Ransomware attacks in 2024 have escalated to new heights, surpassing the scale and sophistication of threats seen in 2023. Attackers have become more aggressive than the previous year, using advanced tactics such as double and triple extortion. Organizations are not only facing encrypted files but also the threat of a data breach, with stolen data being leaked or even sold on the dark web. This increases the risks of reputational damage and regulatory penalties.

No organization is immune, and attackers now use more accessible tools like Ransomware as a Service (RaaS). Industries once considered less vulnerable, such as logistics and energy, have increasingly been in the crosshairs alongside traditionally targeted sectors like healthcare and education. This year alone, ransom payments have skyrocketed—rising from under $200,000 in early 2023 to $1.5 million in June 2024—with some organizations shelling out tens of millions of ransomware payments to regain access to their systems or prevent private data from being exposed.

In this blog post, we’ll examine the most significant ransomware incidents of 2024, their impacts, and practical measures your organization can take to strengthen cybersecurity.

Major ransomware attacks of 2024

Ransomware attacks in 2024 have become increasingly sophisticated and common, affecting industries worldwide and causing lasting financial and operational damage. Here are some of the most notable incidents of the year:

7. Healthcare: Change Healthcare

Date: February 2024
Impact: A phishing campaign exploited vulnerabilities in Change Healthcare’s email systems, deploying ransomware that encrypted critical operations. Services like claims processing and prescription drug management were disrupted across numerous U.S. hospitals, affecting thousands of providers and millions of patients.

The attackers demanded $22 million, which the company paid to restore essential services swiftly and limit disruptions to patient care. Strengthening cybersecurity has become key for healthcare providers, and tailored tools like NordLayer help safeguard personal data and ensure continuity.

6. Finance: Latitude Financial Services

Date: February 2024
Impact: Attackers stole 14 million customer records, including sensitive information like driver’s licenses, passports, and financial data. Latitude Financial decided not to pay the ransom, aligning with Australian government policies that discourage ransom payments. They stated that paying the ransom would not guarantee the secure return of data and could encourage further attacks. Instead, the company focused on restoring systems, contacting affected customers, and strengthening its cybersecurity measures.

Financial institutions can mitigate risks with NordLayer’s robust network security solutions, which safeguard critical systems and help meet regulatory compliance.

5. Non-profit: A global organization supporting orphans

Date: March 2024
Impact: A global non-profit supporting orphans (the organization’s name hasn’t been disclosed) was targeted by a ransomware group that encrypted sensitive files, including children’s photographs and medical records. The attackers initially demanded a ransom large enough to bankrupt the organization. After learning it was a non-profit, they lowered their demand.

However, this incident shows how non-profits, with limited defenses but valuable data, are becoming prime targets. Organizations can protect themselves with NordLayer’s security tools, which are tailored to address unique vulnerabilities in the sector.

4. Manufacturing: Allied Telesis

Date: May 2024
Impact: A LockBit ransomware attack encrypted corporate files and stole sensitive data dating back to 2005, disrupting operations for the telecommunications equipment manufacturer. The attackers threatened to release the stolen information if their ransom demands were unmet. The incident underlined the manufacturing sector’s vulnerability to such sophisticated threats.

This security breach is a stark reminder of the need forproactive cybersecurity measures. To mitigate risks like this, NordLayer offers tailored network security solutions for manufacturing industries to help protect critical systems and data.

3. Government: Indonesia’s National Data Center

Date: June 2024
Impact: The Brain Cipher ransomware group targeted Indonesia’s National Data Center, disrupting critical government services, including immigration processing at Jakarta’s airport. The attack encrypted sensitive data and temporarily paralyzed various government operations, highlighting the vulnerability of national infrastructure to sophisticated cyber threats.

Agencies can strengthen their defenses with NordLayer’s solutions for government institutions, designed to safeguard critical operations.

2. Software & IT: CDK Global

Date: June 2024
Impact: CDK Global, a key software provider for North American car dealerships, fell victim to a BlackSuit ransomware attack. Dealerships had to revert to manual processes for sales and paperwork, causing delays in registrations and transactions. The attack compromised sensitive customer data, such as social security numbers and bank account details, exposing millions to potential fraud.

CDK Global temporarily shut down its systems, creating substantial operational and financial challenges for dealerships dependent on its digital solutions. To speed up recovery, CDK Global reportedly paid a $25 million ransom in cryptocurrency. Despite the payment, the impact lasted about two weeks, with most systems restored by early July.

