AI-Driven Cyber Threats, Ransomware Evolution, and Supply Chain Security: We (try to) PREDICT what's coming in Mandiant's 2025 M-Trends Report

I take a SPECULATIVE deep dive into what I think might be in the 2025 Mandiant M-TRENDS report.

Who knew, Clippy was a threat actor all along!?

BEFORE YOU BEGIN!!!

This is ENTIRELY speculative. I didn't read or know what is / has gone into the Mandiant 2025 M-TRENDS report. I simply admire the work that they do each year for the community, and since I created this fancy AI service, thought it'd be fun to see if there was any overlap. If anything, it's interesting data... and may help me tune the service in the long run :)

If you want to reserve your copy of their report when it comes out, go here

What you SHOULD be asking yourself after reading this AND M-TRENDS (when it's released)... where do I pivot next? ;-)

Thank you for taking the time to read this, I'd love to hear your feedback. What areas do you think I missed? How could you use this to prime your team for the report's release?

Cheers-

the Janitor


TL;DR

Key Points

    • AI-driven cyber threats are on the rise, with attackers using AI for phishing and malware.
    • Organizations should implement AI-driven security solutions for real-time threat detection.
    • Ransomware attacks have surged by 73% from 2022 to 2023, with significant financial impacts.
    • Enhance employee training and incident response protocols to mitigate ransomware risks.
    • Supply chain attacks are increasingly frequent, affecting 63% of organizations.
    • Strengthen supply chain security by assessing third-party vendors and implementing strict access controls.

Summary

I think Mandiant's 2025 M-Trends report MAY highlight the growing sophistication of AI-driven cyber threats, the evolution of ransomware, and the critical need for enhanced supply chain security.

AI-driven threats are becoming more prevalent, with attackers leveraging AI to automate phishing and malware attacks. A case study shows AI being used to create adaptive phishing campaigns that bypass traditional security measures, particularly impacting finance and healthcare sectors.

Ransomware attacks have increased dramatically, with notable incidents such as the LockBit attack on Royal Mail and the Medusa attack on Minneapolis Public Schools. These incidents underscore the need for robust incident response protocols and employee training to recognize and respond to sophisticated threats.

Supply chain security remains a significant concern, with 63% of organizations reporting attacks. High-profile cases like the MOVEit vulnerability exploited by the Clop group highlight the vulnerabilities in third-party vendor relationships. Organizations are advised to conduct thorough assessments and implement strict security measures to protect against these threats.

Research

1. AI-Driven Cyber Threats

  • Emerging Trends: I think the Mandiant report may indicate a significant rise in AI-driven cyber threats, with attackers increasingly leveraging AI tools to automate and enhance their attacks. This includes the use of AI for phishing, malware development, and exploiting vulnerabilities.
  • Case Study: A notable example is the use of AI by threat actors to create sophisticated phishing campaigns that adapt in real-time based on user behavior. This trend has been observed in various sectors, including finance and healthcare, where attackers utilize AI to craft personalized messages that bypass traditional security measures.

2. Ransomware Evolution

  • Recent Statistics: Ransomware attacks surged by 73% from 2022 to 2023, with over 4,600 reported cases in 2023 alone. The financial impact of these attacks exceeded $1 billion, highlighting the growing threat to organizations.
  • Key Incidents:
    • Royal Mail (January 2023): The LockBit group attacked the UK's postal service, demanding an $80 million ransom after encrypting critical systems. Royal Mail opted not to pay, resulting in data leaks.
    • Medusa (March 2023): This group targeted Minneapolis Public Schools, exfiltrating sensitive data and demanding $1 million to prevent its release. The leaked data included confidential case files, raising significant privacy concerns.
    • ALPHV/BlackCat (March 2023): This group attacked Lehigh Valley Health Network, leaking sensitive patient data after the organization refused to pay the ransom. The incident led to lawsuits and highlighted vulnerabilities in healthcare cybersecurity.

