Hackers Join the Ecosystem 12 Club

Despite ongoing law enforcement action to take down ransomware gangs, Secureworks has observed a 30% year-on-year rise in active ransomware groups. In the eighth edition of its annual State of the Threat Report[1], the firm identified 31 new groups that entered the ransomware ecosystem in the last 12 months. The report noted that while a few big players had previously dominated the threat landscape, it is now home to a broader set of emerging entities.[2]

The top four most active ransomware groups, based on the number of victims listed, are:

  • LockBit is described as the “long-established top dog” of ransomware. The group accounted for 17% of all listed victims, down by 8% on the previous year, with credit for this fall given to the ongoing law enforcement activity, Operation Cronos, which has disrupted much of the group’s activity.
  • PLAY was the second most active group and has doubled its victim count year-over-year.
  • RansomHub is a new group that surfaced a week after the initial LockBit takedown in February 2024. It was responsible for 7% of listed victims.
  • BlackCat/ALPHV was previously one of the most active ransomware groups, but law enforcement activity caused significant disruption to its operations.


Secureworks noted that despite the growth in the number of ransomware groups, victim numbers did not rise at the same pace. The company said this points to a more fragmented landscape and raises the question of how successful these new groups will be. “Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit. “As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders,” Smith said.

AI tools are now widespread and readily available for both legitimate and criminal use. Secureworks CTU researchers said they had observed increased posts on underground forums about OpenAI’s ChatGPT and how it can be put to nefarious use since mid-February 2023. The company said that much of the discussion relates to relatively low-level activity, including phishing attacks and basic script creation.

Meanwhile, adversary-in-the-middle (AiTM) attacks are being used to steal credentials and session cookies in order to gain access to networks. Because the attacker’s reverse proxy relays the victim’s real login, second factor included, and then captures the session cookie the identity provider issues, this reduces the effectiveness of MFA methods that are not bound to the site’s origin (one-time codes, SMS, and push approvals), a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy, and Tycoon2FA. “The growing use of AI lends scale to threat actors. However, the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture,” said Smith.
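The defensive check that follows from the AiTM description above is to look for the replay itself: the identity provider records a fully authenticated (MFA-satisfied) sign-in from the phishing proxy’s network, and shortly afterwards the same session token is used from the attacker’s own network, typically with a different browser. The Python below is an added example, not code from the Secureworks report or from Red Sky Alliance. The event fields, ASN labels, and sample log lines are constructed for the example and are not any vendor’s log schema; real identity providers expose comparable fields under their own names.

```python
"""
Detecting adversary-in-the-middle (AiTM) session-cookie replay in sign-in logs.

Added example, not from the Secureworks report or Red Sky Alliance.  The event
format below is an assumption constructed for this example, not a vendor
schema.  The detector groups sign-in events by session token and flags any
session whose first MFA-satisfied sign-in is followed, within a window, by use
from a different autonomous system (ASN), which is the footprint left when a
cookie captured by a reverse proxy is replayed from the attacker's machine.
"""

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class SignInEvent:
    ts: datetime
    user: str
    session_id: str      # identifier of the issued session/refresh token
    src_ip: str
    asn: str             # autonomous system the source IP belongs to
    user_agent: str
    mfa_satisfied: bool  # True when the IdP accepted a second factor


@dataclass(frozen=True)
class Alert:
    user: str
    session_id: str
    first_asn: str
    replay_asn: str
    minutes_apart: float
    reason: str


def detect_session_replay(events, window=timedelta(hours=24)):
    """Return alerts for session tokens used from more than one ASN within `window`.

    Events need not be sorted; they are grouped per session and ordered by time.
    The first MFA-satisfied use of a session is treated as its origin.  Any later
    use from a different ASN within the window is reported; a changed user agent
    on top of that is noted in the alert reason.
    """
    by_session = {}
    for ev in events:
        by_session.setdefault(ev.session_id, []).append(ev)

    alerts = []
    for sid, evs in by_session.items():
        evs.sort(key=lambda e: e.ts)
        origin = next((e for e in evs if e.mfa_satisfied), None)
        if origin is None:
            continue  # no authenticated session exists to replay
        for ev in evs:
            if ev.ts <= origin.ts or ev.asn == origin.asn:
                continue
            if ev.ts - origin.ts > window:
                continue
            reason = "session token used from a second ASN"
            if ev.user_agent != origin.user_agent:
                reason += " with a different user agent"
            alerts.append(Alert(
                user=ev.user, session_id=sid, first_asn=origin.asn,
                replay_asn=ev.asn,
                minutes_apart=(ev.ts - origin.ts).total_seconds() / 60,
                reason=reason,
            ))
    return alerts


# Constructed sample log (not real data): alice's session stays inside the
# corporate ASN; bob's MFA sign-in arrives from a hosting provider (the
# phishing proxy) and his cookie is reused 12 minutes later from elsewhere.
T0 = datetime(2024, 10, 9, 9, 0)
SAMPLE_EVENTS = [
    SignInEvent(T0, "alice@example.com", "sess-111", "203.0.113.10",
                "AS64500-CORP", "Edge/128 Windows", True),
    SignInEvent(T0 + timedelta(hours=3), "alice@example.com", "sess-111",
                "203.0.113.10", "AS64500-CORP", "Edge/128 Windows", False),
    SignInEvent(T0 + timedelta(minutes=5), "bob@example.com", "sess-222",
                "198.51.100.7", "AS64496-HOSTING", "Chrome/129 Windows", True),
    SignInEvent(T0 + timedelta(minutes=17), "bob@example.com", "sess-222",
                "192.0.2.44", "AS64511-VPN", "Chrome/129 Linux", False),
]

if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_EVENTS):
        print(f"{a.user} {a.session_id}: {a.reason} "
              f"({a.first_asn} -> {a.replay_asn}, {a.minutes_apart:.0f} min)")
```

Two caveats for anyone running this against real logs. Corporate VPNs, mobile carriers and split-tunnel setups legitimately move one session across ASNs, so an allowlist of expected ASNs per tenant is needed to keep the false-positive rate down, and the MFA sign-in itself originating from a hosting-provider ASN is a useful second signal to weight. Detection is also only the fallback: the kits named above cannot relay FIDO2/WebAuthn authentication, because the browser binds the signed assertion to the real site’s origin, so a proxy on a lookalike domain never obtains a valid response. Moving privileged accounts to phishing-resistant MFA removes the class of attack rather than just alerting on it.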

China, Russia, Iran, and North Korea continue to be the hostile state actors of most concern, and Secureworks said they all continue to deploy cyber campaigns against their usual targets.

Russia has shifted its tactics around the conflict in Ukraine toward espionage-driven attacks that seek to gain military intelligence. This activity has also been observed outside Ukraine.

CTU researchers assessed that Russia’s most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine. Meanwhile, China has evolved its tradecraft with huge investments in obfuscated networks while living off the land, on the edge, and in the cloud. China's intent continues to focus on espionage and information theft for political, economic, and military gain.

Iran has two primary state sponsors of cyber activity: the Islamic Revolutionary Guard Corps (IRGC) and the Ministry of Intelligence and Security (MOIS). Their activity continues to be driven by political imperatives focused on Israel and other regional adversaries, including Saudi Arabia, the United Arab Emirates, Kuwait, and the US.

Finally, North Korean threat actors have continued their revenue-generation operations via cryptocurrency theft and sophisticated fraudulent employment schemes that place their operatives in Western jobs. They persistently targeted the IT sector and weaknesses in the supply chain, focusing on entities in the US, South Korea, and Japan.

North Korea is also willing to work with Russia and Iran, with the intent of fostering relations with countries prepared to confront shared, perceived enemies despite international sanctions.

 

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    


[1] https://www.secureworks.com/resources/rp-state-of-the-threat-2024

[2] https://www.infosecurity-magazine.com/news/new-ransomware-groups-emerge-2024/
