Customer portal
Category

Ransomware

"SOS
Ransomware

Ransomware – State of Play July 2024

Ransomware – State of Play

July 2024

SOS Intelligence is currently tracking 206 distinct ransomware groups, with data collection covering 424 relays and mirrors.

In the reporting period, SOS Intelligence has identified 388 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 2% increase in July when compared to the previous month, and a 16% increase in activity when compared to the previous year.  Furthermore, the number of active groups has decreased to 34 from 37 the previous month.

This month has seen a significant increase in activity from Ransomhub, making a significant charge to fill the void left by LockBit.  Data for this strain may be skewed, however, by the group using multiple data leak sites to advertise and disseminate stolen data.

Significant activity has been noted from the Handala group, who have exclusively targeted Israel and Israel-based entities over the month.  Handala (Arabic: حنظلة) is a prominent national symbol and personification of the Palestinian people, so this activity is highly likely a response to the continued conflict in the Middle East.  Handala has been increasing activity against Israel throughout the year, including significant attacks against Zerto, and allegedly Israel’s Iron Dome air defence system.

Analysis of Geographic Targeting

Over the last month, targeting continues to follow financial lines, with the majority of attacks targeted at G7, EU and BRICS bloc countries.  Furthermore, a significant number of attacks have been directed towards Israel, with likely political motivations.

Compared to June, 4% more countries were targeted in July.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

Scattered Spider, a threat actor group known for its social engineering tactics and attacks on VMware ESXi servers, has recently incorporated new ransomware strains into its operations. The group has adopted RansomHub, a rebranded variant of Knight ransomware, and Qilin ransomware. Previously, Scattered Spider used the now-defunct BlackCat ransomware, but it has since shifted to deploying RansomHub in post-compromise scenarios, reflecting its evolving tactics and adaptation to new tools within the cybercriminal landscape.

A flaw in the cryptographic scheme of the DoNex ransomware family has been identified, enabling victims to recover their files for free using a newly released decryptor. This vulnerability, affecting all variants of DoNex, was revealed at a recent cybersecurity conference and involves issues with the encryption key generation and application of ChaCha20 and RSA-4096 algorithms. The decryptor, available through private channels since March 2024, was publicly released following the flaw’s disclosure. Victims are advised to use a large example file for decryption and to back up their encrypted data before proceeding.

Two Russian nationals have pleaded guilty to their involvement in LockBit ransomware attacks that targeted victims worldwide. As affiliates of LockBit’s ransomware-as-a-service operation, they breached vulnerable systems, stole data, and deployed ransomware to encrypt files. One of the individuals has been arrested and faces up to 25 years in prison, while the other has been sentenced to four years. Despite recent law enforcement actions that have seized LockBit’s infrastructure and decryption keys, the ransomware group remains active, continuing to target victims and release stolen data.

Threat Group Development

Change in threat group TTPs to target VMWare ESXi

Play ransomware has recently expanded its focus to target VMware ESXi environments, marking a significant shift in its operations toward broader Linux platform attacks. Utilizing a dedicated Linux locker, Play ransomware encrypts virtual machines (VMs) by first verifying the environment, then scanning for and shutting down active VMs before proceeding with encryption. This approach highlights the group’s advanced evasion techniques and adaptability in the ransomware landscape. The encryption process affects critical VM files, such as disks and configurations, with files receiving a .PLAY extension. Additionally, Play has started using URL-shortening services for its operations, further showcasing its sophistication.

Similarly, Eldorado ransomware, which initially targeted Windows systems, has expanded its scope to include VMware ESXi VMs since its emergence in March. This ransomware employs ChaCha20 encryption across both platforms, allowing affiliates to customise attacks. Meanwhile, the SEXi ransomware operation, rebranded as APT INC, has intensified its focus on VMware ESXi servers since February 2024, leveraging leaked Babuk and LockBit 3 encryptors. APT INC has gained notoriety with high-profile attacks, such as the one on Chilean hosting provider IxMetro Powerhost, with ransom demands reaching millions. The operation continues to use the same encrypted messaging application for negotiations, with no known weaknesses in its encryption for file recovery.

Evolution of BlackBasta

In 2024, Black Basta ransomware has shown significant evolution, adapting to challenges by shifting to custom malware and incorporating new tools after the disruption of its previous partner, QBot. The group now utilizes sophisticated malware like the SilentNight backdoor, memory-only droppers such as DawnCry and KnowTrap, and custom tunneling tools including PortYard and SystemBC. Additionally, it has integrated reconnaissance and execution utilities like CogScan and KnockTrock into its attack processes. These developments underscore Black Basta’s resilience and sophistication, as it continues to pose a formidable global threat by employing advanced tactics and exploiting zero-day vulnerabilities.

New & Emerging Groups

MAD LIBERATOR is a newly emerged ransomware group that launched its leak site in July 2024. The group claims to offer services to help companies fix security issues and recover their files, demanding a fee for their assistance. If the payment is not made, MAD LIBERATOR threatens to publicly list the companies and publish their stolen data. They employ AES/RSA encryption for securing the files. As of the report’s writing, the group had already listed eight victims on its leak site, showcasing their active and ongoing operations.

