The 2025 Arctic Wolf Threat Report has revealed a number of changes in cyber crime tactics and targets since the year before, say Arctic Wolf security experts in South Africa.
Addressing a webinar on the emerging cyber security arms race, Arctic Wolf Regional Sales Director Jason Oehley and Andre den Hond, Senior Systems Engineer at Arctic Wolf, highlighted emerging trends revealed through analysis of tens of thousands of incident response cases and customers.
Den Hond said threat actors now embrace low-tech ways to bypass hi-tech defences, such as using phishing. “The ransomware landscape is a modern day hydra,” he said. “The report also found that three cyber incident types accounted for 95% of all incident response cases in the past year.”
Oehley said: “The 2025 Arctic Wolf Threat Report found that the top six cyber incident types were ransomware and data extortion (44%), business e-mail compromise (27%), intrusions (24%), data incidents (2%), malware infections (2%) and other (1%).”
Ransomware trends
Oehley noted that ransomware dropped slightly, but intrusions increased by 10%, likely indicating more early detection of ransomware attempts.
The industries most impacted by ransomware and data extortion were manufacturing, healthcare, construction, legal and government, and education and non-profits.
Oehley said: “Close to 93% of the root causes of these attacks were due to external exposure – with threat actors using external remote access or external exploits typically due to known vulnerabilities.”
He added that while there was significant growth in the size of ransom demands between 2022 and 2023, the demands in 2024 remained similar to the year before – around $600 000 on average across industries.
“In South Africa, the number one ransomware group is LockBit 3.0, which also makes the highest ransomware demands,” Oehley said. “As many as 80% of all victims paid the ransom, but only 30% of Arctic Wolf customers chose to pay. In our incident response cases, our negotiators reduced the demand for customers who wanted to pay by 64% – a saving of over $250 million.”
BEC impact grows
Oehley said business e-mail compromise (BEC) is just as impactful as ransomware. “Last year, the targets for BEC attacks were largely finance and insurance, accounting for 26.5% of cases. Legal and government, manufacturing, construction and education and non-profits were also among the top targets. Phishing – at 72.2% – was the leading root cause of BEC cases, followed by previously compromised credentials at 18.8%,” he said.
Oehley said employee training, credential management and biometric or possession-based multifactor authentication are effective defences against BEC.
Intrusions tap into known vulnerabilities
Den Hond noted the finance and insurance sectors have moved to the top of the chart in terms of intrusion cases. He said: “Like ransomware, most intrusions were linked to external exposure, although unlike ransomware, more intrusions used zero-day exploits and user-initiated malicious software downloads.”
Over 76% of these intrusion incidents involved at least one of 10 known vulnerabilities – and of those, four vulnerabilities were used in 51% of incidents, he said.
Mitigating risk
To mitigate risk, organisations need to create effective incident response plans, use attack surface mapping, enforce strong identity controls with multifactor authentication as a default, and foster and build a security culture across the organisation, Den Hond said.
He noted the Arctic Wolf Security Operations Cloud, built on the Aurora Platform, is built from the ground up to improve the security posture of any organisation, while Arctic Wolf’s Concierge Security Team does the heavy lifting to proactively and continuously improve customers’ security posture.