A new report out today from IBM Corp. shows that cybercriminals are evolving their tactics, increasingly opting for stealth over spectacle.
The finding comes from the annual 2025 X-Force Threat Intelligence Index, based on data from IBM X-Force incident response cases, dark web monitoring, threat intelligence sources and partner collaborations. The report reveals that identity attacks surged in 2024, with credential theft emerging as a favored strategy, while, surprisingly, ransomware attacks were found to have declined overall.
Among the findings in the report, IBM’s researchers observed an 84% year-over-year increase in phishing emails delivering infostealers, signaling a broader shift toward credential theft. Infostealers are a type of malware that secretly collects and exfiltrates sensitive information such as usernames, passwords, browser data and credentials from infected devices.
Nearly one in three incidents in 2024 involved stolen credentials, allowing attackers to gain access quickly and make money from data while avoiding detection. The report points to artificial intelligence-generated phishing and adversary-in-the-middle kits as key driving forces behind the trend.
Critical infrastructure was found to be disproportionately targeted, making up 70% of IBM’s incident response cases last year, with a quarter of the incidents stemming from unpatched vulnerabilities. The researchers note that many of the top Common Vulnerabilities and Exposures discussed on dark web forums are tied to nation-state actors, increasing the risks of espionage and system disruption.
The one arguably surprising finding in the report, particularly given more recent reports of surges in ransomware levels through the first quarter of 2025, is that ransomware declined in 2024 as operators adjusted to global enforcement crackdowns. Though ransomware still accounted for 28% of all malware cases observed by IBM last year, the report claims that groups such as Wizard Spider and QakBot were seen reducing activity or shifting tactics, increasingly relying on short-lived malware variants and smaller-scale operations.
It wouldn’t be a security report in recent times without a mention of AI, and IBM’s report does warn that it’s leading to a new class of vulnerabilities, including a remote code execution flaw in an AI agent framework.
By region, the report finds that Asia and North America bore the brunt of global attacks last year, accounting for 60% of IBM’s responses. Manufacturing remained the top target for ransomware for the fourth year running, as attackers exploit its low tolerance for operational disruption.
“Cybercriminals are most often breaking in without breaking anything, capitalizing on identity gaps overflowing from complex hybrid cloud environments that offer attackers multiple access points,” said Mark Hughes, global managing partner of cybersecurity services at IBM. “Businesses need to shift away from an ad-hoc prevention mindset and focus on proactive measures such as modernizing authentication management, plugging multifactor authentication holes and conducting real-time threat hunting to uncover hidden threats before they expose sensitive data.”