According to the 2025 Microsoft Digital Defense Report, more than half of all cyberattacks analyzed last year were driven by ransomware or extortion.
Microsoft found that 52% of incidents were linked to financial gain, while only 4% stemmed purely from espionage efforts.
“In 80% of the cyber incidents Microsoft’s security teams investigated last year, attackers sought to steal data—a trend driven more by financial gain than intelligence gathering,” the report said.
From espionage to extortion
This data signals a new normal — one where opportunistic cybercriminals, empowered by automation and artificial intelligence (AI), now pose as great a threat as nation-states.
Microsoft processes more than 100 trillion signals daily, blocks 4.5 million new malware attempts, and scans 5 billion emails for phishing and malicious code.
Yet attackers increasingly bypass traditional security measures by exploiting human error and outdated systems, especially in critical sectors such as healthcare, education, and public services.
Ransomware operators exploit these high-pressure environments where downtime can mean loss of life or public trust — forcing victims to pay quickly just to restore operations.
How the attacks work
The mechanics of modern ransomware campaigns are complex but consistent.
Attackers typically steal credentials or buy them on dark web marketplaces before encrypting data and demanding payment in cryptocurrency.
Alarmingly, Microsoft found that more than 97% of identity-based attacks stem from password attacks, with a 32% surge in identity attacks reported in the first half of 2025.
Infostealer malware has become a preferred method for harvesting login data, browser tokens, and session cookies at scale.
Cybercriminals can then reuse or sell these credentials to facilitate ransomware delivery or extortion schemes.
Fortunately, one simple mitigation remains highly effective: phishing-resistant multifactor authentication (MFA).
Microsoft’s analysis shows MFA can block over 99% of identity-based attacks, even when an attacker has valid credentials.
Layered defense
Security teams must now assume that adversaries aren’t just “breaking in”—they’re logging in with valid credentials. To counter this, organizations should:
- Deploy phishing-resistant MFA (e.g., FIDO2, passkeys).
- Replace legacy systems that cannot support modern identity protocols.
- Implement least-privilege access and continuous monitoring for anomalous sign-ins.
- Invest in AI-powered defense tools capable of detecting adaptive threats.
- Collaborate across industries to share threat intelligence.
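The list's third point, continuous monitoring for anomalous sign-ins, is the one most teams can start on with data they already have. The following is an added illustration, not code from Microsoft or the report: a small streaming detector over sign-in events that flags the two patterns the article describes, a single source failing against many accounts (credential stuffing or password spray) and a later successful sign-in from that same source, i.e. an adversary "logging in" rather than breaking in. It also flags a success from a device the account has never used. The log format, the window and threshold values, the per-user known-device baseline and the sample events are all constructed assumptions for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tuning knobs (assumed values; real thresholds depend on your tenant's baseline).
SPRAY_WINDOW = timedelta(minutes=10)   # look-back window per source IP
SPRAY_MIN_USERS = 3                    # distinct accounts failing from one IP => spray

# Constructed per-user baseline of devices seen before (hypothetical identifiers).
KNOWN_DEVICES = {
    "alice": {"dev-alice"},
    "bob": {"dev-bob"},
    "carol": {"dev-carol"},
}

# Constructed sample sign-in events; format assumed as:
#   <ISO-8601 timestamp> <user> <source IP> <FAIL|SUCCESS> <device id>
SAMPLE_EVENTS = [
    "2025-06-01T08:00:01Z alice 198.51.100.7 SUCCESS dev-alice",   # normal
    "2025-06-01T09:10:00Z alice 203.0.113.10 FAIL dev-x",         # one IP, many users...
    "2025-06-01T09:10:05Z bob 203.0.113.10 FAIL dev-x",
    "2025-06-01T09:10:09Z carol 203.0.113.10 FAIL dev-x",         # ...threshold crossed here
    "2025-06-01T09:10:14Z dave 203.0.113.10 FAIL dev-x",
    "2025-06-01T09:10:20Z bob 203.0.113.10 SUCCESS dev-x",        # valid creds from the spraying IP
    "2025-06-01T12:00:00Z carol 198.51.100.9 SUCCESS dev-carol",  # normal
    "2025-06-01T13:00:00Z alice 198.51.100.7 FAIL dev-alice",     # a lone typo, not a spray
]


def parse_event(line):
    """Split one log line into a dict; 'Z' is rewritten so older Pythons parse it."""
    ts, user, ip, result, device = line.split()
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "user": user,
        "ip": ip,
        "result": result,
        "device": device,
    }


def detect(lines, known_devices=KNOWN_DEVICES):
    """Return a list of (rule, subject, detail) findings for the given sign-in lines."""
    failures = defaultdict(deque)   # ip -> deque of (timestamp, user) failures in window
    spraying_ips = set()            # IPs already reported, so each is reported once
    findings = []

    for line in lines:
        ev = parse_event(line)
        ip, user, ts = ev["ip"], ev["user"], ev["ts"]

        if ev["result"] == "FAIL":
            q = failures[ip]
            q.append((ts, user))
            # Drop failures that fell out of the look-back window.
            while q and ts - q[0][0] > SPRAY_WINDOW:
                q.popleft()
            distinct_users = {u for _, u in q}
            if len(distinct_users) >= SPRAY_MIN_USERS and ip not in spraying_ips:
                spraying_ips.add(ip)
                minutes = int(SPRAY_WINDOW.total_seconds() // 60)
                findings.append(("password_spray", ip,
                                 f"{len(distinct_users)} distinct accounts failed within {minutes} min"))

        elif ev["result"] == "SUCCESS":
            # The high-severity case: a success from a source that was just spraying.
            if ip in spraying_ips:
                findings.append(("success_after_spray", user,
                                 f"valid credentials used from spraying source {ip}"))
            # A success from a device this account has never used before.
            if user in known_devices and ev["device"] not in known_devices[user]:
                findings.append(("new_device", user,
                                 f"first sign-in from device {ev['device']}"))

    return findings


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:20} {subject:15} {detail}")
```

The order of findings matters for triage: the `success_after_spray` finding is the one that should page someone, because it is exactly the "logging in with valid credentials" case MFA is meant to stop. In a real deployment the parser would be replaced by whatever your identity provider exports, and the baseline would be built from historical sign-ins rather than hard-coded.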
Microsoft’s Digital Crimes Unit has taken direct action against some of these threat actors by disrupting infostealer operations such as Lumma Stealer, in cooperation with the U.S. Department of Justice and Europol.
These joint efforts demonstrate that coordinated public-private partnerships can dismantle major cybercriminal infrastructures.
AI and the new cyber arms race
Both attackers and defenders are racing to leverage AI.
Generative AI enables cybercriminals to automate phishing campaigns, craft convincing social engineering content, and develop adaptive malware.
Nation-states, meanwhile, use AI to enhance cyber influence operations and espionage.
Defenders are also turning to AI-powered tools to close detection gaps, protect against AI-powered social engineering, flag abnormal network behavior, and accelerate incident response.
This technological tug-of-war means the effectiveness of a cybersecurity program increasingly depends on its AI maturity and data visibility.
Looking ahead
As digital transformation continues to accelerate, cyber threats are becoming inseparable from global economic stability and public safety.
Organizations that treat cybersecurity as a strategic priority—rather than just a cost—will be best positioned to survive this evolving threat landscape.
To stay resilient against this surge in credential-based attacks and AI-driven threats, organizations should leverage a zero-trust security model—one that assumes breach, verifies every request, and continuously validates trust across users, devices, and data.