Kaspersky provides rapid and fully informed incident response services to organizations, ensuring impact analysis and effective remediation. Our annual report shares anonymized data about the investigations carried out by the Kaspersky Global Emergency Response Team (GERT), as well as statistics and trends in targeted attacks, ransomware and adversaries’ tools that our experts observed throughout the year in real-life incidents that required both comprehensive IR unit support and consulting services aimed at assisting organizations’ in-house expert teams.
Download the full version of the report.
Regions and industries of incident response requests
In 2024, we saw the share of incident response requests rise in most of the regions, with the majority of investigations conducted in the CIS (50.6%), the Middle East (15.7%) and Europe (10.8%).
The distribution of IR requests by industry followed the 2023 pattern, keeping industrial (23.5%), government (16.3%) and financial (13.3%) organizations in the top three most targeted industries. However, this year the majority of requests came from industrial enterprises, whereas government agencies were targeted less often than in 2023. We also observe a growing share of incidents related to the transportation industry: the number of requests for IR services from this sector has doubled since 2023.
Key 2024 trends and statistics
In 2024, ransomware attacks saw an increase of 8.3 p.p. from the 2023 numbers and amounted to 41.6% of incidents overall. Our GERT experts estimate that ransomware will persist as the main threat to organizations worldwide in the upcoming year, continuing the trend of recent years in which this threat has consistently held the top positions among incidents in organizations. In the majority of infections, we encountered samples of the LockBit family (43.6%), followed by Babuk (9.1%) and Phobos (5.5%). Our investigations also revealed new ransomware families, such as ShrinkLocker and Ymir. What is more, GERT experts discovered noteworthy malicious campaigns like Tusk and a set of incidents in which CVE-2023-48788 was exploited.
Another alarming trend identified in real incident response cases is the wider use of tools such as Mimikatz (21.8%) and PsExec (20.0%). They are commonly used during post-exploitation for password extraction and lateral movement. We also observe that data leakage is increasingly the second most common reason for an incident response request, amounting to 16.9% of all incidents, which correlates with our assumptions regarding trends in credential access techniques.
Recommendations for preventing incidents
To protect your organization against cyberthreats and minimize the damage in the case of an attack, Kaspersky GERT experts recommend:
- Implementing a strong password policy and using multi-factor authentication
- Removing management ports from public access
- Adopting secure development practices to prevent insecure code from reaching production environments
- Establishing a zero-tolerance policy for patch management, or having compensating measures in place for public-facing applications
- Ensuring that employees maintain a high level of security awareness
- Implementing rules to detect utilities commonly used by adversaries
- Conducting frequent, regular compromise assessment activities
- Employing a security tool set that includes EDR-like telemetry
- Constantly testing the security operations team’s response times with simulated attacks
- Prohibiting, within the corporate network, the use of any software that is known to be used by attackers
- Regularly backing up your data
- Working with an Incident Response Retainer partner to address incidents with fast SLAs
- Implementing strict security programs for applications that handle personal information
- Implementing security access control over important data using DLP
- Continuously training your incident response team to maintain their expertise and stay up-to-date with the evolving threat landscape
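The recommendation to detect utilities commonly used by adversaries, applied to the two tools the statistics above single out (Mimikatz and PsExec), as an added illustration that is not part of the report or Kaspersky's own tooling. The events, host names and paths are constructed samples in the shape of Sysmon Event ID 1 / Windows 4688 process-creation data; the rules key on command-line behaviour as well as file names, so that a renamed binary is still caught.

```python
import ntpath
import re

# Constructed sample process-creation events (not taken from the report). The
# fields mirror the subset of Sysmon Event ID 1 / Windows 4688 data a SIEM
# rule typically keys on. Host names and paths are hypothetical.
SAMPLE_EVENTS = [
    {"host": "ws-042", "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # Renamed Mimikatz binary: the file name gives nothing away, the command line does.
    {"host": "ws-042", "image": r"C:\Users\j.doe\AppData\Local\Temp\m.exe",
     "cmdline": '"m.exe" privilege::debug sekurlsa::logonpasswords exit'},
    # PsExec service component started on the target host.
    {"host": "srv-fs01", "image": r"C:\Windows\PSEXESVC.exe",
     "cmdline": "PSEXESVC.exe"},
    # Renamed PsExec client on the source host; the \\target and -accepteula remain.
    {"host": "ws-017", "image": r"C:\Tools\ps.exe",
     "cmdline": r"ps.exe \\srv-fs01 -accepteula -s cmd.exe"},
]

MIMIKATZ_MODULES = ("sekurlsa::", "lsadump::", "privilege::debug", "kerberos::")
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# A UNC target (\\host) together with the -accepteula switch, in either order.
PSEXEC_CLIENT_RE = re.compile(r"\\\\\S+.*-accepteula|-accepteula.*\\\\\S+", re.I)

def match_rules(event):
    """Return the names of every rule the event triggers (empty list if none)."""
    name = ntpath.basename(event["image"]).lower()
    cmd = event["cmdline"].lower()
    hits = []
    if name == "mimikatz.exe" or any(m in cmd for m in MIMIKATZ_MODULES):
        hits.append("mimikatz_usage")
    if name in PSEXEC_NAMES:
        hits.append("psexec_binary")
    if PSEXEC_CLIENT_RE.search(event["cmdline"]):
        hits.append("psexec_client_cmdline")
    return hits

def detect(events):
    """Run every rule over an event stream; one alert tuple per (host, rule, image)."""
    alerts = []
    for ev in events:
        for rule in match_rules(ev):
            alerts.append((ev["host"], rule, ev["image"]))
    return alerts

if __name__ == "__main__":
    for host, rule, image in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule} ({image})")
```

The benign svchost.exe event produces no alert, while the three tool-related events each fire exactly one rule.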
The full 2024 Incident Response Report features additional information about real-life incidents, including new threats discovered by Kaspersky experts. We also take a closer look at APT activities, providing statistics for the most prolific groups. The report includes comprehensive analysis of initial attack vectors in correlation with the MITRE ATT&CK tactics and techniques and the full list of vulnerabilities that we detected during incident response engagements.