Ransomcortex is a lesser-known ransomware group with limited information available. However, the group has claimed responsibility for three attacks, all targeting the healthcare sector in Brazil. Despite the lack of detailed information, the choice of victims within such a critical industry highlights the potentially serious impact of their activities.

Vanir Group is a new ransomware group that has quickly gained notoriety for its aggressive and professional tactics. They publicize their attacks via a data leak site and issue intimidating messages to CEOs and domain administrators of the affected companies. These messages warn that the companies’ internal infrastructure has been compromised, backups deleted or encrypted, and critical data stolen. The Vanir Group stresses the importance of cooperation to avoid further damage, threatening to sell or distribute the stolen data if demands are not met. Their website also features an interactive terminal for updates and invites potential affiliates to join their operations. Interestingly, their leak site bears a resemblance to that of Akira, another notorious ransomware group.

Vulnerabilities Observed in Use

"SOS
Ransomware

Ransomware – State of Play June 2024

Ransomware – State of Play

June 2024

SOS Intelligence is currently tracking 199 distinct ransomware groups, with data collection covering 393 relays and mirrors.

In the reporting period, SOS Intelligence has identified 381 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 20% decrease in June when compared to the previous month, but a 10% increase in activity when compared to the previous year.  Furthermore, the number of active groups has decreased to 34 from 37 the previous month.

This month has seen a significant increase in activity from Ransomhub, making a significant charge to fill the void left by LockBit.  Data for this strain may be skewed, however, by the group using multiple data leak sites to advertise and disseminate stolen data.

Analysis of Geographic Targeting

Over the last month, the percentage volume of attacks against the US dropped by 7%.  Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to May, 22% fewer countries were targeted in June.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

Australian Mining Company Reports Breach

Northern Minerals, an Australian rare earth exploration firm, reported a security breach where data was stolen and later appeared on the dark web. The stolen information includes corporate, operational, and financial data, as well as details about personnel and shareholders. The company informed authorities and affected individuals. Despite the breach, its mining operations continue uninterrupted. The BianLian ransomware group claimed responsibility and published the data after Northern Minerals refused to pay the ransom.

Black Basta Hits Keytronic

Keytronic, a leading PCBA manufacturer, suffered a major data breach due to the Black Basta ransomware gang. The attack halted operations in the U.S. and Mexico for two weeks. Black Basta leaked 530GB of stolen data, including personal and corporate information. In an SEC filing, Keytronic reported that the breach would significantly impact their fourth-quarter financials, with expenses of around $600,000 for external cybersecurity services. The company is notifying affected parties and regulatory agencies as required by law.

Conti and LockBit Ransomware Specialist Arrested

Ukrainian cyber police have apprehended a 28-year-old Russian in Kyiv for assisting Conti and LockBit ransomware groups. The individual specialized in making their malware undetectable and also carried out a ransomware attack himself. The arrest, part of ‘Operation Endgame,’ was the result of a Dutch police investigation. The suspect could face up to 15 years in prison.

Qilin Targets Healthcare Sector

A ransomware attack by the Qilin group disrupted multiple London hospitals by targeting Synnovis (formerly Viapath). This affected operations at Guy’s and St Thomas’ NHS Foundation Trust and King’s College Hospital NHS Foundation Trust. Over 800 surgeries and 700 appointments had to be rescheduled, with IT system recovery expected to take months. The attack caused shortages in blood supplies, especially O-positive and O-negative types, prompting urgent donation appeals from NHS Blood and Transplant.

Ransomhub Makes Headlines

British auction house Christie’s faced a data breach by the RansomHub ransomware group, resulting in the theft of sensitive client information. Christie’s quickly secured their network, enlisted external cybersecurity experts, and notified law enforcement. The breach affected potentially 500,000 clients. Christie’s is offering a free twelve-month subscription to an identity theft and fraud monitoring service for those impacted. RansomHub, known for its data-theft extortion methods, claimed responsibility and announced the sale of the stolen data on their dark web auction platform.

New & Emerging Groups

El Dorado Ransomware

In mid-June 2024, researchers identified a new ransomware group named El Dorado. This variant, derived from the LostTrust ransomware, encrypts files and appends the “.00000001” extension to filenames. It also generates a ransom note titled “HOW_RETURN_YOUR_DATA.TXT.”

Cicada3301

Cicada3301 has recently emerged as a significant cyber threat, targeting organizations worldwide. Known for their sophisticated attack methods, they have been involved in several high-profile ransomware attacks. Their operations typically involve detailed reconnaissance and exploiting network vulnerabilities, especially those neglected in IT security protocols. As of this report, the group has listed four victims, with all the companies’ data leaked on their site.

SenSayQ

SenSayQ is a new ransomware actor recently observed in the threat landscape. While their exact methods remain unclear, they are known to use double-extortion tactics, involving both data exfiltration and file encryption. SenSayQ utilizes a variant of LockBit ransomware, leaving ransom notes in most folders. Currently, the group has two victims listed on its leak site.

