Cyber Threat Intelligence Reports

Threat intelligence from over 3,000 yearly incident response engagements feeds the Cyber Threat Landscape Reports from Kroll. The reports also include real-life case studies to help security and risk leaders “see” how incidents can play out. Get the latest report now.

2025 Cyber Threat Landscape Report: Cybercrime in the Crypto Era

The first half of 2025 saw the continuation of the complex themes that shaped the threat landscape in 2024. Email compromise retained its place as the most prominent threat type, while phishing continued to take the lead in initial access methods. Yet another trend that persisted was that of groups such as Akira, PLAY and LockBit retaining their place as key ransomware players.

However, alongside familiar threat types and players, risks associated with cryptocurrency proved to be a notable theme in Q1 2025, likely due to changing regulations and a rise in malware leveraging the blockchain. As a result, this report focuses on key findings and observations around cryptocurrency.

Key Findings

  • Emerging trends in cryptocurrency and how businesses can stay ahead of these threats
  • Analysis of novel attack methods used in Q1 which leverage the blockchain
  • Case studies on notable crypto-related cybercrime from Q1 2025 and what can be learned from these events
  • Specific steps your organization can take to stay secure in the year

Dive Deeper

Cybercrime in Crypto Era

Q4 2024 Cyber Threat Landscape - Gone Phishing. Evolving Techniques Keep Organizations on the Hook

Trends observed by Kroll in Q4 confirm that 2024 was a year of fragmentation and fast-moving evolution for cyber threats, and they suggest that 2025 is likely to be similar.

A key trend was the ongoing development of phishing techniques and approaches. Aligning with trends from last year and previous years, professional services stands out as 2024’s most targeted sector. However, patterns for other sectors are also concerning, with manufacturing remaining a firm favorite as a target for attackers.

Key Findings

  • Notable themes and patterns defining the threat landscape, such as an increase in phishing attacks
  • The continuing rise of nation-state activity
  • Critical shifts in attacker behavior, for example, the ongoing evolution of ransomware methods
  • The escalation of threats to perimeter/edge devices

Dive Deeper

Q4 2024 Cyber Threat Landscape: Gone Phishing. Evolving Techniques Keep Organizations on the Hook

Q3 2024 Threat Landscape Report: Rising Attacks on Tech and Telecoms Reinforce Need for Business Continuity Planning

In Q3 Kroll noticed threat actors increasingly focusing on the tech and telecommunications sector. Other notable trends observed were the rise in nation-state actor activity and the diversification of ransomware groups.

In a quarter that was defined by the global disruption resulting from the CrowdStrike IT outage, our findings point to a complex and fast-moving threat landscape. Read the report to gain the full picture of the past quarter’s security trends, plus key recommendations to help your organization stay resilient.

Key Findings

  • Professional services stayed at the top spot as the most targeted industry, with the tech and telecoms sector seeing a five percent increase from Q2 2024
  • Insider Threat was observed as a significant risk factor for the tech and telecoms sector
  • The emergence of several new ransomware variants, highlighting possible rebrands and spin-offs following earlier law enforcement disruptions
  • Q3 also marked a significant increase in information stealer attacks

Dive Deeper

Q3 2024 Threat Landscape Report: Rising Attacks on Tech and Telecoms Reinforce Need for Business Continuity Planning

Q2 2024 Threat Landscape Report: Threat Actors Do Their Homework, Ransomware and Cloud Risks Accelerate

In Q2 Kroll saw professional services retain their top spot as the most targeted industry, with other sectors seeing increases in comparison with the previous quarter. Kroll’s key findings for Q2 highlight a 7% increase in incidents related to unauthorized access. Our experts also noted attackers targeting cloud services, highlighting threat actors’ increasing focus on the cloud as an entry point into networks, and the growing use of information stealing malware.

