From $22M in Ransom to +100M Stolen Records: 2025’s All-Star SaaS Threat Actors to Watch
As the digital landscape continues to evolve, cybersecurity has become more complex and critical than ever. 2024 saw an unprecedented surge in cyber threats targeting Software as a Service (SaaS) platforms, with hackers employing increasingly sophisticated tactics. According to the Microsoft Digital Defense Report 2024, the number of blocked password attacks surged by 75%, with over 7,000 attempts blocked every second in Entra ID alone. Phishing attempts spiked by 58%, contributing to a staggering $3.5 billion in losses.
These attacks are not merely opportunistic; they are strategic, involving evasive techniques that mimic legitimate usage patterns to evade detection. From large-scale data exfiltration campaigns to cleverly executed ransomware schemes, SaaS security in 2024 revealed a formidable lineup of threat actors making their mark on the cybercrime world.
As we head into 2025, it’s critical for security teams to prioritize SaaS security risk assessments, adopt tools like SaaS Security Posture Management (SSPM) for continuous monitoring, and proactively defend against the threats that are shaping the future of cybersecurity.
Here’s a rundown of the most prominent threat actors of 2024 who are expected to dominate the cybercrime scene in 2025: the MVPs, rising stars, and relentless strategists who will keep SaaS security teams on their toes.
1. ShinyHunters: The Most Valuable Player
Playstyle: Precision Shots (Cybercriminal Organization)
Biggest Wins: Snowflake, Ticketmaster, Authy
Notable Drama: Exploited one misconfiguration to breach 165+ organizations.
In 2024, ShinyHunters solidified their reputation as one of the most dangerous and precise cybercriminal organizations targeting SaaS platforms. Their hallmark was not exploiting a vulnerability in a vendor’s code but rather capitalizing on misconfigurations within customer environments. In particular, their breach of Snowflake highlighted how overlooked configurations could lead to a massive attack, affecting critical infrastructure and sensitive data across more than 165 organizations.
These hackers exfiltrated data at will, leveraging the lack of multi-factor authentication (MFA) and weak security controls. ShinyHunters’ attacks weren’t just about the money—they also made waves with public leaks and auctions of stolen data.
SaaS Security Lessons: Implementing strong MFA policies, credential rotation, and regular configuration audits can prevent similar attacks. Misconfigurations are a prime target for attackers, and this breach serves as a wake-up call for all SaaS customers.
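The configuration audit this lesson calls for, as an added example (not code from the original article or from any vendor): it walks a constructed, hypothetical export of a SaaS tenant's user accounts and flags the conditions behind the Snowflake-style breach: human accounts without MFA, service accounts with no network policy (IP allow-list), credentials past the rotation window, and enabled accounts nobody has used recently. The record schema, thresholds and sample data are all assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical record schema for one SaaS user account (constructed, not a real vendor export).
@dataclass
class Account:
    name: str
    mfa_enrolled: bool
    password_last_set: date
    last_login: Optional[date]
    disabled: bool
    is_service: bool        # non-interactive / integration account
    network_policy: bool    # an IP allow-list is attached to the account

MAX_PASSWORD_AGE = timedelta(days=90)   # assumed rotation window
MAX_INACTIVITY = timedelta(days=60)     # assumed "dormant account" threshold

def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return {account_name: [finding, ...]} for enabled accounts that violate the policy."""
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        if a.disabled:
            continue                      # disabled accounts cannot be used for login
        issues = []
        if not a.is_service and not a.mfa_enrolled:
            issues.append("mfa-missing")
        if a.is_service and not a.network_policy:
            issues.append("service-account-without-network-policy")
        if today - a.password_last_set > MAX_PASSWORD_AGE:
            issues.append("password-stale")
        if a.last_login is None or today - a.last_login > MAX_INACTIVITY:
            issues.append("inactive-but-enabled")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample tenant: one clean user, one user without MFA and a stale password,
# one integration account with no allow-list, one forgotten contractor, one disabled account.
TODAY = date(2025, 1, 15)
SAMPLE = [
    Account("alice", True, date(2024, 12, 1), date(2025, 1, 14), False, False, False),
    Account("bob", False, date(2023, 6, 10), date(2025, 1, 10), False, False, False),
    Account("etl_loader", False, date(2024, 11, 20), date(2025, 1, 15), False, True, False),
    Account("contractor_old", True, date(2024, 3, 1), date(2024, 9, 30), False, False, False),
    Account("retired", False, date(2022, 1, 1), None, True, False, False),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE, TODAY).items():
        print(f"{name}: {', '.join(issues)}")
```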
2. ALPHV (BlackCat): The Master of Deception
Playstyle: Strategic Maneuvering (Ransomware-as-a-Service, RaaS)
Biggest Wins: Change Healthcare, Prudential (Healthcare & Finance)
Notable Drama: The $22M exit scam scandal with RansomHub.
ALPHV, also known as BlackCat, made headlines in 2024 with one of the boldest ransomware attacks in recent history. After extorting $22 million from Change Healthcare, the group staged an FBI takedown on their leak site to mislead authorities and affiliates. The subsequent drama unfolded when an affiliate, RansomHub, accused ALPHV of a scam, claiming they were left empty-handed despite the ransom payment.
Despite this internal conflict, ALPHV’s reach remained unchallenged, with attacks on high-profile targets like Prudential, causing massive data leaks and operational disruption.
SaaS Security Lessons: Regularly monitoring for leaked credentials, including on darknet markets and forums, and enforcing Single Sign-On (SSO) can reduce the risk of credential-based attacks. Vigilant monitoring for signs of compromised credentials is crucial to avoid becoming another ransomware victim.
3. RansomHub: Rookie of the Year
Playstyle: Opportunistic Offense (Ransomware-as-a-Service, RaaS)
Biggest Win: Frontier Communications (Telecom & Infrastructure)
Notable Drama: Caught in the fallout of ALPHV’s $22M scam.
RansomHub, a newcomer on the scene in 2024, gained notoriety quickly, especially after their involvement in the Change Healthcare breach, where they exploited SaaS vulnerabilities to steal data affecting over 100 million U.S. citizens. Despite ALPHV’s betrayal, RansomHub continued to score big with high-profile breaches like Frontier Communications, demonstrating their relentless drive for expansion.
They’ve proven to be opportunistic, capitalizing on SaaS misconfigurations and weak authentication methods.
SaaS Security Lessons: Ransomware actors like RansomHub thrive on exploiting weaknesses in identity management systems. Implementing comprehensive identity threat detection and anomaly monitoring tools can help identify and prevent account takeovers.
4. LockBit: Clutch Player of the Year
Playstyle: Relentless Offense (Ransomware-as-a-Service, RaaS)
Biggest Wins: Supply chain attack via Evolve Bank & Trust (Fintech)
Notable Drama: FBI’s Operation Cronos failed to shut them down entirely.
LockBit continued its dominance in 2024, executing multiple high-profile attacks on SaaS companies and fintech organizations. Their involvement in the Evolve Bank & Trust breach caused a ripple effect, affecting downstream companies like Affirm and Wise. Despite the FBI’s Operation Cronos, which sought to dismantle their infrastructure, LockBit demonstrated resilience by bouncing back and taunting authorities with bold statements on their leak site.
SaaS Security Lessons: Third-party vendor risk assessments are essential, as attacks like LockBit’s supply chain breaches can devastate entire ecosystems. Real-time anomaly detection tools and behavior analytics can identify suspicious activities, making it easier to detect attacks early.
5. Midnight Blizzard (APT29): The Silent Operator
Playstyle: Defensive Infiltration (Advanced Persistent Threat, APT)
Biggest Win: TeamViewer (Remote Access Tool)
Notable Drama: Breach as a gateway for silent espionage.
APT29, also known as Midnight Blizzard, continued its covert operations throughout 2024. Unlike ransomware groups, they specialize in silent espionage, focusing on high-value targets for strategic data exfiltration. In 2024, they breached TeamViewer, a widely used remote access tool, to infiltrate corporate networks. They maintain an almost invisible presence, operating under the radar while extracting sensitive data over extended periods.
SaaS Security Lessons: To defend against nation-state actors like APT29, organizations must focus on continuous auditing, multi-factor authentication (MFA), and tight access controls. Regular checks for suspicious login patterns and unauthorized access can minimize the impact of silent infiltrations.
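The "checks for suspicious login patterns" recommended here (and the anomaly monitoring recommended for RansomHub above), as an added example that is not part of the original article: it parses a constructed, hypothetical SaaS audit-log format and raises alerts for a successful login without MFA, a login from a country the user has never logged in from before, and a success that follows a burst of failed attempts on the same account. The log format, field names, thresholds and sample events are assumptions; the IP addresses are documentation ranges.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample audit log (hypothetical format, not any vendor's real schema).
LOG = """\
2025-01-10T08:02:11Z user=alice result=success ip=203.0.113.10 country=US mfa=yes
2025-01-10T08:15:40Z user=alice result=success ip=203.0.113.10 country=US mfa=yes
2025-01-11T02:41:05Z user=alice result=success ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:06Z user=bob result=failure ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:07Z user=bob result=failure ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:08Z user=bob result=failure ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:09Z user=bob result=failure ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:10Z user=bob result=failure ip=198.51.100.7 country=AU mfa=no
2025-01-11T02:41:12Z user=bob result=success ip=198.51.100.7 country=AU mfa=no
"""

LINE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
                  r"ip=(?P<ip>\S+) country=(?P<country>\S+) mfa=(?P<mfa>\S+)")
FAILURE_BURST = 5   # assumed threshold for "many failures before a success"

def parse(text: str) -> List[Dict[str, str]]:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    return [m.groupdict() for m in (LINE.match(l) for l in text.splitlines()) if m]

def detect(events: List[Dict[str, str]],
           known_countries: Optional[Dict[str, str]] = None) -> List[Tuple[str, str, str]]:
    """Return (rule, user, timestamp) alerts. The per-user country baseline is taken from
    known_countries if given, otherwise learned from the user's first successful login."""
    alerts = []
    baseline = dict(known_countries or {})
    failures = defaultdict(int)          # consecutive failures per user
    for e in events:
        u = e["user"]
        if e["result"] == "failure":
            failures[u] += 1
            continue
        if e["mfa"] == "no":
            alerts.append(("success-without-mfa", u, e["ts"]))
        if u in baseline and e["country"] != baseline[u]:
            alerts.append(("new-country", u, e["ts"]))
        if failures[u] >= FAILURE_BURST:
            alerts.append(("success-after-burst-of-failures", u, e["ts"]))
        baseline.setdefault(u, e["country"])
        failures[u] = 0                  # a success resets the failure counter
    return alerts

if __name__ == "__main__":
    for rule, user, ts in detect(parse(LOG)):
        print(f"{ts} {user}: {rule}")
```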
The Sixth Man: The Ones to Watch and Benched Talent
Hellcat (The Ones to Watch): A new ransomware group, Hellcat made an immediate impact with a confirmed breach of Schneider Electric. Their rapid emergence and success in 2024 suggest they will be a significant threat in 2025, with a potential for more aggressive tactics.
Scattered Spider (Benched Talent): After a series of arrests, this once-prominent cybercriminal group has taken a backseat in recent months. However, experts caution against counting them out entirely, as they may make a comeback in 2025.
Key Takeaways for 2025
Misconfigurations Remain a Prime Target: Hackers continue to exploit overlooked misconfigurations, gaining unauthorized access to critical systems. Implementing regular audits, enforcing MFA, and rotating credentials are essential defenses.
Identity Infrastructure Under Attack: With attackers leveraging stolen credentials and sophisticated authentication bypass techniques, securing identity infrastructure has never been more critical. Identity monitoring and anomaly detection are vital to preventing unauthorized access.
Shadow IT and Supply Chain as Entry Points: Unauthorized SaaS applications and integrations can create hidden vulnerabilities. Continuous monitoring and proactive security measures are essential to mitigating these risks.
As we move into 2025, the SaaS security landscape remains a battleground for cybercriminals. By staying informed, vigilant, and adopting a multi-layered security approach, organizations can better defend against the evolving threats posed by these all-star cybercriminals.
Stay ahead of the game—don’t wait for the next breach.