Trinity

Trinity is a newly identified ransomware variant, believed to be an updated version of “2023Lock.” This malware encrypts files and appends the “.trinitylock” extension. Trinity shares some of its code with another variant known as Venus. The threat actors behind Trinity use double extortion techniques, exfiltrating confidential files and threatening to release them publicly if their demands are not met. By mid-June, the group listed five victims, but this was later reduced to three, suggesting possible ransom payments or data sales to third parties.

VULNERABILITIES EXPLOITED IN JUNE 2024 BY RANSOMWARE GROUPS

CVECVSSVulnerability NameAssociated Threat actor
CVE-2024-45779.8PHP-CGI OS Command Injection VulnerabilityTellYouThePass ransomware
CVE-2024-261697.8Microsoft Windows Error Reporting Service Improper Privilege Management VulnerabilityBlackbasta
"SOS
Ransomware

Ransomware – State of Play May 2024

SOS Intelligence is currently tracking 193 distinct ransomware groups, with data collection covering 384 relays and mirrors.

In the reporting period, SOS Intelligence has identified 474 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  While this data represents known and publicised data breaches and ransomware attacks, the nature and operation of these groups means that not every successful attack is published and made public, so true figures on the volume of attacks are likely to be higher.   Our analysis of available public data is presented below:

Threat Group Activity and Trends

Ransomware activity showed a 30% increase in May when compared to the previous month, and a 4% increase in activity when compared to the previous year.  Furthermore, the number of active groups has increased to 37 from 36 the previous month.

This significant increase in activity has been driven by a surprise surge of activity from the Lockbit group.  In May, the group published 176 victims to its Data Leak Site (DLS), representing 37% of all publicised attacks for the month.  Further, this is a 633% increase in activity from the previous month and comes at a time when Lockbit was expected to be showing a continued decrease in activity.  Rather what we have seen is Lockbit’s busiest month on record.

The sudden surge from Lockbit has been a surprise to many.  The first tranche of published data emerged shortly after further law enforcement announcements regarding the group and its takedown.  Notable among the data released is an unusually high volume of affected victims in Spain and India being released quickly.  This may indicate the activity of an affiliate or affiliates with a particular proclivity for targeting those countries.  It should be noted that some of the victims had previously had their data released in the previous year, suggesting that Lockbit might be recycling data for additional ransoms and also to appear active.  Furthermore, it isn’t clear when these victims were targeted, so the actual point of breach may have been before law enforcement activity against Lockbit in February 2024.

Analysis of Geographic Targeting

Over the last month, the percentage volume of attacks against the US dropped by 7%.  Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to April, 41% more countries were targeted in May.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries in Southeast Asia, Africa and South America, whereas more established variants focus more on North America, Western Europe and Australia.

Industry Targeting

Targeting has broadly increased across all victim sectors, however significant increases have been seen in the Manufacturing, Construction & Engineering and IT & Technology industries.

Notably, there appears to have been increased targeting against public-sector entities.  This is likely a result of many groups abandoning their affiliate rules on targeting of such victims.

Significant Events

LockBit Black distributed via Botnet in the wild

Since April, the Phorpiex botnet has sent millions of phishing emails to distribute LockBit Black ransomware. These emails, often sent using aliases with simple names, include ZIP attachments containing executables that install the ransomware. Leveraging LockBit 3.0’s leaked builder, the campaign targets various industries worldwide. Active for over a decade, the Phorpiex botnet has evolved from a worm to an IRC-controlled trojan, and has been implicated in sextortion and cryptocurrency theft.

Social engineering attacks delivering Blackbasta

Researchers have observed the threat actor Storm-1811 using Microsoft Teams and Quick Assist for social engineering attacks that result in the deployment of Blackbasta ransomware. Storm-1811 employs voice phishing (vishing) and malicious links to gain access through Quick Assist. They use tools such as Qakbot, remote monitoring and management (RMM) tools like ScreenConnect and NetSupport Manager, and Cobalt Strike. Additionally, Storm-1811 utilises EvilProxy phishing sites and SystemBC for persistence and command-and-control. After compromising a system, they use PsExec to deploy Black Basta ransomware.

INC Ransomware source code for sale

Threat actor “salfetka” is alleging to have for sale the source code to INC Ransom, valued at $300,000.  The legitimacy of the sale is uncertain.   This comes at a time where there have been changes within the groups operation, which suggests possible plans for a new encryptor.

Threat actors targeting Windows admins with fake ads

A ransomware campaign is targeting Windows system administrators by promoting fake download sites for Putty and WinSCP through search engine ads. These fraudulent sites offer Trojanized installers that deploy the Sliver toolkit, facilitating further network access and potential ransomware deployment. The campaign employs tactics similar to those used by BlackCat/ALPHV ransomware, highlighting an increasing threat from search engine advertisements for popular software.

New Groups

SpiderX

SpiderX, a new ransomware-as-a-service promoted by threat actors on underground forums, is designed for Windows systems and boasts advanced features surpassing its predecessor, Diablo. Key capabilities include ChaCha20-256 encryption for rapid file encryption, offline functionality for stealth operations, comprehensive targeting of all connected drives, and a built-in information stealer that exfiltrates data to MegaNz. Priced at $150, SpiderX poses a significant cybersecurity threat due to its affordability and efficiency.

