Cloudflare: Ransomware is now less about malware and more about impersonation

Cloudflare Report: Identity-Based Attacks Overtake Malware as Top Ransomware Threat

Cloudflare’s latest annual threat report, published on Tuesday, reveals a major shift in ransomware tactics: identity exploitation has surpassed malware as the primary attack vector. Cybercriminals are increasingly leveraging stolen credentials, phishing, and weak passwords to bypass defenses, blending into legitimate traffic before launching extortion operations.

The report highlights that over 50% of targeted attacks now focus on manufacturing and critical infrastructure, sectors where operational disruptions create urgent financial incentives for victims to pay ransoms. Researchers describe the modern threat landscape as an “identity and access crisis,” with attackers weaponizing authorized credentials and insider access to execute high-impact breaches.

Artificial intelligence is further reshaping cyber threats, enabling attackers to prioritize speed and volume over technical sophistication. Cloudflare warns that AI-driven tools such as large language models (LLMs) are automating exploit development, allowing hackers to rapidly convert vulnerabilities into functional attacks. The focus has shifted from rare technical skills to the “velocity of the outcome,” with automated campaigns overwhelming defenses through sheer persistence.

In financial theft, criminals attempted to steal approximately $123.5 million in 2025, often targeting amounts around $49,000, a calculated strategy to stay below executive approval thresholds. Thread-hijacking attacks, where fraudsters infiltrate legitimate conversations to request payments, are also on the rise. Cloudflare predicts generative AI will soon automate these scams at scale, maintaining the $49,000 “sweet spot” across thousands of simultaneous fraud attempts.

The report also outlines distinct nation-state tactics: Russia employs high-frequency, broad targeting; China focuses on stealthy pre-positioning in critical infrastructure; Iran aligns cyber intrusions with kinetic military goals; and North Korea exploits identity weaknesses through human-centric operations. Notably, adversaries are abusing legitimate platforms such as Google Calendar, text-paste sites, and Microsoft Azure domains for command-and-control (C2) operations, complicating detection efforts.

Source: https://www.cybersecuritydive.com/news/ransomware-identity-ai-cloudflare/813319/

Cloudflare cybersecurity rating report: https://www.rankiteo.com/company/cloudflare

{
"id": "CLO1772548440",
"linkid": "cloudflare",
"type": "Ransomware",
"date": "1/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
}
{'affected_entities': [{'industry': ['manufacturing',
                                     'critical infrastructure'],
                        'type': ['manufacturing', 'critical infrastructure']}],
 'attack_vector': ['stolen credentials',
                   'phishing',
                   'weak passwords',
                   'identity exploitation'],
 'data_breach': {'personally_identifiable_information': 'yes',
                 'sensitivity_of_data': 'high',
                 'type_of_data_compromised': ['credentials',
                                              'personally identifiable '
                                              'information (PII)']},
 'date_publicly_disclosed': '2025-02-18',
 'description': 'Cloudflare’s latest annual threat report reveals a major '
                'shift in ransomware tactics where identity exploitation has '
                'surpassed malware as the primary attack vector. '
                'Cybercriminals are increasingly leveraging stolen '
                'credentials, phishing, and weak passwords to bypass defenses, '
                'blending into legitimate traffic before launching extortion '
                'operations. The report highlights that over 50% of targeted '
                'attacks now focus on manufacturing and critical '
                'infrastructure, with AI-driven tools automating exploit '
                'development and enabling rapid, high-volume attacks.',
 'impact': {'financial_loss': '$123.5 million (attempted theft in 2025)',
            'identity_theft_risk': 'high (stolen credentials, PII '
                                   'exploitation)',
            'operational_impact': 'high (urgent financial incentives for '
                                  'ransom payments)',
            'payment_information_risk': 'high (thread-hijacking for fraudulent '
                                        'payments)',
            'systems_affected': ['manufacturing', 'critical infrastructure']},
 'initial_access_broker': {'entry_point': ['stolen credentials', 'phishing'],
                           'high_value_targets': ['manufacturing',
                                                  'critical infrastructure']},
 'lessons_learned': 'Identity and access management (IAM) is now the critical '
                    'attack surface, with attackers prioritizing speed and '
                    'volume over technical sophistication. AI-driven '
                    'automation is accelerating exploit development and fraud '
                    'campaigns, requiring adaptive defenses.',
 'motivation': ['financial gain',
                'operational disruption',
                'espionage',
                'military alignment'],
 'post_incident_analysis': {'corrective_actions': ['Implement zero-trust '
                                                   'architecture.',
                                                   'Deploy behavioral '
                                                   'analytics for '
                                                   'identity-based threats.',
                                                   'Enhance monitoring of '
                                                   'legitimate platform '
                                                   'abuse.'],
                            'root_causes': ['weak identity and access '
                                            'management (IAM) controls',
                                            'abuse of legitimate platforms for '
                                            'C2 operations',
                                            'AI-driven automation of exploits '
                                            'and fraud']},
 'recommendations': ['Strengthen identity and access controls (e.g., '
                     'multi-factor authentication, password policies).',
                     'Monitor for abuse of legitimate platforms (e.g., Google '
                     'Calendar, Azure domains) for C2 operations.',
                     'Implement AI-driven threat detection to counter '
                     'automated attack campaigns.',
                     'Enhance fraud detection for thread-hijacking and payment '
                     'diversion scams.',
                     'Segment networks to limit lateral movement in critical '
                     'infrastructure.'],
 'references': [{'date_accessed': '2025-02-18',
                 'source': 'Cloudflare Annual Threat Report 2025'}],
 'threat_actor': ['cybercriminals',
                  'nation-state actors (Russia, China, Iran, North Korea)'],
 'title': 'Identity-Based Attacks Overtake Malware as Top Ransomware Threat',
 'type': ['ransomware',
          'identity-based attacks',
          'phishing',
          'thread-hijacking'],
 'vulnerability_exploited': ['identity and access weaknesses',
                             'legitimate platform abuse (e.g., Google '
                             'Calendar, Azure domains)']}