Software and IT companies can enhance security with NordLayer’s solutions, which help mitigate vulnerabilities and maintain operational efficiency.

1. Transportation: Port of Nagoya, Japan

Date: July 2024
Impact: The ransomware attack on Japan’s busiest port targeted the port’s computer systems, encrypting critical data and disrupting operations. As a result, cargo handling and customs clearance processes were severely impacted, causing shipment delays and creating a ripple effect throughout international trade networks.

The incident underscored the vulnerabilities in critical infrastructure and the need for robust cybersecurity measures in transportation. NordLayer offers tailored solutions for retail companies to protect dynamic networks and global supply chains, ensuring continuity even in the face of sophisticated threats.

These incidents highlight the urgent need for organizations to adopt comprehensive cybersecurity strategies. Ransomware attacks continue to grow in both sophistication and impact, making it crucial to counter these evolving threats.

Online threats keep evolving

Ransomware attacks are growing in sophistication, using tactics like double extortion, where stolen data is threatened with public release unless a ransom is paid. The increasing accessibility of Ransomware as a Service (RaaS) has lowered the entry barrier, enabling less-skilled cybercriminals to execute high-impact attacks with more frequently.

Key trends in 2024 include:

• Higher ransom demands: The financial stakes are higher than ever. Ransom payments in 2024 are now exceeding $10 million in many cases, with some organizations facing demands well beyond that. Attackers are increasingly targeting organizations with high-value data or critical infrastructure, knowing the urgency to recover will push companies to pay.
• Target expansion: While healthcare, finance, and education have long been prime targets for ransomware groups, other critical sectors like logistics and energy are now in the crosshairs. As supply chains and energy grids become more interconnected and reliant on digital systems, these industries face greater risks of disruptions with global consequences.
• Advanced tactics: Ransomware groups are not only focusing on traditional on-premise networks but also exploiting vulnerabilities in cloud environments, which is becoming a bigger concern. This highlights the need for more advanced, tailored security solutions.

These trends show how ransomware incidents are becoming more sophisticated and multifaceted. This increases the potential for significant damage and calls for organizations to adopt more comprehensive, layered defense strategies.

Protecting against ransomware threats

A comprehensive strategy involves protecting not just your systems but also your data and network infrastructure. Each layer of defense plays a crucial role in minimizing the impact of a ransomware attack and preventing it from escalating. Below are essential strategies organizations should adopt:

1. Identify vulnerabilities and patch systems

Many ransomware attacks exploit vulnerabilities in outdated systems. To address known vulnerabilities and maintain a secure network, regularly update software. Ensure that all systems—operating systems, applications, and firmware—are consistently patched. This process should include automated updates where feasible, and IT teams should conduct routine vulnerability scans to identify and fix any weak points before they can be exploited.

2. Use endpoint detection

Use endpoint security solutions to identify and neutralize threats early. These tools not only detect ransomware but also offer insights into the nature of the attack, helping teams understand how it infiltrated the network. Ensure these solutions are configured to alert IT staff of suspicious activity and automatically block unauthorized file encryption attempts.

3. Implement multi-factor authentication (MFA)

MFA adds an extra layer of security, ensuring only authorized users can access sensitive systems, especially those handling sensitive or critical data. By requiring additional verification steps, such as a mobile authentication app, biometric verification, or a hardware token, MFA helps prevent unauthorized access even if login credentials are compromised.

4. Segment the network

Network segmentation isolates critical systems, much like fire doors prevent the spread of fire in a building. This limits the spread of ransomware within the network and minimizes potential damage. You can achieve it by segmenting critical applications, databases, and other high-value assets into subnets with strict access controls.

5. Backup data regularly

Frequent backups of important data should be a cornerstone of your ransomware defense strategy. Regularly schedule backups and ensure they are stored in secure, immutable formats that prevent tampering. The 3-2-1 rule—three copies of data, two different storage types, and one off-site—can provide extra security. Verify the integrity of backups periodically and run simulated recovery drills to confirm that data can be restored efficiently in case of an attack.

6. Train employees

Educate staff on recognizing phishing and other tactics used by ransomware groups. Awareness is a vital defense against social engineering attacks. Beyond that, offer comprehensive training on recognizing signs of suspicious activity, safe browsing practices, and the importance of reporting incidents promptly. Consider including scenario-based training that immerses employees in real-world attack simulations, reinforcing proper responses in a controlled environment.