Fakepenny

Researchers have identified a new North Korean hacking group, Moonstone Sleet, active since August 2023. This threat actor employs custom ransomware called ‘FakePenny,’ first detected in April 2024, which includes a loader and an encryptor with ransom notes resembling those used by Seashell Blizzard’s NotPetya. Moonstone Sleet’s ransom demands are notably high, with one reaching $6.6 million in Bitcoin, surpassing previous North Korean ransomware demands such as WannaCry 2.0 and H0lyGh0st.

Arcusmedia

First identified in May, the Arcusmedia group has been responsible for at least 17 incidents to date, primarily targeting South America across a wide range of sectors, including government, banking, finance, construction, architecture, music, entertainment, IT, manufacturing, professional services, healthcare, and education.

"SOS
Ransomware

Ransomware – State of Play April 2024

SOS Intelligence is currently tracking 192 distinct ransomware groups, with data collection covering 382 relays and mirrors.

In the reporting period, SOS Intelligence has identified 365 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

Group Activity and Trends

Ransomware activity showed a 13% decrease in April when compared to the previous month, and a 7 % decrease in activity when compared to the previous year. However, the number of active groups has increased to 36 from 33 the previous month.

The overall drop in victim numbers for April is likely an ongoing effect of the dissolution of AlphV/BlackCat and the significant decrease in activity from Lockbit as a result of law enforcement activity in February.

Since February, we have closely monitored group activity for signs of where AlphV and Lockbit affiliates would take their business. The top six groups for the year-to-date are represented above and as yet, no one group has emerged above the others. Hunters International, Play and Ransomhub established themselves as the most active across April, but over the three months, we have also seen significant activity from Blackbasta and 8base. This could suggest that displaced affiliates are not settled on a final product, and have been utilising different ransomware services in the wake of the downfall of AlphV and Lockbit.

Analysis of Geographic Targeting

The volume of targeting against US-based victims has remained steady at around 50% of all reported ransomware attacks.  Targeting continues to follow financial lines, with the majority of remaining attacks targeted at G7 and BRICS bloc countries.

Compared to March, 11% fewer countries were targeted in April.  Our data is also showing interesting geographic targeting data.  We have observed emerging or developing strains targeting developing countries, whereas more established variants focus more on North America, Western Europe and Australia.

Top Strains per Country

United States
Canada
United Kingdom
Germany
Italy
– play
– play
– snatch
– ragroup
– ransomhub
– hunters
– blacksuit
– dragonforce
– 8base
– rhysida
– blacksuit
– akira
– lockbit3
– lockbit3
– ciphbit

Industry Targeting

Despite a reduction in victim volume, Manufacturing and IT & Technology remain at the forefront of threat actor targeting. Health & Social Care and Retail & Wholesale continue to see an emergence as a target of choice amongst multiple different variants, likely due to many groups removing targeting restrictions in the wake of law enforcement activity and continued western support for Ukraine.

Top Strains per Industry

Manufacturing
IT & Technology
Health & Social Care
Construction & Engineering
Retail & Wholesale
– play
– ransomhub
– incransom
– play
– hunters
– hunters
– darkvault
– qiulong
– cactus
– ransomhub
– blackbasta
– cactus
– ransomhub
– lockbit3
– lockbit3

Significant Events

8base targets the United Nations

The United Nations Development Programme (UNDP) was subject to an 8base ransomware attack, resulting in the exfiltration of human resources and procurement information. Despite significant demands being made, the UN has stood fast in its decision to not make payment.

Akira collects ransoms worth USD 42 million

An advisory provided cyber security centre’s in the USA, Netherlands and Europe has revealed that, since March 2023, the Akira ransomware strain has been responsible for attacks against 250 victims, with an estimated total ransom value of USD 42 million.

Lockbit not disappearing without a fight

The District of Columbia Department of Insurance, Securities & Banking,a local government department in the US capital, was added to the long list of Lockbit victims.  An estimated 800GB of sensitive data was obtained in the breach, which has not been made available to the public amid reports of it being sold privately.

New Groups

APT73

  • Suspected to be a LockBit spin-off – several pages on their leaksite resemble those used by LockBit
  • Listed 4 victims since appearing in late April

DarkVault

  • Suspected to be a LockBit spin-off – several pages on their leaksite resemble those used by LockBit
  • Also involved in other illicit activities, such as bomb threats, doxing, and fraud.
  • Listed 22 victims since appearing in April

Quilong

  • Currently exclusively targeting victims in Brazil
  • Listed 6 victims since appearing in April

SEXi

  • Emerged in April 2024, targeting a hosting company in Chile. 
  • Encrypts VMware ESXi servers and backups, appending the .SEXi extension to encrypted files and dropping ransom notes named SEXi.txt. The name ‘SEXi’ is believed to be a play on ‘ESXi,’ as the attacks exclusively target VMWare ESXi servers.

Space Bears

  • Sports a unique front end with corporate stock images but also maintains a classic “wall of shame” for their victims.
  • Alongside instructions for affected companies, they operate both a .onion site and a clearnet website.

