Reinsurance News

Cyber risk to intensify in 2025 as attackers switch tactics: Moody’s

12th December 2024 - Author: Jack Willard

Cyber risk is set to intensify next year as attackers switch tactics in response to better corporate cyber defences, and as advances in artificial intelligence (AI) increase the volume and effectiveness of their strikes, says Moody’s Ratings.

According to Moody’s 2025 cybersecurity outlook, ransomware attackers are expected to shift to targeting larger organisations, which will ultimately lead to a greater overall credit impact.

“Ransomware attacks are increasing, both in number and size of ransom demand, but the share of victims paying the ransom is falling. This is likely due to greater adoption of cybersecurity measures and business continuity plans. In response, ransomware groups are prioritizing attacks against larger organizations that can afford higher ransom payments. Because outstanding debt is concentrated in issuers with higher revenues, we expect this shift will increase the potential credit impact for a higher share of rated companies,” Moody’s said.

It’s worth highlighting that the number of ransomware attacks globally grew by 70% between 2022 and 2023, to 4,399 from 2,581, according to data from cyber threat intelligence company Recorded Future. Blockchain researchers at Chainalysis also reported that ransom payments rose to $1.1 billion in 2023, setting a new record, with 2024 on track to surpass it.

“The share of targeted organizations that paid a ransom has fallen, however, likely because organizations have implemented security measures and business continuity plans that help them avoid paying ransoms,” the agency added.

Accordingly, the cyber insurance market has seen moderate pricing declines and some easing of terms and conditions since 2023 on strong profitability for the sector, Moody’s noted.

Moreover, as generative AI (GenAI) continues to advance, many tools have emerged that make it easier for attackers to commit fraud.

“Generative artificial intelligence techniques used to create written text and images, as well as audio and video content, are a boon to malicious actors who use GenAI tools to defraud organizations and their customers. These tools have proliferated in recent years, making GenAI capabilities accessible to large portions of the population. As a consequence, phishing attacks are soaring and companies are losing millions of dollars to GenAI-enabled scams,” Moody’s added.

In addition, the agency expects supply chain attacks to increase in 2025. According to Moody’s, as organisations improve their network defenses, cybercriminals will increasingly turn to supply chain attacks, exploiting the trust between software supplier and end user, as well as the access many suppliers have to end users’ networks.

In order to mitigate this risk, organisations will need to conduct risk assessments of their vendors and suppliers, states Moody’s.

The agency also highlights the CrowdStrike outage as being an example of how cyber risk can come from non-malicious supply chain incidents.

Readers will recall that on July 19, 2024, cybersecurity firm CrowdStrike pushed a faulty update to its Falcon Sensor software, which led to widespread outages on devices running Microsoft Windows and Falcon Sensor, impacting many different industries, including airlines, healthcare and financial services. Many Fortune 500 companies’ IT systems were also disrupted by the outage.

“The widespread outage revealed the broad risks posed by a single point of failure and the degree to which many segments of the economy are interconnected and interdependent. It also shows that cyber incidents need not be malicious to have a significant systemic impact,” Moody’s added.

Furthermore, Moody’s outlook reveals that IBM researchers discovered that attacks using stolen credentials increased 71% between 2022 and 2023 and were the main way that cybercriminals managed to gain initial unauthorized access to companies’ systems last year.

The agency names passkeys – which are alternatives to passwords – as being highly effective against attacks using stolen credentials, and notes that their use is gaining ground, although hurdles for enterprise adoption persist, delaying implementation.