7. Get cyber insurance

Cyber insurance can help organizations recover financial losses from a ransomware attack, including ransom payments, recovery costs, and legal fees. Cyber insurance can be an important financial safety net, but it’s not a substitute for solid security practices. Make sure the policy clearly defines what qualifies an insurable event and what documentation or proof is required for claims.

How NordLayer enhances security

NordLayer aligns closely with the recommended strategies to protect against ransomware:

1. Identity vulnerabilities and patch systems. With the Device Posture Security (DPS) feature, NordLayer identifies device types and their operating system versions accessing sensitive data. DPS provides timely notifications when a device with an outdated OS version connects to the network, enabling proactive measures such as restricting access to private gateways for devices that don’t meet security rules.

2. Endpoint protection. NordLayer offers Download Protection to block malicious files before they can infect devices and spread malware, which could lead to ransomware attacks.

3. Implement multi-factor authentication (MFA). NordLayer facilitates advanced authentication layers to bolster Zero Trust Network Access (ZTNA). Beyond basic MFA, NordLayer supports additional methods like Single Sign-On (SSO), IP allowlisting, and encrypted connections, ensuring that access to sensitive systems remains secure.

4. Segment the network. Customers can implement granular network segmentation Using Access Control Lists (ACL) within NordLayer’s Cloud Firewall tool. This isolates critical applications and high-value assets, minimizing lateral movement and potential damage in case of a breach.

5. Backup data. While NordLayer does not directly handle backups, its security measures protect access to systems where backups are stored.

6. Cyber insurance. Although NordLayer does not directly offer cyber insurance, pairing NordLayer with NordProtect provides a comprehensive solution for securing critical infrastructure.

By integrating these features, NordLayer supports organizations in addressing ransomware threats while reinforcing their overall security framework.

Lessons from 2024

The top ransomware attacks of 2024 are a stark reminder that no organization is immune to ransomware threats. Whether it’s healthcare organizations, financial firms, or critical infrastructure, the potential for a data breach remains high.

By adopting proactive measures and advanced cybersecurity solutions like NordLayer, businesses can strengthen their defenses and minimize the impact of ransomware attacks. As the threat landscape evolves, staying ahead of cybercriminals is not just a necessity—it’s a responsibility.

Every download presents a potential risk, but now there’s a powerful new way to stay ahead of threats. NordLayer is proud to introduce Download Protection, a game-changing feature built on the reliable technology behind NordVPN Threat Protection Pro—trusted by millions of NordVPN users worldwide. By bringing this proven solution to NordLayer, we’re not only enhancing your organization’s defense but also strengthening our Secure Web Gateway (SWG) offering with a proactive, real-time malware detection tool.

With this feature, your business gains a robust layer of protection, capable of scanning and blocking malicious files before they reach your system. Together, we’re making it easier than ever to safeguard your network and users from evolving cyber threats.

How does it work?

Once Download Protection is activated, every file downloaded from the web—whether through the browser or any other network app (Slack, Outlook, etc.)—is immediately scanned by the NordLayer Windows application. The file is removed if a threat is detected, and the user and the organization admin are alerted.

Key highlights include:

• Uninterrupted protection: Works at all times, even without an active VPN connection
• Seamless integration: No workflow disruption; security is enforced in the background
• One-click activation: Admins can enable this feature in seconds, ensuring organization-wide protection

Administrators retain complete control, with the option to apply Download Protection to all organization members or specific teams only. They can further customize the settings while individual users remain safeguarded without the ability to modify configurations.

Feature characteristics: what to expect

• File types covered: Download Protection covers a wide range of file types commonly used in cyberattacks, including executable files (e.g., .exe, .bat), document formats (e.g., .pdf, .docx), scripts (e.g., .js, .vbs), and more.
• Analytics and reporting: Admins gain visibility into file download activity through the Control Panel. Reports include scanned files, detailed logs of threats detected, and actions taken, offering actionable insights to mitigate risks.
• Advanced threat detection: Intelligent Malware Detection leverages machine learning to identify unknown malware and suspicious files, such as those with double extensions (e.g., filename.pdf.exe).

For comprehensive guidance on formats and reporting, refer to our Help Center article.

Why Download Protection matters

Downloading files remains a daily necessity for most users, but each download introduces potential risks. The emergence of new ransomware groups in 2024, with 27 new groups identified by Q2, further complicates the ongoing threat. Many of these groups utilize sophisticated social engineering tactics to trick users into downloading malware-laden files.

Download Protection addresses these risks by acting as a crucial first line of defense.