Vulnerability Exploitation

Threat actors are maintaining techniques focusing on the exploitation of vulnerabilities in public-facing corporate infrastructure.  

In recent weeks, Linux variants of the Cerber ransomware have been seen to be deployed utilising exploitation of Atlassian Confluence Data Center and Server, specifically CVE-2023-22518.  CVE-2023-22518 is a critical severity (CVSS 9.1) Improper Authorisation Vulnerability which allows an unauthenticated attacker to reset Confluence and create an administrator account for persistent access.

"SOS
Investigation, Ransomware

Ransomware – State of Play February 2024

SOS Intelligence is currently tracking 180 distinct ransomware groups, with data collection covering 348 relays and mirrors.

In the reporting period, SOS Intelligence has identified 395 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

LockBit has maintained its position as the most active and popular ransomware strain.

This is despite significant law enforcement interruption, the impact of which will be discussed further below.

Despite law enforcement action towards the end of 2023, ALPHV/Blackcat has maintained a strong presence online and continues to post victim data.  However, owing to how the ransomware process operates, this could be seen to be victims compromised before law enforcement takedown of ALPHV/Blackcat infrastructure.

Increased activity has been identified amongst BianLian, Play, QiLin, BlackBasta, 8base and Hunters ransomware strain.  This increase may be attributed to these strains absorbing affiliates from LockBit and ALPHV/Blackcat as those services went offline.

This month, Ransomhub, AlphaLocker, Mogilevich, & Blackout have emerged as new strains.  Mogilevich has been observed targeting high-value victims, including Epic Games, luxury car company Infiniti, and the Irish Department of Foreign Affairs.

Group targeting continues to follow familiar patterns in terms of the victim’s country of origin.

Attacks have increased in South American countries, particularly in Argentina, which may be a response to presidential elections in November 2023 in which the far-right libertarian Javier Milei was elected.

Targeting continues to follow international, geopolitical lines.  Heavy targeting follows countries that have supported Ukraine against Russia.  Attacks against Sweden continued as it pressed ahead with preparations to join NATO.   This highlights the level of support ransomware groups continue to show towards the Russian state, and they will continue to use cyber crime to destabilise and weaken Western and pro-Ukrainian states.

Manufacturing and Construction and Engineering have remained the key targeted industries for February.  These industries would be more reliant on technology to continue their business activities, and so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial, Retail & Wholesale, Legal, and Education sectors have also seen increased activity over the period.  Health & Social Care has seen a significant increase over the period.  This is likely in response to several groups, including ALPHV/Blackcat reacting to law enforcement activity and allowing their affiliates to begin targeting these industries.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

LockBit Takedown

On 20 February, an international law enforcement effort was successful in taking control of and shutting down the infrastructure of the LockBit ransomware strain.  Much has been disclosed and said regarding the takedown, some of it speculative, however, it was confirmed by the UK’s National Crime Agency (NCA) and the US’s Federal Bureau of Investigation that control of their dark web domains and infrastructure was obtained, providing them with significant information regarding the activity of the LockBit group and its affiliates.

Since then, multiple LockBit blog sites have re-emerged, and new data continues to be published.  However, it is not clear whether or not this is new activity since the takedown.  It is more likely that these are victims compromised before law enforcement activity which are only now being blackmailed with data release.

We are continuing to monitor the ransomware landscape at this time to properly analyse the impact this takedown will have.  This event has had a significant impact on the reputation of the LockBit group, with many affiliates angry at the perceived lack of operational security resulting in the possible identification of their real-world identities.  We are anticipating many of these will look to gain access to the affiliate programs of other strains, and so we will expect to see a significant increase in reported attacks from those strains in the coming weeks and months.  As for LockBit, the threat actors behind the group remain active, and it is likely we will see a re-emergence as a new group in due course.

ALPHV/Blackcat exit scam

The ALPHV/Blackcat group is making headlines for all the wrong reasons.  After first having their leak site taken over by law enforcement, they now appear to have absconded with affiliate funds.

In February 2024, ALPHV/Blackcat announced an attack against healthcare provider Change Healthcare (part of United Health Group).  Following this, a ransom of $22 million was paid to ALPHV.  Several days later, the responsible affiliate took to the cybercrime forum RAMP to state that they hadn’t been paid their share of the spoils (potentially up to 90%).  It appears now that the group has collapsed from within, ending with a final exit scam as they shut down operations.  The group have further claimed to have sold their source code in the process, so we may see copycat groups emerge in due course.

While the dissolution of a notorious group should be celebrated, especially following successful law enforcement activity, it should be noted that shutting down in this way presents a significant risk to recent victims.  The affiliate responsible for the Change Healthcare data, as well as affiliates who may have been similarly affected, are likely to still hold victim data and so, for those victims, there remains a risk that they may be further blackmailed as affiliates attempt to recoup their lost earnings.

Photo by FLY:D on Unsplash

"SOS
Investigation, Ransomware

Ransomware – State of Play January 2024

SOS Intelligence currently tracks 173 distinct ransomware groups, with data collection covering 324 relays and mirrors.

