31 New Ransomware Groups Joined the Ecosystem in 12 Months


Despite the flurry of law enforcement actions to take down ransomware gangs, Secureworks has seen a 30% increase in active ransomware groups year-over-year.

In the eighth edition of its annual State of the Threat Report, Secureworks identified 31 new groups that had entered the ransomware ecosystem over the past twelve months.

The report noted that while the threat landscape was previously dominated by a few major players, it is now home to a broader range of emerging entities.

The top three most active ransomware groups, based on the number of victims listed, are:

  • LockBit, described by Secureworks as the “long-established top dog” of ransomware. The group accounted for 17% of all victims listed. This is 8% lower than last year, a decline attributed to the ongoing law enforcement activity, Operation Cronos, which has disrupted much of the group’s operations.
  • PLAY was the second most active group and has doubled its number of victims year-over-year.
  • RansomHub emerged as a new group a week after LockBit’s initial takedown in February 2024. The group was responsible for 7% of the named victims.

BlackCat/ALPHV, previously one of the most active ransomware groups, failed to crack the top three this year as law enforcement efforts significantly disrupted its operations.

Secureworks noted that despite the growth in the number of ransomware groups, victim numbers were not increasing at the same pace. The company said this shows a more fragmented landscape and raises the question of how successful these new groups could be.

“Ransomware is a business that is nothing without its affiliate model. Over the past year, law enforcement activities have shattered old ties, reshaping cybercrime. Originally chaotic in their response, threat actors have refined their operations and the way they operate. The result is an increased number of groups, supported by substantial partner migration,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.

“As the ecosystem evolves, we face entropy in threat groups, but also unpredictability in playbooks, adding significantly more complexity to network defenders,” Smith said.

AI and Adversary-in-the-Middle (AiTM) growing threats

AI tools are now widespread and readily available for both legitimate and criminal uses.

Researchers at Secureworks CTU said they have observed an increase in posts on underground forums since mid-February 2023 about OpenAI ChatGPT and how it can be used for nefarious purposes.

Much of the discussion concerns relatively low-level activities, including phishing attacks and simple script creation, the company said.

Meanwhile, AiTM attacks are used to steal credentials and session cookies to gain access to networks.

This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits available for rent on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy, and Tycoon2FA.

“The increasing use of AI is giving threat actors scale, but the rise in AiTM attacks poses a more pressing problem for businesses, reinforcing the idea that identity is the perimeter and should prompt companies to take stock and rethink their defensive posture,” Smith said.

Analysis of state-sponsored threat activities

China, Russia, Iran and North Korea remain the hostile state actors of most concern and Secureworks said all continue to deploy cyber campaigns against their usual targets.

Russia has evolved its tactics regarding the conflict in Ukraine to focus on espionage attacks aimed at obtaining military intelligence. This activity has been observed outside Ukraine.

CTU researchers believe that Russia’s most aggressive use of cyber capabilities, in sabotage operations, will continue to target critical infrastructure in Ukraine.

Meanwhile, China has honed its tradecraft through heavy investment in obfuscation networks and in living off the land, at the edge and in the cloud. Chinese operations continue to focus on espionage and information theft for political, economic and military gain.

Iran has two main state sponsors of cyber activity: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Their cyber activities continue to be driven by political imperatives, targeting Israel and other regional adversaries, including Saudi Arabia, the United Arab Emirates and Kuwait, as well as the US.

Finally, North Korean threat actors have continued their monetization activities through cryptocurrency theft and sophisticated fraudulent employment schemes to obtain Western jobs. They persistently attacked the IT sector and supply chain weaknesses, focusing on entities in the US, South Korea and Japan.

North Korea is willing to cooperate with Russia and Iran, aiming to advance relations with countries prepared to confront shared perceived enemies despite international sanctions.

The annual State of the Threat Report examines the cybersecurity landscape from June 2023 to July 2024.