3. Supply Chain Security

  • Challenges: I think the Mandiant report might emphasize the increasing frequency of supply chain attacks, with 63% of organizations reporting such incidents in the past year. These attacks exploit vulnerabilities in third-party vendors, leading to significant data breaches.
  • Case Studies:
    • MOVEit Vulnerability (June 2023): Exploited by the Clop ransomware group, this vulnerability affected around 600 organizations, compromising data for nearly 40 million individuals. The incident underscored the critical need for robust supply chain security measures.
    • UCSF (February 2023): A supply chain attack disrupted the hospital's electronic health record system, leading to canceled surgeries and compromised patient data. The attackers exploited a vulnerability in third-party software used by UCSF.
    • Airbus (January 2023): A compromised employee account at Turkish Airlines allowed attackers to access sensitive data related to over 3,000 Airbus vendors, demonstrating the risks associated with third-party relationships.

Recommendations, Actions and Next Steps

Recommendations

  1. Implement AI-Driven Security Solutions: Organizations should invest in AI-based security tools such as Darktrace or CrowdStrike that use machine learning for real-time threat detection and response. These tools can identify unusual patterns indicative of AI-driven cyber threats, particularly in phishing and malware activities, enhancing the organization's ability to respond swiftly to emerging threats.

  2. Enhance Employee Training Programs: Develop comprehensive training programs focused on recognizing sophisticated phishing attempts and ransomware tactics. Incorporate simulated phishing exercises using platforms like KnowBe4 to improve employee awareness and response capabilities. This will ensure that staff are equipped to identify and report potential threats, significantly reducing the likelihood of successful attacks.

  3. Strengthen Supply Chain Security Measures: Conduct thorough assessments of third-party vendors to identify vulnerabilities. Implement strict access controls and require regular security audits to ensure compliance with security standards. Tools like SecurityScorecard can help organizations evaluate the security posture of their vendors, mitigating risks associated with supply chain attacks.

  4. Establish Incident Response Protocols: Create and regularly update incident response plans that specifically address AI-driven threats and ransomware incidents. Ensure that these protocols include clear communication strategies and recovery plans to minimize the impact of potential attacks. Regular tabletop exercises can help test and refine these plans.

  5. Collaborate with Industry Peers: Engage in information sharing with other organizations to stay informed about emerging threats and effective mitigation strategies. Participate in industry forums and threat intelligence sharing platforms such as the Cyber Threat Alliance to enhance collective security efforts.

Followup Research

Suggested Pivots

  1. What specific AI models or algorithms are being exploited by threat actors in AI-driven cyber attacks, and how can organizations develop countermeasures against these techniques?

  2. In light of the recent surge in ransomware incidents, what lessons can be learned from the responses of organizations like Royal Mail and Minneapolis Public Schools to improve incident response protocols?

  3. What comprehensive strategies can organizations implement to assess and mitigate supply chain vulnerabilities, particularly in sectors that have been heavily targeted in recent attacks?

  4. How can organizations effectively utilize AI-driven security solutions, such as Darktrace or CrowdStrike, to enhance their defenses against evolving ransomware tactics and AI-driven threats?

  5. What specific training methodologies can organizations adopt to improve employee awareness and response to sophisticated phishing and ransomware tactics, based on recent attack trends?

Forecasts

Short-Term Forecast (3-6 months)

  1. Rise of AI-Driven Phishing Attacks

    • AI-driven phishing campaigns will significantly increase successful attacks, especially in finance and healthcare. Attackers will use AI technologies, such as natural language processing and machine learning, to create personalized and adaptive phishing messages that bypass traditional security measures. Organizations must enhance employee training to recognize these advanced tactics.
    • Examples:
      • Attackers may use AI tools like ChatGPT to generate convincing phishing emails that mimic legitimate communications, making it difficult for employees to discern authenticity.
      • Historical data from 2023 indicates that AI-generated phishing attempts led to a notable increase in credential theft, emphasizing the need for proactive defenses.
  2. Escalation of Ransomware Attacks

    • Ransomware attacks are projected to escalate, with increased frequency and sophistication. The financial impact is expected to exceed $1 billion, as seen in 2023. Organizations will face heightened risks, particularly in critical sectors like healthcare and education, where sensitive data is at stake.
    • Examples:
      • The Royal Mail attack by the LockBit group resulted in significant operational disruptions and data leaks, serving as a cautionary tale for organizations that may underestimate the threat.
      • The Medusa attack on Minneapolis Public Schools highlights vulnerabilities in educational institutions, suggesting that similar attacks may target other schools soon.
  3. Increased Supply Chain Attacks