In the reporting period, SOS Intelligence has identified 274 instances of publicised ransomware attacks.  These were identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

Threat Actor Activity

Lockbit has remained the market leader, maintaining a market share of approximately 23%.  Blackbasta, Akira, Trigona, 8base and Bianlian have seen significant increases in activity over the month, while there have been decreases in activity from Cactus, Werewolves, Siegedsec, Dragonforce, and Play.

January is typically a quieter month for ransomware threat actors.  In 2022, the volume of attacks was 17% less than the yearly average. In 2023, this increased to 54%.  This slowing of activity is likely due to the proximity of several national and religious holidays observed globally between December and January.  However, in 2024, we observed a significant increase in attacks across January.  Two factors stand out as possible causes for this:

  1. Ongoing global hostilities

It has been observed that pro-Russian cybercriminal groups have been vocally supportive of the ongoing war in Ukraine, and have diverted significant resources in targeting the supporters of Ukraine.  Similar patterns have been noted in the targeting of victims in countries which have shown support for Israel.

Although ransomware groups and threat actors are primarily financially motivated, their resources and skills are often seen turned against perceived enemies of the state, blurring the lines between criminal and hostile state activity.

  1. Counter Ransomware Initiative

The Counter Ransomware Initiative (CRI) is a US-led group of 50 nations and organisations dedicated to promoting solidarity and support in the face of ransomware activity.  In October 2023, CRI members pledged not to pay ransoms when faced with cyber attacks.

As a result, it is expected that the number of observed postings to ransomware blogs will increase as victims no longer pay ransoms.  This may show an increase in victims’ data being published, rather than an overall increase in the number of victims.

Country Targeting

As stated above, ransomware threat actors’ choice of targets can be politically motivated, as well as financially.  This is why we continue to see the majority of attacks target the USA, UK, Canada, France, Germany and Italy.  As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors.  However, this surge in activity may be politically motivated.  Continued support for Israel and Ukraine may give certain threat actors additional motivation to target those countries.

This month has seen an increase in attacks against victims in Sweden.  Sweden is in the process of joining NATO, which appears to have presented the country as a target for pro-Russian threat actors in support of the Russian state.  Sweden’s membership would increase NATO’s presence in and around the Baltic Sea, a key waterway for allowing the Russian Navy into the North Sea and onward into the Atlantic.  Furthermore, it would increase a NATO presence close to Russia’s border with the rest of Europe.

Industry Targeting

Manufacturing, Construction & Engineering, and Logistics & Transportation have remained the key targeted industries for January.  These industries would be more reliant on technology to continue their business activities, so it logically follows that they would be more likely to pay a ransom to regain access to compromised computer systems.  The Financial and Education sectors have also seen increased activity over the period.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

ALPHV/Blackcat

In December 2023, law enforcement agencies from multiple jurisdictions targeted the ALPHV/Blackcat ransomware group, disrupting the groups’ activities and seizing their domain.  Shortly after, the domain was “un-seized” before law enforcement agencies took back control.  As a result of this action, the operators behind ALPHV/Blackcat have publicly withdrawn their rules regarding the targeting of Critical National Infrastructure (CNI), in apparent revenge for law enforcement activity.

Since the takedown, ALPHV/Blackcat activity has slowed but does not appear to have stopped.  In recent weeks they claim to have targeted and stolen confidential and sensitive data from Trans-Northern Pipelines in Canada, as well as Technica, a contractor working with the US Department of Defence, FBI, and USAF. 

The veracity of these claims is still being investigated, and so should be taken with a grain of salt.  The ALPHV/Blackcat group has been hurt by law enforcement, impacting their operations and losing them customers.  Therefore, it is possible that exaggerated claims are being made to save face and their reputation amongst the cybercrime community.

Photo by FLY:D on Unsplash

""/
Investigation, Opinion, Ransomware

Cybersecurity in 2024 – A Forward Look

2023 was a record year for cybercrime and threat actor activity, and we anticipate 2024 to be a continuation of this upward trend. Below we discuss a few key items we consider will be at the forefront of 2024’s cybersecurity landscape.

Expansion of ransomware operations

2023 was a record year for ransomware operators.  Reported attacks were nearly double the numbers seen in 2022. The most successful groups operated as-a-service (RaaS), allowing them time to improve and develop their product whilst others worked to deploy the malware and bring in the money. 

Law enforcement has been extremely active against these groups, taking down infrastructure relating to HIVE and ALPHV variants. However, in the latter’s case, this has seemingly slowed, but not halted their operations and they remain active in some capacity into 2024. Current data has shown a slight decline in the number of posts to their leak site however, this is a common pattern seen across many different variants and is likely due to the links to Russia and periods of inactivity over the holiday period.

We expect this year to be no exception to the continued growth of ransomware operations.  It remains a lucrative opportunity for threat actors and the RaaS operating model allows less-skilled operators to partake in this criminal activity.

It is anticipated that ransomware tactics will expand to provide further opportunities to “motivate” victims into paying a ransom for their data.  This will include the threat of deployment of “Wiper” malware – designed to fully delete an infected device or network in the event of non-compliance.