For IT admins:

• Mitigate threats: Protect your organization from malware, ransomware, and other attacks executed via malicious files
• Enhanced visibility: Monitor and analyze file downloads, identifying risk factors to prevent exposure
• Centralized insights: Access detailed scan event data and threat reports via the Control Panel

For team members:

• Immediate protection: Automatically block malicious files, preventing accidental downloads from compromising the system
• One-click safety: Enjoy seamless, hassle-free security without interrupting daily operations

What sets Download Protection apart?

At NordLayer, we take a security-first approach. Built on the reliable technology that powers NordVPN Threat Protection Pro, Download Protection improves your organization’s cybersecurity by adding a proactive defense mechanism that complements your existing tools and security stack.

Download Protection adds a responsive layer of defense by actively detecting and responding to potential threats during file downloads, seamlessly integrating into your current setup without additional configuration or cost. This feature strengthens your organization’s overall security posture.

Scan every download and stay one step ahead

Download Protection is available to all customers across every subscription plan, reinforcing our commitment to delivering enterprise-grade security without added complexity. This feature, released in November 2024, ensures proactive protection for organizations of all sizes.

Cyber threats are evolving, but with Download Protection, your organization is equipped with seamless, always-on security. Activate this feature today and experience the next level of cybersecurity, all in just one click.

Private or public? Virtual or local? Cloud deployments come in many varieties. Choosing the right model is critical to performance, ease of use, cost, and security.

This article discusses the two main private cloud solutions: virtual private cloud and private cloud models. Each deployment type has strengths and potential drawbacks. Choosing the right type influences security, cost, and performance. It’s an important decision.

What are the two types of private cloud, and which one should you choose? This article will explain everything you need to know.

What is a virtual private cloud?

A virtual private cloud (VPC) is a virtualized multi-tenant cloud deployment hosted on public cloud infrastructure.

A cloud provider sells public cloud space, and users apply logical segmentation to create a virtual network. This separates the VPC from other resources without needing extra hardware or separate server space.

After that, the VPC functions like a private cloud domain. Users can install applications, create data storage containers, and manage cloud computing as needed.

Virtual private cloud users determine internal routing via IP address subnetting and network access control lists (NACLs). Network gateways enable secure connections from external resources. Users can also connect many VPCs via VPC peering.

Unlike private clouds, VPCs require a direct connection to the public cloud. This potentially makes it accessible to other public cloud users. However, subnetting IP addresses reduces this access risk.

Under the VPC model, users and cloud vendors share responsibility for security. Cloud vendors operate and secure the underlying infrastructure. VPC users must regulate access to resources via tools like security groups, access control lists, subnets, firewalls, and identity and access management (IAM).

Advantages of virtual private cloud architecture include:

• Flexibility. VPCs can scale rapidly as companies grow or contract.
• Cost-effectiveness. VPCs are cheap to set up and deploy because the cloud provider handles infrastructure.
• Low maintenance overheads. Companies can run cloud deployments without large IT teams.
• Sophisticated internal security. VPC users can segment deployments. It’s easy to separate financial data, sales platforms, and DevOps environments.

Virtual private clouds also have negative aspects. Most importantly, VPCs can experience outages and downtime. While VPCs are flexible, users of private cloud systems may have more customization options.

Security is another issue. VPC users must connect to gateways before accessing cloud resources, and this connection can raise security risks. Reliable access controls and multi-factor authentication (MFA) mitigate these risks. Virtual private network (VPN) protection also helps secure the VPC perimeter.

Note: Many users confuse VPC and VPN technology. The key difference is that VPNs encrypt data flows over the public internet. VPCs are virtualized cloud deployments. They complement each other, enhancing overall security.

What is a private cloud?

A private cloud is a standalone cloud solution with a single tenant. Under the private cloud model, users own and manage their cloud computing infrastructure, including data storage and networking solutions. Control is centralized, and users take responsibility for cloud security.

Typically, private clouds reside in data centers managed by the user organization. On-site hardware creates a physical network perimeter. Endpoints on the private cloud perimeter enable access control. Managers can filter inbound and outbound traffic, ensuring a high level of security.

Private clouds have many benefits:

• Support for legacy applications. Ensuring access to legacy applications that do not function well on the public cloud (if at all).
• Enhanced integration management. Managing integrations to ensure operability and maintain security.
• Granular visibility of network access and user behavior.
• Resource segregation and control. The ability to segregate resources and have full control over the underlying infrastructure.
• Robust privacy protection for sensitive information via tight access controls.
• Complete customization. Users have total freedom to design private cloud architecture.

