detection
- Strengthen identity access management
- Regularly assess and test incident response plans
- Monitor supply chain risks
- Stay informed about evolving threats
- Adopt AI integration strategies
- Take a risk-based approach to security
- Maintain comprehensive asset inventory