An increase in Supply Chain Attacks

It is highly anticipated that supply chain compromise will continue to be a tactic of choice for financially motivated and nation-state threat actors, who routinely and opportunistically scan the internet to identify unpatched systems ripe for exploitation.  

The efficiency of supply chain attacks will likely be improved by both the infection and dissemination of software packages granting third-party access.  This in turn allows threat actors to select and target their victims on a larger scale, leading to increased levels of compromise and wider attack surfaces for the deployment of malicious code.  Subsequently, this will allow threat actors to better maintain persistence within victim networks, granting more time to conduct reconnaissance, analyse connected networks, and spread to encompass more victims.

It is anticipated that supply chain attacks will target vulnerabilities in generative AI ecosystems. With AI and LLMs being utilised more and more to improve productivity, inevitably supply chains are becoming more interconnected.  Failure to properly secure these components within the supply chain could be fatal, allowing threat actors to poison AI training data, manipulate updates, inject malicious algorithms, engage in prompt engineering, or exploit vulnerabilities as an entry point to compromise organisations’ data or systems.

The growth of AI-driven cyber-crime

AI has seen a massive boom in 2023, and this is expected to continue into 2024 and beyond as it becomes increasingly integrated into all manner of processes and procedures.

In 2024, we anticipate a surge in threat actors embracing AI to improve the quality and speed of development of the tools in their arsenal. This will include a quick and cost-effective way to develop new malware and ransomware variants.  We also expect to see the increasing use of deepfake technologies to improve the standard of phishing and impersonation to support cyber-enabled frauds and business email compromise (BEC)

In contrast, it is anticipated that cyber security will employ a proactive strategy; as threat actors continue to harness the potential of AI and machine learning, cyber defenders will look to utilise similar techniques to counter these offensive tactics. The cyber security industry is already making substantial investments into the use of AI for defensive purposes, and this is expected to grow and be adopted by more in the field.  Generative AI (GenAI)-powered capabilities such as automated code generation, reverse engineering, and document exploitation will reach previously unthinkable levels of sophistication and speed. 

It is believed that GenAI will provide an improved toolkit to those targeting the human element when seeking to compromise network security.  GenAI will provide threat actors with an easier method for developing more convincing phishing messages at scale, create video and audio deepfakes, and more easily collect information on their targets. This highlights the need in 2024 for an increased focus on awareness training to better prepare staff and colleagues for the inevitable surge of phishing attacks in 2024.

Key Global Events

Geopolitics is a key motivator for threat actors in certain sectors, particularly nation-states and hacktivists.  Many key global events are scheduled for this year, providing high-profile targets for those who would seek to manipulate these events for their own gains.

Elections are due to be held in the following countries:

  • Taiwan
  • USA
  • Iran
  • Russia
  • Ukraine
  • South Korea
  • India
  • Austria
  • United Kingdom
  • European Parliament

The BRICS group is due to expand, taking on the following new members: Egypt, Ethiopia, Iran, Saudi Arabia, and the United Arab Emirates.  BRICS is now seen as an economic group to rival the G7, so it is anticipated that this expansion will lead to increased targeting of G7 financial institutions.

In July, the 2024 Summer Olympic Games will be held in Paris, France.  Such events provide numerous opportunities for threat actors to make financial gains through fraudulent ticketing, and phishing to obtain financial data and credentials.  Furthermore, it provides a canvas with global attention for those with a hacktivist agenda, ensuring their message reaches a wide audience.

Regulatory Changes Driving Threat Actor Innovation

Changes to regulations regarding the reporting of significant breaches, implemented in the USA by the Securities Exchange Commission (SEC), will force threat actors to hone and improve their stealth methods.  We anticipate seeing increased focus on encryption and evasion techniques to allow threat actors to maintain undetected persistence within victim networks, to avoid triggering reporting to the SEC, and the expected forensic-level scrutiny that would follow.  We believe that threat actors may look to non-material systems as a lower-risk target and entry point, quietly building their access, persistence and privileges from there before targeting higher-value network resources.

Additionally, we are also beginning to see ransomware groups using this new reporting requirement as an additional blackmail tool, threatening to report victims to the SEC themselves if their demands are not met.  It is expected that this tactic will expand in use over the year to come.

What’s in store for SOS Intelligence in 2024

2024 looks to be an exciting year for SOS Intelligence.

Our team is growing further with a full time developer joining in early 2024.  This will allow us to focus on improving the usability of the product, implement new features, and generate new data collection streams.

One of our key focus areas will be to improve the quality of the context around the data we provide.  Improvements made to the platform will allow customers to see pertinent information relating to data sources, giving context to the risk and threat posed by that source.  This will allow customers to make more informed decisions about the risks to their business or that of their clients.

We will also be looking to expand and improve the quality of our data collection.  One particular focus will be on improving the reporting of CVEs.  We aim to expedite alerts of new, high-risk vulnerabilities to our clients and subscribers so they can better mitigate and protect against the risks they pose.

SOS Intelligence has been diligently monitoring the digital landscape over 2023.  Our recent findings are a stark reminder of the rising threat of phishing attacks.  Over the past year, we have observed over half a million unique credentials compromised through phishing, and with the growth of GenAI techniques, we expect that number to grow in 2024.

