Incidence response data shows threat actors doubled while ransomware payments decreased
- Since 2023, the number of threat-actors doubled – marking the biggest increase yet
- Ransomware was the leading incident category for the 3rd year running
- The number of ransomware payments made halved since 2022
- 39% of exploited software vulnerabilities in public-facing systems led to extortion attacks in 2024.
February 25, 2025 – New York – S-RM, leading global cybersecurity and intelligence consultancy, has released its 2025 Cyber Incident Insights Report, which reveals that in 2024, the cybersecurity landscape became increasingly fractured as ransomware attacks increased. While the barrier to entry for criminals lowered, law enforcement groups globally have stepped up action to combat threat actors.
Paul Caron, Head of Cybersecurity, Americas at S-RM, said:
Last year was about staying nimble and adaptable as the number of threat actors proliferated. With increased competition for potential targets, cybercriminals sought out a wider variety of targets going beyond large companies to include small and medium-sized businesses. And we’ve seen they’ve evolved their techniques and tools for example increasing EDR avoidance and Adversary-in-the-Middle’ (AiTM) attacks.”
The report outlines dominant trends observed in 2024 and provides an outlook for 2025. Data points around key 2024 developments were:
Fractures and fissures
Over the course of 2024, S-RM’s Incident Response team encountered more cyber threat actors than ever before—53 separate threat actors, a 96% increase from 27 in 2023. This trend reflects an increasingly fractured threat landscape, with established groups hampered by the efforts of law enforcement and the barriers of entry for new entrants lower than ever.
Ransomware still dominant
Over a third of the incidents S-RM’s team responded to involved ransomware, making it the leading incident category for the third year running. The rate of growth, however, may have slowed slightly. The number of organizations posted on ransomware and data-theft leak sites grew by 13% in 2024, down from 70% growth the prior year.
Ransom payments on the decline
While the threat actors multiply and become increasingly brazen, S-RM has observed that victims are becoming more resilient to ransom demands. Since 2022, the proportion of incidents the team has responded to that resulted in a ransom payment has nearly halved.
Exploited vulnerabilities continue to open doors
Exploited vulnerabilities in public-facing systems accounted for method of entry in 39% of extortion cases S-RM supported in 2024. S-RM also observed a 53% increase the number of small businesses named on ransomware leak sites, indicating that increased competition among ransomware groups has broadened the scope of organizations targeted by threat actors.
For more information, access the full 2025 Cyber Incident Insights Report on S-RM's official website here.
About S-RM
S-RM is a cybersecurity and corporate intelligence consultancy, headquartered in London, with nine international offices including New York and Washington D.C. Specializing in incident response and proactive cybersecurity risk management, they advise companies ranging from insurers and blue-chip corporates to large financial institutions, and beyond. To find out more visit: www.s-rminform.com.
Methodology
The 2025 S-RM Cyber Incident Insights Report seeks to support organisations in their cybersecurity efforts by sharing the insights gained through responding to incidents around the world. This report features data from Polus Analytics, S-RM’s proprietary platform that holds data on over 600 incidents the global IR team responded to across S-RM’s 2024 financial year
For more information, access the full 2025 Cyber Incident Insights Report on S-RM's official website here.
U.S. Media Inquiries
Meir Kahtan Public Relations, LLC
Meir Kahtan
Mobile: 1+ 917.864.0800
mkahtan@rcn.com
