More than 50% of cyberattacks are now motivated by extortion and ransomware, according to Microsoft’s latest Digital Defense Report. The tech giant revealed that outdated security systems are no longer capable of defending against today’s evolving cyber threats.
In its sixth annual report, Microsoft highlighted that around 80% of the cyber incidents its security teams investigated last year were financially motivated.
"That’s at least 52% of incidents fueled by financial gain, while attacks focused solely on espionage made up just 4%," said Amy Hogan-Burney, CVP for Customer Security and Trust at Microsoft.
She added, "Nation-state threats remain a serious and persistent threat, but most of the immediate attacks organizations face today come from opportunistic criminals looking to make a profit."
The report noted that critical public sectors, including hospitals and local governments, are prime targets. These institutions often handle highly sensitive information but operate with limited cybersecurity resources and response capabilities. In many cases, healthcare and other essential services are more likely to pay ransoms due to the critical nature of their operations.
Although nation-state-driven attacks account for a smaller share of total incidents, their volume is steadily increasing. Microsoft’s findings show that China continues its aggressive campaigns across industries to steal sensitive data, using covert systems and exploiting internet vulnerabilities to avoid detection.
Iran has widened its scope, targeting sectors from the Middle East to North America, including shipping and logistics companies in Europe and the Persian Gulf to gain access to valuable commercial data.
Meanwhile, Russia has extended its operations beyond Ukraine, focusing on small businesses in pro-Ukraine countries, perceiving them as softer targets compared to larger corporations.
Microsoft also identified North Korea as a major concern for both espionage and revenue-driven cyber operations. Thousands of North Korean IT workers are reportedly employed remotely by global companies, funneling their salaries back to the regime. When exposed, some of these operatives have shifted to extortion tactics.
"The cyber threats posed by nation-states are becoming more expansive and unpredictable," Hogan-Burney warned. "In addition, the shift by at least some nation-state actors to further leveraging the cybercriminal ecosystem will make attribution even more complicated."
She stressed the importance of collaboration: "This underscores the need for organizations to stay abreast of the threats to their industries and work with both industry peers and governments to confront the threats posed by nation-state actors."
Microsoft’s report also underscored how artificial intelligence and automation have empowered cybercriminals, even those with minimal expertise, to execute more complex attacks. AI tools are being used to develop malware faster, generate convincing fake content, and enhance phishing and ransomware campaigns.
More than 97% of identity attacks are now password-related, with a 32% surge in the first half of 2025 alone. Attackers commonly exploit leaked credentials and use large-scale password guessing.
"However, credential leaks aren’t the only place where attackers can obtain credentials," Hogan-Burney explained. "This year, we saw a surge in the use of infostealer malware by cyber criminals. Infostealers can secretly gather credentials and information about your online accounts, like browser session tokens, at scale."
She added, "Cyber criminals can then buy this stolen information on cyber crime forums, making it easy for anyone to access accounts for purposes such as the delivery of ransomware."
The report concludes by urging governments to establish stronger frameworks to ensure credible consequences for cyber activities that breach international laws and norms.