Yarix Presents the New 2025 Y-REPORT. Hacktivism: Italy Was the Fifth Most Targeted Country in 2024
Y-REPORT 2025 – VIII EDITION

Milan, May 27, 2025 – Var Group presents the eighth edition of the Y-Report by Yarix, its cybersecurity center of excellence, to map the cyber threat landscape that affected Italy and the world in 2024.

In 2024, the Yarix Security Operation Center (SOC), the control room where cyberattacks are monitored in real time, analyzed over 485,000 security events (+56% compared to 2023), referring to anomalous or suspicious activities within systems. Nearly 1 in 3 of these events (141,000, +70% from 2023) evolved into incidents, meaning breaches that impacted data or system security. Within this context, critically severe incidents more than tripled (+269% year-on-year), a trend driven by vulnerabilities in key infrastructure components such as firewalls and other security devices.

The two most affected sectors were Manufacturing (12.5%) - especially vulnerable due to outdated equipment and decentralized infrastructure often characterized by limited governance - and IT (11.8%), due to the high number of exposed services prone to various vulnerabilities and the sensitive nature of data handled.

Ransomware

In 2024, 4,721 ransomware events were recorded globally (+5.5% claims compared to 2023), mostly targeting SMEs (54%) and carried out by 92 ransomware groups. Among them, RansomHub remained the most active, responsible for 9.80% of all attacks. Italy rose to fourth place among the countries most targeted by ransomware, following the United States, United Kingdom, and Canada, and ahead of Germany. In Italy, ransomware attacks affected companies in Manufacturing (32.5%), Consulting (9%), IT (7.5%), Transportation (7.5%), and Construction (6.5%), with the majority located in Lombardy (30.90%), Emilia-Romagna (15.40%), and Veneto (8.80%).
Geopolitical Context and Hacktivism

Italy was the fifth most targeted country by hacktivist groups in 2024, attacked by pro-Russian collectives in response to Italy’s support for the Ukrainian government (especially during the first 2024 G7 meeting in Kyiv) and by Asia-Pacific groups opposing Italy’s support for Israel. Attack peaks occurred in Q1 and Q4 of 2024. The top targets included Ukraine, Israel, and Romania - the latter due to its strategic and military relevance in the Russia-Ukraine conflict. India ranked fourth, due to territorial or political disputes with neighboring countries, where activity spikes were linked to Asia-Pacific-based groups. Yarix’s Cyber Intelligence Team identified 97 hacktivist groups globally, with the pro-Russian collective NoName057 being the most active, responsible for over 55% of attacks in sectors such as Energy & Utilities, Healthcare, Banking & Finance, and Transportation & Logistics.

2024 Trends: AI in Offense and Defense

In 2024, the Incident Response Team managed 146 security breaches (+75.9% vs. 2023). Analysis revealed that Generative AI was used to craft malicious scripts - automated instructions for harmful system actions - enabling faster malware development and allowing less-skilled actors to launch increasingly sophisticated attacks. Attackers have become more adept at erasing their traces within compromised systems, making it harder to reconstruct events and identify breach points.

However, AI is also a crucial defensive asset. One year after the launch of Egyda, Yarix’s platform integrating advanced automation, machine learning, and AI into the SOC, average response times to incidents dropped by over 50%, thanks to faster and more accurate alert processing.

Other notable trends identified include:

Methodology

The report is based on data received and analyzed by Yarix during 2024.
The information comes from a specific panel of companies monitored by the SOC and represents Yarix’s client base, spanning multiple sectors of the national economy. Data from incidents involving non-clients were also included. The panel includes companies with an average of over 1,000 employees and revenues exceeding €50 million. Data were statistically normalized and standardized to produce reliable quantitative outputs supporting qualitative insights. All collected data were automatically anonymized and aggregated to protect privacy and remove any identifiable links to specific companies.