Ontinue Research Reveals Ransomware Attacks Surged 132% Despite 35% Drop in Payments
AiTM Attacks Emerged as a Dominant Threat in 2H 2024, Along with Significant Activity from PlugX, Command-and-Control (C2) Traffic, and Vishing and Phishing Campaigns

REDWOOD CITY, Calif., March 25, 2025 – Ontinue, a leading provider of AI-powered managed extended detection and response (MXDR) services and winner of the 2023 Microsoft Security Services Innovator of the Year award, today released its 2H 2024 Threat Intelligence Report, offering a comprehensive analysis of the latest cyber threats identified by its Advanced Threat Operations (ATO) team. The findings reveal a 132% surge in ransomware attacks even as ransom payments declined by 35%, signaling that attackers are doubling down on ransomware even though fewer victims are paying.
Among other key trends, the report highlights the rapid rise of Adversary-in-the-Middle (AiTM) attacks, which have become a dominant method for stealing authentication tokens and bypassing multi-factor authentication (MFA). Additionally, the PlugX Remote Access Trojan (RAT) remains an active threat, while command-and-control (C2) traffic associated with infostealers and malware loaders continues to escalate.
Vishing: The AI-Powered Threat on the Rise
The report also exposes the increasing sophistication of vishing (voice phishing) attacks, which cybercriminals are now enhancing with artificial intelligence. By leveraging AI-driven voice cloning, attackers can produce highly realistic deepfake audio that impersonates trusted individuals, tricking victims into divulging credentials, approving fraudulent transactions, or granting unauthorized system access.
In Q1 2025 alone, Ontinue’s ATO team detected a 1,633% spike in vishing-related incidents compared to the previous quarter. Many of these attacks directed victims to fake Microsoft support pages, often hosted on .shop domains, where users were prompted to call fraudulent support numbers. These campaigns highlight how social engineering, combined with AI-driven deception, is becoming an increasingly effective tactic for cybercriminals. Ontinue forecasts that vishing will remain a rising threat throughout 2025 and beyond.
Attackers Exploiting Built-in Microsoft Tools
Threat actors are increasingly abusing legitimate Microsoft tools to evade detection and maintain persistence in compromised environments. Microsoft Quick Assist, a remote support tool, is being weaponized by attackers to gain unauthorized access to victim devices, often bypassing traditional security controls. Meanwhile, Windows Hello authentication keys have been targeted in credential theft campaigns, allowing adversaries to authenticate as legitimate users without needing passwords. The abuse of built-in administrative utilities highlights the challenge of detecting malicious activity that blends in with routine IT operations, reinforcing the need for continuous monitoring and behavioral analysis.
New Malware Delivery Mechanisms Emerge
As cyber defenses improve, threat actors are evolving their delivery methods to evade detection. Ontinue’s research highlights a shift toward browser extension abuse and malvertising campaigns:
- Malicious browser extensions, particularly in Google Chrome, are being weaponized to deliver information-stealing malware. Because these extensions travel with the user's browser profile, they can survive a system reimage: when the user reimports that profile onto the rebuilt machine, the extension is restored and the attacker regains a foothold.
- Malvertising campaigns continue to target unsuspecting users by instructing them to copy and paste malicious PowerShell commands into their systems, often through deceptive ads that appear legitimate.
Ransomware: Fewer Payments, but More Attacks
Despite the significant increase in ransomware attacks, fewer victims are paying ransoms, as organizations adopt stronger backup strategies and improved incident response plans, and as regulatory pressure discourages payment. In response, cybercriminals are doubling down on exfiltration-based extortion—stealing sensitive data and threatening public disclosure to compel victims to pay.
“The cybercriminal ecosystem is adapting to evolving security measures, leveraging AI-powered deception, novel malware delivery tactics, and persistent social engineering schemes,” said Balazs Greksza, Director of Advanced Threat Operations at Ontinue. “Our research underscores the urgent need for organizations to fortify their defenses against sophisticated phishing, vishing, and malware campaigns, while continuing to harden their environments against ransomware and credential theft.”
Related Resources:
- Read Ontinue’s full 2H 2024 Threat Intelligence Report.
- TL;DR | Check out our latest blog post about the 2H 2024 Threat Intelligence Report.
- Get insights from Ontinue’s ATO team on Black Basta.
- Learn more about how Ontinue can help your organization alleviate SecOps burden while improving your security posture.
- Follow Ontinue on LinkedIn.
About Ontinue
Ontinue is a leading provider of AI-powered managed extended detection and response (MXDR) services, empowering modern organizations to securely embrace their digital future. We’re on a mission to redefine managed security operations with Nonstop SecOps, a 24/7 approach that delivers continuous protection through trust and innovation.
Ontinue ION leverages an AI-powered platform, human expertise and our customers’ own Microsoft tools to deliver tailored protection that conforms to your environment and operations. The result is fast threat detection and response, and continuous security posture hardening. With ION handling the daily security operations, CISOs and their teams get more time back in their day to focus on the next big initiative to propel their organization forward.
ION’s innovative collaboration model and transparent architecture ensure that security analysts always have instant access to eyes-on-glass SecOps support and complete control of their data. Additionally, Ontinue’s unparalleled Microsoft expertise helps CISOs and CIOs maximize return on their investment in Microsoft controls and consolidate their security stack.
Continuous Trust. Continuous Innovation. Continuous Empowerment.
That’s Nonstop SecOps from Ontinue.