There are also downsides. Private clouds are complex and expensive to implement and maintain. They scale poorly compared with VPCs. Users require extensive expertise and may see IT costs spiral.

Differences between virtual private clouds and private clouds

The main difference between VPCs and private clouds is that VPCs reside on public cloud infrastructure while private clouds are hosted within an organization’s own data centers or dedicated hardware.

Both technologies allow single-tenant cloud computing, ensuring greater privacy than public cloud solutions. However, users should know how they differ before making a selection. Let’s quickly run through the main points of difference.

Getting started

Private cloud

Configuring a private cloud takes time and expertise. In-house teams to manage and secure cloud deployments. This may entail recruitment or hiring short-term consultants to handle the process.

VPCs

VPCs are relatively easy to set up. The cloud provider manages infrastructure security and VPC performance. Users can also connect VPCs easily to on-premises resources or other cloud instances.

Ease of use

Private cloud

Private clouds meet organizational needs. As a result, they should meet user demands efficiently. However, ensuring consistent performance is technically challenging for in-house teams.

VPCs

VPCs score highly on usability. Cloud vendors handle demanding technical tasks and support new users. Users do not need in-house expertise to benefit from cloud computing services.

Performance

Private cloud

Private clouds deliver robust performance as they reside inside an organization’s network perimeter. Dedicated IT teams also engineer private clouds to meet operational challenges.

VPCs

Cloud-hosted VPC services often show improved performance compared to locally hosted alternatives. They also scale more easily, accommodating business growth.

Maintenance

Private cloud

In-house teams maintain private cloud infrastructure. Data centers require cooling and power systems, which require regular testing and updating.

VPCs

VPCs need minimal maintenance. Users do not maintain physical hardware, although IT teams must check security parameters and audit network traffic on virtual machines.

Cost

Private cloud

Private clouds are expensive to set up and maintain.

VPCs

VPCs tend to be more affordable. Users can also purchase the capacity needed, keeping costs as low as possible.

Availability

Private cloud

Private clouds are generally very reliable and deliver high levels of availability.

VPCs

VPCs rely on cloud providers to keep systems operational and available. Users can leverage redundancy to hedge against downtime or cyberattacks.

Security

Private cloud

The private cloud model is extremely secure. Organizations can limit external access across the network perimeter and deploy internal segmentation to regulate lateral movement.

VPCs

VPCs are more secure than public cloud solutions but less secure than private clouds. Network access controls and segmentation protect critical data. However, unsecured access points can expose data to the public cloud.

Virtual private cloud vs. private cloud vs. hybrid cloud

Before we discuss how to choose cloud solutions, we need to talk about another issue: hybrid cloud deployments.

Hybrid cloud solutions mix different technologies. The most common type combines public clouds and private cloud services.

This type of hybrid cloud suits businesses that need to cut costs, host large amounts of non-critical data, or regularly experience traffic spikes. However, hybrid cloud security is a critical factor to consider, as securing data and workloads across diverse environments requires careful planning.

For instance, space on public clouds is usually cheaper than private alternatives. You might secure confidential data in VPC containers while keeping low-risk assets public.

Another form of hybrid cloud combines private clouds and VPCs. In this scenario, users might reserve sensitive data in a private cloud service. VPCs can handle other workloads. This suits remote workforces and reduces cloud computing costs.

Choosing the right cloud for your business

Let’s return to the main question: should you choose a private cloud or a VPC-based solution? Here are some factors that influence the decision to choose private cloud vs public cloud technologies:

Complete data protection

In the comparison between private cloud vs. public cloud security, VPCs, and private clouds easily beat shared public cloud solutions.

Private clouds are slightly more secure than VPCs, as users have more control over how and where their data is stored. This makes them a better choice for organizations like healthcare bodies or financial data processors.

In general, organizations in highly regulated sectors should consider a private cloud model. They might also segregate sensitive data within private clouds and use public or VPC solutions for other assets.

Simplicity and ease of use

Virtual private cloud solutions suit smaller companies without dedicated cloud maintenance teams. Private clouds require extensive maintenance and are relatively hard to scale.

A VPC solution lets small businesses benefit from cloud computing, secure data, and adapt their deployment as their needs change. Setting up a VPC is also much easier than a private cloud.

Keeping costs low

Think about the cost of your cloud hosting solution. Private clouds have high upfront costs, while VPCs are very affordable. They lock down confidential data or workloads without needing huge capital investment.

Private clouds may have long-term advantages as the operational costs fall over time, especially for larger organizations.