    • Supply chain attacks will rise, with organizations reporting vulnerabilities in third-party vendors. As attackers exploit these weaknesses, organizations will need to implement stricter security measures and conduct thorough assessments of their supply chain partners.
    • Examples:
      • The MOVEit vulnerability exploited by the Clop ransomware group affected around 600 organizations, underscoring the critical need for robust supply chain security.
      • The UCSF attack, which disrupted healthcare services, illustrates the potential consequences of inadequate supply chain security measures.

Long-Term Forecast (12-24 months)

  1. Integration of AI in Cybersecurity Defense Mechanisms

    • Organizations will increasingly adopt AI-driven security solutions to combat the evolving threat landscape. These tools will enhance real-time threat detection and response capabilities, particularly against AI-driven attacks. The integration of machine learning algorithms will become standard practice in cybersecurity strategies.
    • Examples:
      • Companies like Darktrace and CrowdStrike are already leading the way in AI-based security solutions, and their adoption is expected to grow as organizations seek to mitigate risks associated with AI-driven threats.
      • Historical data shows that organizations implementing AI-driven defenses saw a significant reduction in successful attacks, indicating a positive trend towards proactive cybersecurity measures.
  2. Regulatory Changes and Compliance Requirements

    • As the threat landscape evolves, regulatory bodies will likely introduce new compliance requirements focused on cybersecurity, particularly regarding supply chain security and ransomware response protocols. Organizations will need to adapt to these changes to avoid penalties and ensure data protection.
    • Examples:
      • The introduction of stricter regulations in the EU regarding data protection and cybersecurity compliance, which may serve as a model for other regions.
      • Past incidents, such as the GDPR enforcement, demonstrate how regulatory changes can significantly impact organizational practices and necessitate updates to security protocols.
  3. Emergence of New Ransomware Groups and Tactics

    • The ransomware landscape will continue to evolve, with new groups emerging and existing ones adapting their tactics. Organizations will need to remain vigilant and continuously update their defenses to counter these evolving threats.
    • Examples:
      • The emergence of groups like Akira and Play, which have adopted innovative tactics, highlights the dynamic nature of the ransomware threat landscape.
      • Historical trends indicate that as one group is disrupted, others often rise to fill the void, suggesting a persistent and evolving threat.

Appendix

MITRE ATT&CK

Techniques

  1. T1203 (Exploitation for Client Execution) - Exploitation of vulnerabilities in client applications to execute malicious code.

    • This technique is relevant due to the rise of AI-driven phishing attacks that exploit vulnerabilities in user applications to deliver malware, as highlighted in the Mandiant report.
  2. T1566 (Phishing) - Use of deceptive emails to trick users into revealing sensitive information or executing malicious code.

    • Phishing remains a primary method for ransomware delivery, especially with AI-enhanced tactics that personalize attacks, as seen in recent case studies.
  3. T1499 (Network Denial of Service) - Overwhelming a target's network resources to disrupt services.

    • Ransomware groups often employ DDoS attacks as a distraction while executing their primary attack, which is critical in the current threat landscape.
  4. T1071.001 (Application Layer Protocol: Web Protocols) - Use of web protocols for command and control.

    • This technique is frequently used in ransomware operations to communicate with compromised systems, making it highly relevant.
  5. T1070.001 (Indicator Removal on Host: File and Directory Permissions Modification) - Modifying file and directory permissions to hide malicious activity.

    • Ransomware actors often use this technique to prevent detection of their activities, which is crucial for their success.
  6. T1070.002 (Indicator Removal on Host: Clear Windows Event Logs) - Clearing logs to erase traces of malicious activity.

    • This is a common practice among ransomware groups to evade detection, particularly in high-stakes environments.
  7. T1190 (Exploit Public-Facing Application) - Exploiting vulnerabilities in public-facing applications.

