Cyber Threat Landscape Q&A with Trellix Head of Threat Intelligence John Fokker
By Trellix · January 27, 2025
As we step into 2025, it's time to reflect on the changes that shaped the cybersecurity landscape in 2024 and anticipate what's on the horizon for 2025. The past year saw significant developments in ransomware techniques, the strategic use of generative AI by cyber adversaries, an uptick in politically motivated hacktivism, and cyber operations tied to international conflicts. Law enforcement actions disrupted criminal networks, causing operational setbacks and pushing malicious actors to adopt new methods. With these dynamics in mind, let's examine the major trends of 2024 and evaluate the challenges and risks awaiting us in 2025.
We sat down with Trellix Head of Threat Intelligence John Fokker to get his thoughts on the most pressing cyber threats of 2025 and biggest takeaways from 2024.
What shifted the cyber landscape in 2024?
Law enforcement action: This year we saw more law enforcement action: more takedowns, more indictments and more disruption. The tactics utilized by law enforcement are expanding and changing. We've seen this be successful in sowing confusion and distrust among cybercriminal groups.
Ransomware ecosystem: The ransomware ecosystem is vastly different than a year ago. Notably, we’ve seen more smaller groups and wholly new groups operating, especially in the last half of the year. The change in players may be due to takedowns and law enforcement action. For example, after the initial LE action against LockBit, we observed copycat groups and impersonators pop up. We’ve also observed a stronger focus on extortion.
GenAI: GenAI has certainly been infiltrating the operations of criminal and nation-state groups. More threat actors are embracing it, and it has been a tool used by nation-state actors for creating and spreading misinformation campaigns. Despite its use for malicious purposes, it hasn't really transformed cyber threats yet. We do expect it to, however.
Hacktivism: Hacktivism intensified in 2024. It's a natural progression due to political ideologies, a pressurized economy and global events. We very much expected growth in hacktivism. What has been interesting is that certain hacktivist groups have been linked directly to nation-states, where governments have influenced and sponsored their activity. We've observed this in Iran and Russia.
Warfare: Cyber activity timed with kinetic warfare has continued, especially as it relates to the Russia-Ukraine and Israel-Hamas conflicts. Where we see increases in activity from Iran-aligned nation-state groups, it's largely a consequence of war, where malicious activity is often triggered by emotional reactions and disruptive attacks are an immediate response. What's interesting is that we've seen activity linked to Iran really change, shifting from a focus on information gathering and espionage to putting muscle behind causing disruption and spreading misinformation.
How do you differentiate between hacktivists, cybercrime groups, and state sponsored groups when there is overlap?
We are seeing state sponsorship of hacktivist groups in Russia and other regions. Classic APT groups are typically government agency employees, and their primary focus is espionage. Hacktivists are very different in how they execute attacks, communicate and organize. They are typically formed loosely by individuals grouped by a common ideology or emotional response. They'll use DDoS attacks or ransomware to make a point or steal data. Hacktivist groups may be sponsored by their governments for their ability to target different organizations and their use of fewer resources. They also provide plausible deniability for the state. In the case of physical warfare, we see this in Russia with the Wagner Group.
What threats are top of mind for you in the next year?
Ransomware targets integrity of data: If you look at ransomware attacks, they most often target the availability of data or the confidentiality of data. We've not yet seen attacks that target the integrity of data, but it's something I am thinking about. As more organizations use AI, agents and models in their daily operations, the potential for criminals to tamper with data is definitely there. The result is a poisoned AI model whose outputs are hallucinations, which further complicates restoration and management post-attack.
Hacktivists: One thing that keeps me up at night is thinking about the risk of hacktivists utilizing ransomware. A big differentiator between hacktivist actors and run-of-the-mill cybercriminals is their motivation. A hacktivist is looking to cause disruption, where a typical ransomware operator is looking to make money. This leads hacktivists to take action with less discipline and less skill, and to let emotion fuel their decision making. Cybercriminals have an incentive to restore damage caused by their ransomware, and typically have the skills to do so. In the case of hacktivists deploying ransomware, this is not the case.
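The integrity threat described above is harder to recover from than encryption precisely because a silent relabel or deletion leaves no obvious trace. One practical check is to attest a dataset with a keyed manifest before it feeds a model, then diff the live data against that manifest to pinpoint which records were modified, removed or added. The code below is an added example, not part of the interview or any Trellix tooling; the dataset, the record ids and the key are constructed for illustration, and the key is a constant only so the block runs stand-alone (in practice it would be held offline, since a plain hash list stored beside the data can simply be regenerated by whoever rewrote the data).

```python
import hashlib
import hmac
import json

# Constructed sample: a tiny labelled "training set" keyed by record id.
# Any tabular or JSONL dataset can be fed in the same way; these ids are invented.
DATASET = {
    "rec-0001": {"text": "invoice overdue, pay now", "label": "phishing"},
    "rec-0002": {"text": "quarterly report attached", "label": "benign"},
    "rec-0003": {"text": "reset your password via this link", "label": "phishing"},
}

# Keyed-hash key. Hypothetical constant for the example; a real deployment keeps it
# offline (HSM, vault, offline signer) so an attacker who can rewrite the data
# cannot also recompute a matching manifest.
MANIFEST_KEY = b"example-key-keep-offline"


def canonical(record: dict) -> bytes:
    # Stable serialization so equal records hash identically regardless of key order.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key: bytes, record_id: str, record: dict) -> str:
    # The tag binds content to its id, so records cannot be swapped between ids.
    mac = hmac.new(key, record_id.encode() + b"\x00" + canonical(record), hashlib.sha256)
    return mac.hexdigest()


def build_manifest(key: bytes, dataset: dict) -> dict:
    per_record = {rid: record_tag(key, rid, rec) for rid, rec in sorted(dataset.items())}
    # A root tag over the ordered per-record tags also catches added or removed records.
    root = hmac.new(key, canonical(per_record), hashlib.sha256).hexdigest()
    return {"records": per_record, "root": root}


def verify(key: bytes, dataset: dict, manifest: dict) -> dict:
    """Report which record ids were modified, removed or added relative to the manifest.
    manifest_ok is False if the manifest itself was altered or forged without the key."""
    expected = manifest["records"]
    modified, removed, added = [], [], []
    for rid, tag in expected.items():
        if rid not in dataset:
            removed.append(rid)
        elif not hmac.compare_digest(tag, record_tag(key, rid, dataset[rid])):
            modified.append(rid)
    for rid in dataset:
        if rid not in expected:
            added.append(rid)
    root_ok = hmac.compare_digest(
        manifest["root"], hmac.new(key, canonical(expected), hashlib.sha256).hexdigest()
    )
    return {"manifest_ok": root_ok, "modified": modified, "removed": removed, "added": added}


def demo() -> dict:
    # Attest the clean dataset, then simulate an integrity attack that silently
    # flips one label (poisoning a classifier), deletes a record and injects a new one.
    manifest = build_manifest(MANIFEST_KEY, DATASET)
    tampered = json.loads(json.dumps(DATASET))
    tampered["rec-0001"]["label"] = "benign"
    del tampered["rec-0002"]
    tampered["rec-9999"] = {"text": "click here", "label": "benign"}
    return verify(MANIFEST_KEY, tampered, manifest)


if __name__ == "__main__":
    print(demo())
```

The per-record granularity is what makes restoration tractable: instead of rolling back an entire dataset (and every model trained on it) to the last known-good backup, the verifier names exactly the records to restore or quarantine. Running the check at ingestion time, before training or fine-tuning, is what turns a poisoned model from an after-the-fact discovery into a blocked job.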