Microsoft has come up with its second edition of Cyber Signals, highlighting the rise of RaaS infrastructure empowering ransomware attacks. The threat intelligence report also gives organizations deep visibility into threat actors’ actions. 

This edition provides insights into the evolving cybercrime economy and the rise of RaaS.

Key findings

  • More than 80% of ransomware infections can be traced back to common configuration errors in software and devices.
  • Some RaaS programs now have over 50 affiliate groups on their books, referring to users of their service with varying goals.
  • Bad news for defenders as the median time for an attacker to access a company’s private data is 1 hour and 12 minutes.
  • If an endpoint is compromised, the median time for an attacker to begin moving laterally within the corporate network is 1 hour and 42 minutes.

New RaaS business model

  • RaaS ransomware threats, such as Conti and REvil, are leveraged by a variety of threat actors who switch between RaaS programs and payloads.
  • The attacks follow a pattern of first gaining access through malware infection/exploitation of a vulnerability, then stealing credentials to elevate privileges and move laterally.
  • Since Conti's decline, some affiliates have switched to LockBit and Hive payloads, while QuantumLocker and Black Basta have emerged as potential replacements.

The rise in cybercrime and ransomware attacks

  • According to the FBI's 2021 Internet Crime Report, the cost of cybercrime in the U.S is more than $6.9 billion.
  • The ENISA reported that the ransomware threat actors stole approximately 10TB of data per month between May 2021 and June 2022, with 58.2% of stolen files containing employees' personal data.


The report is based on data from Microsoft's 43 trillion security signals and 8,500 security experts. To tackle the cybersecurity challenges, the company recommends clarity, prioritization, and information sharing between the public and private sectors.
Cyware Publisher