Flexibility

VPCs are more flexible than private clouds. You can spin up virtual servers and storage capacity as needed. For example, you may need a temporary DevOps environment to test code before using it elsewhere.

VPCs can also reside closer to customer communities. If you serve clients on other continents, regional VPCs cut latency and may aid compliance by separating customer data sets.

Private clouds are easier to customize but less flexible. Scaling is complex, making VPCs a better option if your computing or storage needs are uncertain.

Availability

Companies using the cloud to host websites or customer data need high availability. Downtime, which disables web services and workloads, costs money.

VPCs solve the availability issue via redundancy. You can use peering or availability zones to keep systems running, even if part of your deployment fails.

Private clouds are generally reliable but present a single point of failure. Using multiple virtual servers may be a safer option.

Performance

Properly designed private cloud systems perform well because they dedicate resources to essential tasks such as processing AI data sets or video rendering.

VPCs share space with cloud provider customers, leading to variable latencies. Virtual private cloud data centers could also be distant, causing speed issues.

Virtual vs. private cloud: Securing access to both

Whether you choose a virtual private cloud or private cloud solution, security is a top priority. VPC best practices like encrypting data and applying security groups help but are not comprehensive solutions.

Secure cloud access controls are critical to minimize data breach risks. Malicious actors pounce on vulnerable devices and endpoints. There is no room for complacency, no matter what assurances your cloud provider offers.

NordLayer is compatible with the most popular VPC solutions. It can enhance your security by protecting who can access the data stored in the cloud. To secure your VPC, consider these steps:

• Secure Remote Access: Use NordLayer’s Site-to-Site VPN to create an encrypted tunnel, allowing safe access to the VPC without exposing data to public internet risks.
• Prevent unauthorized access: NordLayer’s Cloud Firewall helps you control who can access the VPC. You can limit access to authorized users, reduce the chance of data leaks, and use extra security layers like SSO and MFA to double-check identities before granting access.
• Device Posture Security: NordLayer’s Device Posture Security ensures that only approved devices that meet company security standards can connect to the VPC. It helps prevent compromised or non-compliant devices from accessing sensitive data.

To find out more, contact the NordLayer sales team and discuss your cloud security needs.

If you serve security-conscious clients, why not take a look at our MSP partner program as well? As a cybersecurity partner, you can earn revenue and secure your cloud assets with support from our experts.

The dark web is a key enabler for cybercrime. It allows bad actors to share tools, knowledge, and services secretly.

Anyone wanting to buy illegal items—like cyber-attack tools or drugs—can find them on dark web marketplaces. These markets appear and disappear quickly as they get blocked. They are usually advertised on dark web forums, and some even have mirror sites on the clear web.

Researching the dark web is hard because marketplaces have short lifespans. They come and go quickly. That’s why NordLayer and NordStellar decided to analyze dark web forums instead.

Forums are more stable over time. This stability makes it possible to see trends in discussions. These forums mix legal topics like news, politics, and content sharing with illegal activities.

However, legal activities like whistleblowing make up less than 1% of the content. Illegal activities are the largest part. By studying these forums, we wanted to uncover new trends in illicit activities.

Our research shows that illicit posts peak in November, December, and January. The darkest months of the year also see the most activity in the web’s shadowy corners.

Why is winter the peak season for illicit posts?

We studied posts from June 2023 to October 2024. We categorized posts by topics and focused on illicit ones. Here’s how those posts were distributed:

These numbers reflect posts on the dark web, not actual attacks. However, research by BitNinja Security, Cloud Security Alliance, and Mimecast shows that Q4 is also when most cyber-attacks take place. This suggests a link between increased dark web activity and real-world cybercrime during this period.

Why are threat actors more active in dark months, both discussing illicit topics and committing crimes?

It’s a known issue. Black Friday is already called Black Fraud Day. In the UK only, more than 16,000 reports of online shopping fraud were recorded between November 2023 and January 2024, with each victim losing £695 on average.

But on dark web forums, people discuss not only cybercrime. A big part of forums is about sharing pirated software and media, like movies.

This number grows in dark months. Comparing the summer months of 2023 with November—January, the number of dark forum posts about all kinds of pirated content surged by 105%.

Like advanced persistent threats, “advanced persistent teenagers” are now a problem. Bored but skilled threat actors cause major disruptions. They trick employees with emails and calls, posing as help desk staff. These attacks lead to data breaches affecting millions. Teenagers now show techniques once limited to nation-states.

