
One of the most talked-about cyber security success stories of the past year was the brutal takedown of the LockBit ransomware crew and the humiliation of its key players, but looking at the raw data, it doesn't seem to have done much to deter cyber criminals.

This is according to Secureworks' 2024 State of the Threat report, which today lifts the curtain on a 30% year-on-year rise in active ransomware groups operating name-and-shame leak sites, with 31 new actors entering the ecosystem between June 2023 and July 2024.

Given the Operation Cronos assault on the gang, led by the UK's National Crime Agency (NCA), it may come as no surprise that LockBit's share of ransomware listings for the period was down 8% year on year, although at 17% of listings it still topped the table.

BlackCat/ALPHV, which suffered a similar drubbing at the hands of law enforcement before pulling its own product in a potential exit scam, and Clop/Cl0p, which capitalised on the 2023 MOVEit file transfer compromise to hit hundreds of victims, have also been less active.

However, the second most active ransomware gang, Play, doubled its victim count year on year, while RansomHub, a group that emerged shortly after LockBit's takedown, has in the space of just a few months become the third most active group on the scene, with a 7% share of listed victims. Qilin, meanwhile, has also been making its mark, notably in its high-profile attack on NHS partner Synnovis.

"Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cyber crime. Threat actors have changed their business models and how they operate. The result is a larger number of groups, underpinned by substantial affiliate migration," said Don Smith, vice-president of threat intelligence at Secureworks Counter Threat Unit (CTU).

"As the ecosystem evolves, we have seen growth in the number of threat groups, but also variation in playbooks, adding considerable complexity for network defenders," said Smith.

More gangs, fewer victims

However, despite this increase, there has been no comparable rise in victim numbers, which could be a result of gangs jostling for position in a more fragmented environment.

Additionally, the CTU team noted a great deal of affiliate movement in the ransomware ecosystem, which may be a factor in this trend. The researchers found a number of cases over the past year where victims were listed on more than one leak site, perhaps as a result of affiliates shopping their work around in an increasingly disordered ecosystem.

Threat actors have changed the way they conduct business and how they operate. The result is a larger number of groups, underpinned by significant affiliate migration.
Don Smith, Secureworks Counter Threat Unit

And truly disordered the past 12 months have been. According to Secureworks analysts, the clear trend has been a fragmentation of the ransomware landscape, which is now home to a more diverse set of cyber brigands.

Nonetheless, this may be creating a Wild West of a threat landscape, with less authority and structure over how groups operate. For example, the drop in median dwell times observed this year appears to be the result of criminals moving fast and breaking things in lightning-paced smash-and-grab attacks.

Secureworks advised defenders to expect much more variation and shifts in attack methodologies as the new ecosystem evolves and coalesces over the coming months.

Also on the rise in the field is the theft of session cookies through adversary-in-the-middle (AitM) attacks, also known as man-in-the-middle (MitM) attacks, using phishing kits such as EvilProxy or Tycoon2FA, which are readily available on the dark web. These kits work as reverse proxies: the victim logs in to what looks like the real service, the kit relays the password and one-time code to the genuine identity provider in real time, and it captures the authenticated session cookie that comes back. According to the research team, this trend should ring alarm bells for defenders because it lessens the utility of some types of multifactor authentication (MFA). The caveat a practitioner should note is that only MFA that is bound to the origin the user is actually talking to, such as FIDO2/WebAuthn security keys and passkeys, survives this relay; codes typed by the user, whether from an app, SMS or push prompt, do not.
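The mechanism behind that warning, as an added example that is not code from the report, from Secureworks or from any of the kits named: a Python simulation in which a reverse-proxy phishing kit relays a victim's password and TOTP code to a real identity provider and keeps the session it is issued, followed by the same relay against an origin-bound WebAuthn-style login, which fails both when forwarded as-is and when the proxy tries to rewrite the origin. The origins, usernames, class names and the use of an HMAC in place of the authenticator's asymmetric signature are all assumptions made for the simulation.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time

# Assumed origins for the simulation (hypothetical hosts, not taken from the report).
REAL_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login.example.com.evil.test"


def totp(secret, now=None, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the six-digit code a victim types into the phishing page."""
    counter = int((time.time() if now is None else now) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class IdentityProvider:
    """Minimal IdP with two login paths: password + TOTP, and an origin-bound WebAuthn-style assertion."""

    def __init__(self):
        self.totp_secret = secrets.token_bytes(20)
        # Stand-in for the registered authenticator public key. Real WebAuthn uses an
        # asymmetric keypair; a shared HMAC key is used here only to keep the example short.
        self.authenticator_key = secrets.token_bytes(32)
        self.sessions = {}
        self.pending_challenges = set()

    def login_totp(self, username, password, code):
        ok = password == "correct-horse" and hmac.compare_digest(code, totp(self.totp_secret))
        return self._issue_session(username) if ok else None

    def challenge(self):
        c = secrets.token_hex(16)
        self.pending_challenges.add(c)
        return c

    def login_webauthn(self, username, assertion):
        client_data = json.loads(assertion["client_data_json"])
        # The signed client data carries the origin the victim's browser was really on.
        if client_data.get("origin") != REAL_ORIGIN:
            return None
        if client_data.get("challenge") not in self.pending_challenges:
            return None
        expected = hmac.new(self.authenticator_key, assertion["client_data_json"].encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return None
        self.pending_challenges.discard(client_data["challenge"])
        return self._issue_session(username)

    def _issue_session(self, username):
        sid = secrets.token_hex(16)
        self.sessions[sid] = username
        return sid

    def whoami(self, sid):
        return self.sessions.get(sid)


class Authenticator:
    """Victim's authenticator: signs the challenge together with the origin reported by the browser."""

    def __init__(self, key):
        self.key = key

    def get_assertion(self, challenge, browser_origin):
        client_data_json = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin}, sort_keys=True)
        signature = hmac.new(self.key, client_data_json.encode(), hashlib.sha256).digest()
        return {"client_data_json": client_data_json, "signature": signature}


class AitmProxy:
    """Reverse-proxy phishing kit: forwards whatever the victim submits and keeps any session it is given."""

    def __init__(self, idp):
        self.idp = idp
        self.stolen_session = None

    def relay_totp(self, username, password, code):
        self.stolen_session = self.idp.login_totp(username, password, code)
        return self.stolen_session

    def relay_webauthn(self, username, assertion, rewrite_origin=False):
        if rewrite_origin:  # attacker tries to make the client data claim the real origin
            cd = json.loads(assertion["client_data_json"])
            cd["origin"] = REAL_ORIGIN
            assertion = dict(assertion, client_data_json=json.dumps(cd, sort_keys=True))
        self.stolen_session = self.idp.login_webauthn(username, assertion)
        return self.stolen_session


def scenario_totp():
    """Victim types password and current TOTP into the phishing page; the kit relays them live."""
    idp, proxy = IdentityProvider(), None
    proxy = AitmProxy(idp)
    proxy.relay_totp("alice", "correct-horse", totp(idp.totp_secret))
    return idp.whoami(proxy.stolen_session)  # attacker now holds a valid session for alice


def scenario_webauthn():
    """Same relay against an origin-bound credential: the browser signs PHISH_ORIGIN, so the IdP refuses."""
    idp = IdentityProvider()
    proxy, auth = AitmProxy(idp), Authenticator(idp.authenticator_key)
    assertion = auth.get_assertion(idp.challenge(), PHISH_ORIGIN)
    forwarded = proxy.relay_webauthn("alice", assertion)
    tampered = proxy.relay_webauthn("alice", assertion, rewrite_origin=True)  # breaks the signature
    return forwarded, tampered


def scenario_legitimate_webauthn():
    """Control case: the same authenticator on the real origin logs in normally."""
    idp = IdentityProvider()
    auth = Authenticator(idp.authenticator_key)
    return idp.whoami(idp.login_webauthn("alice", auth.get_assertion(idp.challenge(), REAL_ORIGIN)))


if __name__ == "__main__":
    print("TOTP relay, attacker session belongs to:", scenario_totp())
    print("WebAuthn relay (forwarded, origin-rewritten):", scenario_webauthn())
    print("Legitimate WebAuthn login:", scenario_legitimate_webauthn())
```

The point the simulation makes is that the TOTP path has nothing tying the second factor to where the user actually typed it, so a live relay is indistinguishable from the real user; the WebAuthn path carries the browser's origin inside the signed data, and the proxy can neither pass it through unchanged nor alter it without invalidating the signature.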

Ransomware gangs are not immune to the appeal of artificial intelligence (AI). Since ChatGPT's launch roughly two years ago there has been discussion in the criminal community about how such models can be used for nefarious purposes, typically phishing, but some of the use cases are rather more novel.

In one attack Secureworks investigated, a cyber criminal gang used generative AI to create content for malicious websites that were then manipulated to the top of Google search results by SEO poisoning. Such websites are a prime route by which malware and ransomware spread quickly.

"The cyber crime landscape continues to evolve, sometimes subtly, sometimes more significantly. The rise in AitM attacks reinforces that identity is the perimeter and should prompt businesses to take stock and reflect on their protective posture," said Smith. For all the attention AI is attracting, he added, the growth in AitM attacks poses the more immediate problem for enterprises.
