XDR roundup 2024: Ransomware rises fourfold in a year of complex threats

In 2024, Barracuda Managed XDR logged many trillions of IT events to identify the critical security threats targeting organizations and neutralize malicious activity. Threat analysts in Barracuda Managed XDR’s Security Operations Center (SOC) have drawn on this unique dataset to highlight the most common ways threat actors tried — and ultimately failed — to breach and disrupt targets in 2024. 

Key findings

• In 2024, Barracuda Managed XDR logged 11 trillion IT events — around 350,000 events per second — to identify a million potential risks.
• Of these, 16,812 confirmed malicious instances required immediate defensive action. These high-severity threats were spread relatively evenly across the year.
• Ransomware threats increased fourfold during the year, likely driven by prolific Ransomware-as-a-Service (RaaS) activity.
• Email threats that made it through to user inboxes were the fifth most detected threat overall, highlighting the growing risk of sophisticated and evasive attacks enabled by Phishing-as-a-Service (PhaaS) platforms.

The big numbers of 2024

The number of IT events taking place in any organization at any time is immense. For security teams, every login, connection, file creation, data transfer, and more could be an employee just doing their job or an adversary trying to breach the network and implement a cyberattack.

Security professionals need to cut through the noise to uncover suspicious and malicious activity to understand what it means and how it can be contained and neutralized. The numbers for Barracuda Managed XDR give a sense of what defenders are facing:  

• In 2024, Barracuda Managed XDR logged 11 trillion IT events – 350,000 events per second.
• Just over 1 million were flagged as a potential risk. Each one was checked to assess its malicious nature or intent. 
• Of these, 16,812 were identified as high-severity threats that required immediate defensive action.
• That’s 0.00000015% of the overall IT events logged. Impossible to find without powerful engines, analysis tools, and human expertise. 

Around 2,000 high-severity alerts were contained by Barracuda Managed XDR’s Automated Threat Response, which enables real-time detection and response to attacks without the need for manual intervention.

The cyber time zone

Cyberattacks are getting faster. Advances in security tools and strategies mean that intruders are now more easily and quickly detected and removed from the network. Threat actors have responded by accelerating their attacks. Barracuda Managed XDR’s detection data and incident examples show how these two approaches might compare.

The threat landscape in 2024: Rampant ransomware and risks at DEFCON 3

The level of high-severity threats mitigated by Barracuda Managed XDR — the ones that required immediate defensive action — remained relatively consistent throughout 2024, with roughly 1,000 to 2,000 each month.

For organizations, this means that their everyday security baseline should be an elevated state of vigilance and response-readiness. (DEFCON 3 is defined as the need to increase readiness to above normal, with the Air Force ready to mobilize in 15 minutes.)

Ransomware is the exception to this largely steady state. Barracuda Managed XDR’s ransomware threat data is based on the detection of instances (tools, techniques, and behaviors) that indicate a likely ransomware attack. These detections reveal a fourfold increase in ransomware threats over the course of the year.

This rise is likely driven by the prevalence of Ransomware-as-a-Service (RaaS) offerings. The developers behind RaaS platforms often have the time, resources, and skills to invest heavily in advanced and evasive toolsets and templates. The RaaS operational model also extends the pool of attackers deploying ransomware, bringing it within reach of anyone willing to lease and leverage the kits.

Top XDR detections overall for 2024

The five most common threats targeting XDR-protected systems show where threat actors expect customers to be most vulnerable.

For example, many expect to find inadequate authentication measures for account logins, poor password policies, and a lack of education regarding social engineering, alongside under-protected VPNs and poorly managed use of remote desktop protocols.

The top five detections cover activity and payloads seen in the earlier stages of the attack chain, which is where threats are most likely to be spotted and blocked by comprehensive XDR coverage.

They include detections for network traffic coming from known malicious or unusual IPs or geolocations, Microsoft 365 ‘impossible travel’ detections where two consecutive logins to the same account are geographically too far apart for them both to be legitimate, and mass-targeted password spray attacks to see if a known or common combination succeeds in compromising an account.

Endpoint threat detections cover a wide spectrum of threats, including but not limited to harmless elements, potentially unwanted applications (PUA), adware, spyware, downloaders, cryptominers, malicious documents, exploits, viruses, worms, Trojans, backdoors, rootkits, information stealers, ransomware, interactive or remote shells, lateral movements, and more.

The high number of detections for suspicious post-delivery email threats underscores the growing sophistication and evasive nature of email-based attacks.

Recent reports show how phishing and Phishing-as-a-Service (PhaaS) are evolving and increasing the likelihood of an incident making it past initial defenses. Automated post-delivery incident response and remediation is now a fundamental part of effective email protection.

Top malicious traffic in 2024

Barracuda Managed XDR Intrusion Detection System (IDS) integrations scrutinize traffic trying to cross a firewall to get into an organization’s network. Analysis of the top IDS detections in 2024 shows threat actors targeting firewalls with tools to support initial access and discovery as well as the ongoing implementation of an attack.

How to stay safe in a world of complex and evasive threats

Implementing effective and comprehensive security is more important than ever.

Organizations need to start with the basics. This should include robust multifactor authentication and access controls, a solid approach to patch management and data protection, and regular cybersecurity awareness training for employees.

However, in the face of continuous high-severity threats targeting ever expanding digital attack surfaces, combined with the trend towards faster, more complex, and evasive attacks, most organizations are likely to need more robust security and help managing it.

Attackers will exploit every security gap they find to further their attacks. A comprehensive XDR solution that integrates network, endpoint, server, cloud, and email security, even when the tools come from different vendors, means that every corner of the digital infrastructure is monitored and protected with advanced security measures and a full spectrum of defensive tools, combined with proactive threat hunting and response strategies. This allows for swift action and minimizes the window of opportunity for threat actors.  

The findings in this report are based on detection data from Barracuda Managed XDR, an extended visibility, detection, and response (XDR) platform, backed by a 24×7 security operations center (SOC) that provides customers with round-the-clock human and AI-led threat detection, analysis, incident response, and mitigation services. 

Barracuda Managed XDR features like threat intelligence, Automated Threat Response, and the integration of wider solutions such as XDR Server Security, XDR Network Security, and XDR Cloud Security provide comprehensive protection and can drastically reduce dwell time.