Another factor is adding to the boredom of dark web forum users. They are mostly from countries where winter is pretty harsh. Most users accessing Tor—the browser used for dark web activities—are from Germany (36%), the US (14%), and Finland (4%). For countries where users access Tor via bridges, the top is Russia (41%). Maybe dark web forums are just the coziest winter hangouts.

Changing platforms and AI effects on cybercrime

Our research shows that September and October of 2024 had much fewer posts about illicit things on dark web forums than a year before. Why is that?

Another trend affecting dark web discussions could be AI use in cybercrime.

Retail and cloud computing giant Amazon, which can now view activity on around 25% of all IP addresses on the internet, says it is seeing hundreds of millions more possible cyber threats across the web each day compared to earlier this year. They used to see about 100 million hits per day, but that number has grown to 750 million over six or seven months.

Amazon’s Chief Information Security Officer is sure AI is making tasks easier for ordinary people, allowing them to do things they couldn’t do before just by asking the computer. This might explain fewer discussions on dark web forums—why ask others when AI can do the work for you?

How to protect organizations during peak cybercrime seasons

So, winter months bring not only holidays but also heightened cyber risks. Instead of enjoying time with your family, you might find yourself dealing with cyber-attacks.

But don’t worry—there are steps you can take to protect your organization. The good news is these measures aren’t expensive or hard to implement.

Many of these precautions are the same as those needed year-round. Basic cybersecurity practices like employee training, strong passwords, and regular software updates are essential.

Employee education is the first line of defense.

Prepare now to minimize risks during the peak cyber-attack season.

With AI making cyber-attacks easier, it’s crucial to think about these things right now, when the cyber-attack season is at its peak. The next year could bring even more advanced threats.

So, give your company a Christmas present and invest in a solid cybersecurity solution.

Methodology

NordStellar acquired data from over 80 forums where illicit activities are most often discussed. These forums span different web layers: the clear web, the deep web, and the dark web. We gathered textual content from forum threads between June 2023 and October 2024. The numbers we obtained represent the number of forum posts.

We used a fine-tuned AI model to categorize dark web posts into 67 tags. These tags were then grouped into 10 broader categories. For example, the tag “SERVICE” refers to posts where users offer services for a fee, including hacking or hiring hitmen. This tag falls under “Illicit services and marketplaces.” 

The study is thorough but has limitations from analyzing posts on approximately 80 forums only. Additionally, the shorter lifecycle of criminal sites and the rapid rise of mirror sites can affect data consistency and completeness.

Now, businesses face many online threats that can jeopardize network security, reduce employee productivity, and compromise regulatory compliance. Domain Name System (DNS) filtering is a powerful tool for protecting against these threats by blocking access to harmful websites—those that may host malware, phishing attempts, or inappropriate content.

Beyond protecting your network, DNS filtering tools improve workplace productivity by limiting access to non-work-related websites. They also help ensure compliance by restricting access to certain types of content.

However, with many DNS filtering providers available, selecting the right one can be overwhelming. This guide will walk you through the key factors to consider when choosing the best DNS filtering solution for your organization.

How DNS filtering solutions work

DNS filtering is like a gatekeeper for internet usage, preventing access to malicious or inappropriate websites before they can harm your network. By intercepting DNS queries—requests users make when accessing a website—the filtering system determines whether the requested domain is safe based on predefined security policies.

Typically, DNS servers function like an internet “phonebook,” translating domain names into IP addresses to connect your browser and the required website.

With a DNS filtering solution in place, however, each query undergoes additional checks. If the requested site is flagged on a blocklist or is identified as a security risk, the DNS resolver blocks the request, preventing the page from loading and neutralizing potential cyber threats.

Benefits of implementing a DNS filtering solution

Deploying a DNS filtering solution offers a range of benefits that go beyond basic Internet browsing controls:

Internet threat prevention

Each organization should control employee online traffic. By blocking access to sketchy sites full of malware, phishing, or ransomware, DNS filtering solutions shield your network from all kinds of cyber-attacks before they even have a chance to strike.

Keeping productivity on point

Let’s face it—distractions are everywhere. DNS filtering tools help minimize those distractions by blocking non-work-related sites so your team can stay focused and get more done.

Improved network performance

No more bandwidth hogs. A DNS filtering solution ensures your network runs smoothly and efficiently by limiting heavy streaming or large file downloads.

Security compliance

Worried about regulations? DNS filtering helps you meet industry standards by controlling access to restricted content and protecting your business from potential legal and reputational risks.

