Despite the flurry of law enforcement action to take down ransomware gangs, Secureworks has observed a 30% year-on-year rise in active ransomware groups.
In the eighth edition of the Secureworks annual State of The Threat Report, the firm identified 31 new groups that had entered the ransomware ecosystem in the last 12 months.
The report noted that while the threat landscape had previously been dominated by a few big players, it is now home to a broader set of emerging entities.
The top three most active ransomware groups, based on the number of victims listed, are:
- LockBit, which Secureworks described as the “long established top dog” of ransomware. The group accounted for 17% of all listed victims. This is down by 8% on the previous year with credit for this fall given to the ongoing law enforcement activity, Operation Cronos, which has disrupted much of the groups’ activity
- PLAY was the second most active group and has doubled its victim count year-over-year
- RansomHub has emerged as a new group, entering the fold a week after the initial LockBit takedown in February 2024. The group was responsible for 7% of the share of victims listed
BlackCat/ALPHV, previously one of the most active ransomware groups, has not this year entered the top three, with law enforcement activity causing significant disruption to its operations.
Secureworks noted that despite the growth in ransomware groups, victim numbers did not rise at the same pace. The company said that this demonstrates a more fragmented landscape and poses the question of how successful these new groups might be.
“Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
“As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders,” Smith said.
AI and Adversary-in-the-Middle (AiTM) Growing Threats
AI tools are now widespread and readily available for both legitimate and criminal use.
Secureworks CTU researchers said they have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes since mid-Febrary 2023.
Much of the discussion relates to relatively low-level activity including phishing attacks and basic script creation, the company said.
Meanwhile, AiTM attacks are being used to steal credentials and session cookies in order to gain access to networks.
This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits that are available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.
“The growing use of AI lends scale to threat actors, however the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture,” said Smith.
Analysis of State-Sponsored Threat Activity
China, Russia, Iran and North Korea continue to be the hostile state actors of most concern and Secureworks said they all continue to deploy cyber campaigns against their usual targets.
Russia has evolved its tactics with relation to the conflict in Ukraine to focus on espionage-driven attacks that look to gain military intelligence. This activity has been observed outside of Ukraine.
CTU researchers assessed that Russia’s most aggressive use of cyber capabilities in sabotage operations will remain focused on critical infrastructure targets within Ukraine.
Meanwhile, China has evolved its tradecraft with huge investment in obfuscated networks whilst living off the land, in the edge and in the cloud. China's intent continues to focus on espionage as well as information theft for political, economic and military gain.
In Iran, there are two primary Iranian sponsors of cyber activity: the Islamic Revolutionary Guard Corp (IRGC) and the Ministry of Intelligence and Security (MOIS). Their cyber activity continues to be driven by political imperatives focused on Israel and other regional adversaries including Saudi Arabia, United Arab Emirates and Kuwait, as well as the US.
Finally, North Korean threat actors have continued their revenue generation operations via cryptocurrency theft and sophisticated fraudulent employment schemes to gain access to Western jobs. They were persistent in targeting the IT sector and weaknesses in the supply chain. Targets focused on entities in the US, South Korea and Japan.
North Korea is willing to work with Russian and Iran with the intent to foster relations with countries that are prepared to confront related, perceived enemies despite international sanctions.
The annual State of the Threat Report examines the cybersecurity landscape from June 2023 to July 2024.