The 2025 Threat Detection Report by Red Canary highlights the increasing volume of threats, with nearly 93,000 detected in 2024, emphasizing the evolution of adversary techniques, especially in cloud and identity attacks. Key findings include a rise in identity attacks, use of fake CAPTCHA lures, and the proliferation of new ransomware variants; the report also stresses the importance of early detection and comprehensive defense strategies. #LummaC2 #NetSupportManager
Key points
- The report is structured into main sections: Introduction, Methodology, Trends, Top Threats, Field Guide, Techniques, and Acknowledgements, which together cover threat landscape analysis, detection methods, and notable trends to inform cybersecurity practices.
- Red Canary detected nearly 93,000 threats in 2024, a 33% increase from the previous year, with significant growth in identity attacks (4x), info-stealers, macOS threats, and business email compromise.
- The rise of cloud-native attack techniques is evident, with three of the top five MITRE ATT&CK techniques related to cloud and identity breaches, underscoring the expanding attack surface.
- Malicious actors increasingly use social engineering, fake CAPTCHA lures, and browser injects such as Paste and Run, along with RMM tools such as NetSupport Manager and AnyDesk, to facilitate initial access and command and control operations.
- Emerging ransomware variants such as FOG and RansomHub, along with newly formed groups, have led to record-high ransom payments, some reaching up to $75 million, while law enforcement operations such as Operation Cronos have disrupted major ransomware groups like LockBit, though those groups often resume activity quickly.
- The report underlines the ongoing importance of early detection, patching vulnerabilities, monitoring endpoints, and understanding attacker tradecraft to minimize ransomware and other cyber threats effectively.
- Adversaries are adopting techniques such as Paste and Run lures and exploiting VPNs protected by weak passwords, highlighting the need for vigilant, layered security controls and user awareness training.
Source: Awesome Annual Security Reports - The reports in this collection are limited to content which does not require a paid subscription, membership, or service contract. (https://github.com/jacobdjwilson/awesome-annual-security-reports/)