Keeping remote workers safe

With more people working remotely, DNS filtering solutions block online threats and secure sensitive data, no matter where your employees log in.

Filtering for safer Internet access

Whether it’s a school, home, or workplace, DNS filtering blocks inappropriate or harmful content, creating web filtering for schools or employees.

5 considerations for choosing the best DNS filtering solution

When it comes to selecting a DNS filtering provider, it’s essential to weigh your options carefully. With so many choices out there, understanding the key factors can help you find the right fit for your organization. Here are some critical considerations to keep in mind:

#1 Technical architecture

The backbone of a solid DNS filtering solution is its technical architecture. You’ve got two main options: cloud-based or on-premise. Cloud-based solutions are super scalable. They make it easier to grow with your business’s security needs. They are also easier to deploy, need less maintenance, and usually come with real-time updates.

On-premise solutions give you more control over your data. This can be a big help if you have strict privacy rules. However, they might require higher initial costs, more time, and greater expertise to maintain.

Another thing to keep in mind is DNS resolution speed—how fast it can process requests and load websites. A provider with a global network will keep things running smoothly with less lag when accessing sites.

#2 Advanced threat detection

In today’s world, you need more than just the basics. Look for a DNS filtering solution that’s equipped with advanced threat detection. Such a solution must monitor network activity in real-time, spotting and blocking threats like malware and phishing before they can mess with your network. As cyber threats keep evolving, having a tool that adapts is a must.

#3 Integration with existing systems

Whatever DNS filtering solution you pick should be compatible with your current system. Make sure it works well with your existing security infrastructure, like your firewall or Security Information and Event Management (SIEM) tools. Some providers even offer API access for easy integration with third-party tools or custom solutions. A smooth integration means less hassle for your IT team and a more seamless security experience.

#4 Granular policy management

DNS filtering is designed to restrict access to specific content, but when it comes to defining exclusive rules for network access, we enter a different technological area. Therefore, when selecting DNS filtering solutions, it’s best to look for comprehensive products beyond content restriction and address network access use cases.

Fine-tuning access with your DND filtering solution helps boost productivity and security, keeping everyone where they need to be.

#5 Real-time analytics and reporting

Keeping tabs on what’s happening in your network is essential. Make sure your DNS filtering provider offers real-time analytics and reporting so you can spot potential threats, check network activity, and stay compliant. Detailed DNS query logs and custom reports are especially useful for digging into incidents or proving you’re following industry regulations.

Tips for selecting the best DNS filtering solution

• Check out content control features: Look for customizable filtering options that let you block malware, phishing attempts, adult content, gambling sites, and more. Keeping distractions and risks at bay is key for productivity and compliance.
• Make sure it has solid security features: Don’t settle for basic protection. Your DNS filtering solution has strong encryption, advanced threat detection, and malware protection. These features add extra layers of security, especially when your data is in transit.
• Go for user-friendly setup and centralized management: Setting up DNS filtering shouldn’t be a headache. Look for something simple to install with centralized management so your IT team can control everything from one spot, enforce policies, and quickly handle any issues.
• Look for customization options: Every business is different, so you’ll want a solution that lets you fine-tune filtering rules to fit your specific needs. Flexibility is key to keeping security tight without slowing down business activities.

Conclusion

Choosing a DNS filtering solution for your business is critical. It impacts everything from your cybersecurity to productivity and compliance. Take the time to evaluate things like the technical architecture, how the provider handles threats, and how well the solution integrates with your current systems. Opt for providers that offer robust security, real-time reporting, and detailed control over access to make sure you’re getting the best DNS filtering solution possible.

With the right DNS filtering in place, you can protect your network, control online interactions, and create a safer, more productive work environment for your team.

How NordLayer can help

NordLayer offers easy-to-use DNS filtering capabilities to protect your network. With features like DNS filtering by category, Web Protection, and Download Protection, keeping your team safe is simple. Setup is quick, even for non-tech users, and managing security for your whole team is straightforward.

• DNS filtering by category allows IT admins to block content from over 50 categories. This helps keep your network secure and your team focused.
• Web Protection automatically blocks access to websites that are flagged as potentially malicious.
• Download Protection scans every new file download and removes harmful files before they can infect your devices.

These features can work together to prevent risks like malware infections and phishing. But that’s not all. All NordLayer customers get encrypted connections and masked IP addresses. This ensures your internet access is secure, no matter where you are.

Want to learn more? Contact NordLayer’s sales team to see how we can help protect your network.