    • Supply chain attacks often leverage this technique to gain initial access, as demonstrated in the Mandiant report.
  8. T1583 (Acquire Infrastructure) - Acquiring infrastructure for use in attacks.

    • Ransomware groups often acquire infrastructure to facilitate their operations, which is a growing trend.
  9. T1584 (Compromise Infrastructure) - Compromising existing infrastructure for malicious purposes.

    • This technique is relevant in the context of supply chain attacks, where existing systems are exploited.
  10. T1585 (Compromise Cloud Infrastructure) - Compromising cloud services to gain access to sensitive data.

    • Increasingly relevant as organizations migrate to cloud environments, making them attractive targets.
  11. T1586 (Compromise Third-Party Software) - Targeting third-party software to gain access to systems.

    • This is a critical technique in supply chain attacks, as highlighted by recent incidents.
  12. T1195 (Supply Chain Compromise) - Compromising a third-party vendor to gain access to a target.

    • Directly related to the supply chain security concerns highlighted in the report.
  13. T1200 (Hardware Additions) - Adding hardware to a target's environment to facilitate attacks.

    • Relevant in the context of physical supply chain security.
  14. T1199 (Trusted Relationship) - Exploiting trusted relationships to gain access.

    • This technique is often used in supply chain attacks, emphasizing the need for vigilance.
  15. T1071 (Application Layer Protocol) - Using application layer protocols for command and control.

    • Commonly used in ransomware operations, making it a significant concern.

Tactics

  1. TA0001 (Initial Access) - Gaining initial access to a network.

    • This tactic encompasses various techniques used by ransomware groups to infiltrate systems, particularly through phishing and exploitation.
  2. TA0002 (Execution) - Running malicious code on a target system.

    • Execution is critical for ransomware deployment, as it directly leads to the encryption of data.
  3. TA0003 (Persistence) - Maintaining access to a system over time.

    • Ransomware actors often establish persistence to ensure continued access, which is vital for their operations.

SOFTWARE

  1. S0575 (Conti) - A ransomware-as-a-service operation that has been highly effective.
    • Conti's tactics are often studied for their impact on organizations, making it a key player in the ransomware landscape.

MITIGATIONS

  1. M1030 (User Training) - Training users to recognize phishing attempts and other social engineering tactics.

    • Essential for reducing the risk of ransomware attacks, especially as phishing tactics become more sophisticated.
  2. M1031 (Application Isolation and Sandboxing) - Isolating applications to prevent malicious code execution.

    • This mitigation is crucial for protecting against AI-driven threats and ransomware.
  3. M1032 (Network Segmentation) - Segmenting networks to limit the spread of ransomware.

    • Effective in containing ransomware outbreaks and minimizing damage.

GROUPS

  1. G1032 (INC Ransom) - A ransomware group known for its aggressive tactics.

    • Their operations highlight the current landscape of ransomware threats and the need for organizations to stay vigilant.
  2. G0092 (TA505) - A group that has evolved its tactics over time, including ransomware.

    • Their adaptability makes them a significant threat, particularly in the context of AI-driven attacks.
  3. G1024 (Akira) - A ransomware group that has emerged recently.

    • Their tactics reflect the latest trends in ransomware attacks, emphasizing the need for updated defenses.
  4. G1040 (Play) - Known for deploying ransomware against various sectors.

    • Their operations are indicative of the broader ransomware threat landscape, particularly in critical infrastructure.
  5. G0119 (Indrik Spider) - A group that has transitioned from banking Trojans to ransomware.

    • Their evolution showcases the changing nature of cyber threats and the need for organizations to adapt their defenses accordingly.

AlphaHunt

(Have feedback? Did something resonate with you? Did something annoy you? Just hit reply! :))

Get questions like this:

  1. What are the top 3 things likely to be on Mandiant's 2025 M-Trends report and why?

Does it take a chunk out of your day? Would you like help with the research?

This baseline report was thoughtfully researched and took 10 minutes. It's meant to be a rough draft for you to enhance with the unique insights that make you an invaluable analyst.

We just did the initial grunt work...

(c) 2025 CSIRT Gadgets, LLC
License - CC BY-SA 4.0