Key Findings

  • Professional services stayed at the top spot as the most targeted industry, with other sectors, such as healthcare, seeing increases in comparison with the previous quarter
  • A 7% increase in incidents related to unauthorized access
  • The education sector is a key focus for FOG ransomware group
  • A rise in unauthorized access incidents as threat actors target SaaS applications

Dive Deeper

Q2 2024 Threat Landscape Report: Threat Actors Do Their Homework, Ransomware and Cloud Risks Accelerate

Q1 2024 Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices

In Q1 2024, we saw an evolution in techniques used by attackers, some of which may point to longer term trends in the variation and sophistication of attacks faced by organizations. In particular, with regards to phishing, we saw SMS and voice-based tactics being used, which raises concern around the potential for deep fakes and AI-type technologies to further enhance the effectiveness of phishing attacks.

Key Findings

  •  In Q1 2024, attacks against the construction sector accounted for 6% of Kroll IR engagements double the sector’s peak of 3% in Q1 2023
  • At 39% phishing remained the top initial access vector across all threat incident types
  • Insider threats and the sectors most vulnerable to such attacks
  • ScreenConnect CVE Exploited in Less Than 48 Hours by range of Threat Actor Types

Dive Deeper

Q1 2024 Cyber Threat Landscape Report: Insider Threat & Phishing Evolve Under AI Auspices

Q4 2023 Threat Landscape Report: Threat Actors Breach the Outer Limits

Q4’s rise in the use of external remote services as a ransomware attack vector sets the tone for what is already looking to be a demanding year ahead. With the popularity of remote or hybrid working, organizations must be vigilant in ensuring they have strong defenses in place both centrally and at perimeter level.

Key Findings

  • The professional services sector saw a year-on-year 8% rise in incidents
  • Critical changes in attacker behavior, including initial access methods
  • Increased activity among emerging ransomware actors, AKIRA and PLAY
  • Phishing is the most common attack vector, but valid account attacks saw a 10% increase

Dive Deeper

Q4 2023 Cyber Threat Landscape Report: Threat Actors Breach the Outer Limits

Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage

Social engineering in its many forms took center stage in Q3 2023. The quarter saw “human hacking” evolve from a long-standing security challenge to threat actors’ method of choice. This was evidenced by our observations of the dramatic escalation of social engineering tactics, with significant increases in phishing, smishing, valid accounts, voice phishing and other tactics—adding up to the highest volume of incidents we have seen in 2023.

Key Findings

  • The increasing volume of social engineering attacks is matched by a broadening range of approaches leveraged by threat actors
  • A 13% rise in email compromise attacks as part of the rise in social engineering
  • The professional services sector continued to rank first in Q3, with a high concentration of this activity related to legal firms

Dive Deeper

Q3 2023 Threat Landscape Report: Social Engineering Takes Center Stage

Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations

Kroll’s findings for Q2 2023 reveal a notable shift towards increased supply chain risk, driven not only by the CLOP ransomware gang’s exploitation of the MOVEit transfer vulnerability but also by a rise in email compromise attacks. This and other key security trends depict a threat landscape where cyber threats are lurking behind every corner.

Key Findings

  • A 33% rise in CLOP ransomware activity due to the MOVEit transfer vulnerability
  • An 8% rise in email compromise attacks, with new session token stealing tactics and open redirect phishing campaigns challenging blue teams
  • The industries targeted the most in Q2 2023, including an ongoing attack on professional services, closely followed by an increased focus on financial services
     

Dive Deeper

Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations

Q1 2023 Threat Landscape Report: Ransomware Groups Splinter, Swarm Professional Services Sector

In Q1 2023, Kroll observed a 57% increase in the overall targeting of the professional services sector from the end of 2022. Ransomware propelled this increase, as the sector, particularly legal firms, was the most likely target of extortion and encryption attacks in Q1.

Key Findings

  • Key themes and patterns in the changing threat landscape and how these could impact organizations in 2023
  • Critical shifts in attacker behavior in the past quarter, including popular incident types and initial access methods and the use of exfiltration
  • Notable trends, such as a 56% increase in the number of independent attackers conducting ransomware operations outside of the established ransomware-as-a-service (RaaS) groups
  • The continued reinvention and evolution of threat actor groups and attack methods
     

Dive Deeper

Q1 2023 Threat Landscape Briefing: Ransomware Groups Splinter, Swarm Professional Services Sector

Q4 2022 Threat Landscape: Tech and Manufacturing Targeted as Ransomware Peaks for 2022

In Q4 2022 Kroll identified a volatile and fragmented threat landscape, with ransomware peaking and tech and manufacturing sectors being increasingly frequently targeted.

