Dive Brief:
- Credit risk will probably rise in 2025 as cyberattackers evade defenses with artificial intelligence and increasingly target large companies with the resources to pay high ransoms, Moody’s Ratings said Monday.
- “In response to declining revenue per victim, cyberattackers are seeking to wring greater returns from their attacks by demanding higher ransoms,” Moody’s said in a report. “We believe they are accomplishing this by targeting larger businesses that can afford higher ransom payments, and we expect this to increase cyber risk for Moody's rated debt issuers.”
- At the same time, cybercriminals in 2025 may confront weaker opposition from the Trump administration, which is likely to soften cyber-defense regulations, Moody’s said.
Dive Insight:
The FBI’s Internet Crime Complaint Center received a record 880,418 reports from the public last year — a nearly 10% increase compared with 2022 — with estimated losses exceeding $12.5 billion, the law enforcement agency said. Just a fraction of such crimes are reported, the FBI said.
The number of reported ransomware attacks by the U.S. public rose 18% last year to 2,825, with losses surging 74%, the FBI said.
“Cybercriminals continue to adjust their tactics, and the FBI has observed emerging ransomware trends, such as the deployment of multiple ransomware variants against the same victim and the use of data-destruction tactics to increase pressure on victims to negotiate,” the FBI said in a report.
Cybercriminals are increasingly deploying generative AI tools in their efforts at ransomware and fraud, Moody’s said.
“Phishing attacks, aiming to entice a user into clicking a malicious link, will be turbocharged by GenAI,” the ratings company said. “GenAI tools will enable attackers to craft personalized and compelling text, audio and video content that mimic legitimate communications from trusted entities.”
Cybercriminals can increasingly penetrate defenses of a large company by compromising the defenses of third-party software suppliers, Moody’s said. A successful attack on one supplier can yield openings for ransomware and other crimes at many of the supplier’s customers.
Pilferage of employee credentials is also the technique most favored by cybercriminals, Moody’s said. The use of stolen credentials surged 71% last year compared with 2022 and ranked as the most commonly used tactic for gaining unauthorized access to companies’ systems, Moody’s said, citing IBM data.
The Trump administration will likely clear some regulatory obstacles to wrongdoers, Moody’s said.
“The administration will likely roll back cybersecurity mandates and potentially curtail the activities of the U.S. Cybersecurity and Infrastructure Security Agency,” Moody’s said. “This could expose issuers to a heightened risk of cyberattack.”
Companies can use AI to reduce cyber-threats, according to Leroy Terrelonge, a Moody’s Ratings vice president focused on cyber credit risk.
Chief Information Security Officers can use AI tools to translate cybersecurity risks into financial risks for assessment by company boards, Terrelonge said Monday in an email reply to questions.
“Cybersecurity professionals will be able to evaluate threats more rapidly by using generative AI to quickly examine suspicious activity to determine critical details such as the type of attack used, information about the origin of the attack and perhaps even gain further insight into what the attack is targeting,” he said.
“Today, these analyses require skilled practitioners to leverage several tools and often require translation between the lexicon of one tool to another in order to perform the work,” Terrelonge said.
Cybersecurity staff will also be able to use generative AI to build customized security training programs, email campaigns and other resources to inform employees about risks, he said.