One standout feature of our technology is our real-time alert system.  This capability ensures that our clients are promptly notified when their staff have fallen victim to phishing, allowing for a swift response and effective risk mitigation.

The unique services we provide at SOS Intelligence aren’t just about securing your digital assets; it’s a practical investment in proactive cybersecurity.  Join us in creating a more secure digital environment.

Header Photo by freestocks on Unsplash

"SOS
Investigation, Ransomware

Ransomware – State of Play December 2023

SOS Intelligence is currently tracking 170 distinct ransomware groups, with data collection covering 319 relays and mirrors.

In the reporting period, SOS Intelligence has identified 373 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor.  Our analysis is presented below:

We first look at strain activity.  As ever, the ransomware landscape is dominated by strains using affiliate models (Ransomware-as-a-Service (RaaS)).  Lockbit remains the most active strain, and while there has been a decrease in overall activity, it maintains a 22% market share.  8base, AlphV and Play remain significantly active, but this month we have also seen significant activity by Hunters (RaaS), Cactus (RaaS), and Dragonforce.

Dragonforce are a newly emerged group, with little known about them at the time of print.  Given the level of successful disruption by law enforcement during 2023, it is suspected that this group may be a rebranding of a previous threat group.

The Werewolves group has been observed increasing their level of attacks.  The group appears relatively new, however, they have taken responsibility for a 2022 attack on the Electric Company of Ghana which resulted in significant power outages.  The veracity of this claim is not known.  Their level of activity is called into question by several of their victims also appearing on the LockBit breach site.  Six identical posts were seen across both sites.  Additionally, the ransomware used is a public domain version of Lockbit3, while their attacks make use of tools leaked from the Conti group.  This would seem to indicate that the group was previously an affiliate of LockBit.

What makes this group standout is the targeting of Russian victims.  Ransomware groups and operators are quite often pro-russian, with several groups supporting the Russian government publicly in its war against Ukraine.  The targeting may explain a potential split from LockBit, and hint at a possible location for the group.

Finally, we have observed increased activity from the SiegedSec group.  They appear focused more on data exfiltration, and are politically, rather than financially, motivated. Their focus has been on hacktivism, with a significant focus on targeting Israel and the USA.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors.  We have observed a steady release of data from Canada, France, Germany, Italy, and the UK.  As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors. 

However, this surge in activity may be politically motivated.  In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries.  As highlighted previously, there have also been significant increases in the targeting of Israel and Russia.

Manufacturing, Construction and Engineering, and IT and Technology have remained the key targeted industries for December.  These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems.  The Financial and Education sectors have also seen increased activity over the period.

We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

Photo by FLY:D on Unsplash

"SOS
Investigation, Ransomware

Ransomware – State of Play November 2023

SOS Intelligence is currently tracking 166 distinct ransomware groups. Data collection covers 309 relays and mirrors, 110 of which are currently online.

In the reporting period, SOS Intelligence has identified 437 instances of publicised ransomware attacks.  These have been identified through the publication of victim details and data on ransomware blog sites accessible via Tor. Our analysis is presented below:

As in previous months, the ransomware landscape is dominated by strains using affiliate models. Lockbit remains the most active strain, and has seen a 73% increase in breach posts when compared to the previous month. High on the list is 8base, who release a large amount of data on 30th November. In contrast to the other high-profile groups observed, it is believed that the 8base group do not have their own proprietary ransomware, but instead rely on using other ransomware-as-a-service (RaaS) variants, such as Phobos.

As seen in previous months, the USA remains the primary target of ransomware groups and threat actors.  We have observed an increased release of data from France, Germany and Italy, while the UK and Canada have remained high on the list of targeted countries. 

As members of the G7, these countries have strong economies and therefore possess lucrative targets for financially-minded threat actors. However, this surge in activity may be politically motivated.  In recent weeks these countries have all shown support for Israel in its conflict with Hamas, which may give certain threat actors additional motivation to target those countries.

Logistics, manufacturing, and construction have remained the key targeted industries for November.  These industries would be more reliant on technology in order to continue their business activities, and so it logically follows that they would be more likely to pay a ransom in order to regain access to compromised computer systems.  We are seeing a shift in tactics for certain industries, particularly those where data privacy carries a higher importance (such as legal or healthcare), where threat actors are not deploying encryption software and instead relying solely on data exfiltration as the main source of material for blackmail and extortion.

New for this month we have also considered the victim ownership; whether they’re privately or publicly owned.  Within breach sites, the publicised victims are overwhelmingly privately owned.  Publicly-owned victims tend to be either smaller, local government entities or educational districts within the US school system.  Higher level public entities, while offering a lucrative target for hostile state actors, but may be more than a financially-motivated threat actor wishes to take on, owing to the likely increased law enforcement effort to obtain a judicial outcome.

Photo by FLY:D on Unsplash

1 2
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Youtube
Consent to display content from - Youtube
Vimeo
Consent to display content from - Vimeo
Google Maps
Consent to display content from - Google
Spotify
Consent to display content from - Spotify
Sound Cloud
Consent to display content from - Sound