Key Findings

  • The Manufacturing, Healthcare and Technology sectors saw significant quarter-over-quarter increases in ransomware attacks in Q4 2022
  • Familiar threats remained active throughout 2022, with phishing rising and unauthorized access increasing from 18% in 2021 to 25% in 2022
  • Since the Conti disbandment, LockBit became the most commonly observed ransomware across Kroll engagements in 2022, with newcomers like BlackBasta and Royal becoming increasingly active

Dive Deeper

Q4 2022 Threat Landscape: Tech and Manufacturing Targeted as Ransomware Peaks for 2022

Q3 2022 Threat Landscape: Insider Threat, The Trojan Horse of 2022

In Q3 2022, Kroll saw insider threat peak to its highest quarterly level to date, accounting for nearly 35% of all unauthorized access threat incidents, set against a background of an increasingly fluid labor market and economic turbulence.

Key Findings

  • Q3 saw an increase in insider threat incidents, accounting for a jump in unauthorized access as a threat incident type, which went from 24% in Q2 to 35% in Q3.
  • Kroll observed an increase in malware due to the increased popularity in credential stealing malware, which has driven a rise in the use of valid accounts as initial access methods.
  • With the shutdown of the Conti ransomware group, the official release of LockBit 3.0 dominated the ransomware headlines in the first part of Q3.

Dive Deeper

Q3 2022 Threat Landscape: Insider Threat, The Trojan Horse of 2022

Q2 2022 Threat Landscape Report: Ransomware Returns, Healthcare Hit

In Q2 2022, Kroll observed a 90% increase in the number of healthcare organizations targeted compared to Q1 2022, dropping the final nail in the coffin for the “truce” some criminal groups instituted earlier in the COVID-19 pandemic.

Key Findings

  • Healthcare overtook professional services as the top targeted sector in Q2, accounting for 21% of all Kroll cases, compared to only 11% in Q1 2022
  • Phishing attacks continued to evolve in Q2, as Kroll observed threat actors using old and new malware such as Qakbot and Bumblebee
  • External remote services such as RDP and VPN were used for initial access 700% more this quarter and CVEs were exploited for initial access 46% more in Q2

Dive Deeper

Q2 2022 Threat Landscape Report: Ransomware Returns, Health Care Hit

Newsletter Subscription

Sign up for Cyber Threat Intelligence Reports

Sign up to receive the next Threat Landscape Report and breaking threat intelligence before anyone else, along with periodic news, alerts and exclusive invitations from Kroll. Our privacy policy describes how your data will be handled.

Sign Up

About Kroll’s Cyber Threat Landscape Reports

Handling over 3,000 cyber incidents worldwide every year, Kroll is one of the largest incident response providers in the world. This unparalleled volume of investigations feeds a rich cyber threat intelligence database, from which our investigators and analysts publish trends every quarter.

Kroll’s Cyber Threat Landscape Reports are solely driven by real-life data from incidents and insights from our investigators on the frontlines. Each report focuses on:

  • The most popular threat incident types, including ransomware, email compromise, unauthorized access, web compromise and more
  • Quarterly threat timelines to help network defenders, security and risk leaders catch up with meaningful developments in malware development, vulnerabilities and threat actor movements
  • Most targeted industry sectors, identifying the industries under the heaviest volume of attacks
  • Most popular initial access methods, including phishing, external remote services (like VPN, RDP, etc.), CVE/ zero-day exploitation, SQL injection and more
  • Most popular ransomware variants, outlining the threat actor groups that have been most aggressive
  • Recommendations from Kroll experts on how to improve your security posture

The reports also include real-life case studies to help security and risk leaders “see” how incidents can play out and understand how Kroll responds to incidents.

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn More

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Learn More

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Learn More

Computer Forensics

Kroll's computer forensics experts ensure that no digital evidence is overlooked and assist at any stage of an investigation or litigation, regardless of the number or location of data sources.

Learn More

Ransomware Preparedness Assessment

Kroll’s ransomware preparedness assessment helps your organization avoid ransomware attacks by examining 14 crucial security areas and attack vectors.

Learn More

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.

Learn More