Ransomware, carding and initial access brokers: Group-IB reports on crime trends

Group-IB, one of the global leaders in cybersecurity, presented its research on global cyber threats in the report High-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon '21. In the report, which covers the development of cybercrime from the second half of 2020 to the first half of 2021, Group-IB researchers analyzed the increasingly complex global threat landscape and highlighted the growing role of alliances between threat actors. This trend is reflected in the partnership between ransomware operators and initial access brokers under the ransomware-as-a-service model. Scammers have also joined forces in affiliate programs to automate and simplify fraud operations. By contrast, some individual types of cybercrime, such as carding, declined for the first time in a long while.

For 10 consecutive years, the High-Tech Crime Trends report has analyzed all aspects of the cybercrime industry's operations, examined attacks, and provided forecasts for the threat landscape in various sectors. For the first time, the report is divided into five volumes, each focusing on one topic: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations in High-Tech Crime Trends 2021/2022 are designed to prevent losses and downtime for companies worldwide.

Initial access brokers: US companies are the most common target

One of the most notable trends in cybercrime is the dramatic increase in the number of offers to sell access to compromised corporate networks. This market, pioneered by a notorious hacker indicted by the US Department of Justice in 2020, grew by nearly 16% from the second half of 2020 to the first half of 2021, from US$6,189,388 to US$7,165,387. During the review period, the number of offers to sell access to companies more than tripled, from 362 to 1,099. This exclusive data was obtained through Group-IB's Threat Intelligence & Attribution system, which collects even information that has been deleted from underground cybercrime forums.

The barrier to entry for this segment of the cybercrime underground is relatively low. Poor corporate network risk management, combined with the wide availability of tools for attacking corporate networks, has led to a record number of initial access brokers. From the second half of 2019 to the first half of 2020, Group-IB's threat intelligence team detected only 86 active brokers. From the second half of 2020 to the first half of 2021, this number soared to 262, with 229 new players joining the roster.

Most of the affected companies are in manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). During the review period, the number of industries targeted by initial access brokers grew from 20 to 35, indicating that cybercriminals are beginning to realize the diversity of potential victims.

The geography of initial access brokers' operations has also expanded. From the second half of 2020 to the first half of 2021, the number of countries in which cybercriminals broke into corporate networks grew from 42 to 68. US companies are the most popular target for sellers of compromised network access, accounting for 30% of all victim companies in that period, followed by France (5%) and the United Kingdom (4%).

One of the main drivers of the initial access market's growth is the dramatic increase in the number of ransomware attacks. Initial access brokers eliminate the need for ransomware operators to break into corporate networks on their own.

Ransomware: who is locking whom?

Within ransomware-as-a-service (RaaS) affiliate programs, the alliance between initial access brokers and ransomware operators led to the rise of the ransomware empire. From the second half of 2020 to the first half of 2021, data belonging to 2,371 companies was published on dedicated leak sites (DLS). Compared with the previous review period, when data on 229 victims was released, this is an unprecedented 935% increase.

Using its Threat Intelligence & Attribution system, Group-IB researchers have tracked the evolution of the ransomware empire since its emergence. The Group-IB team analyzed private ransomware affiliate programs, the DLS on which operators publish data stolen from victims who refused to pay the ransom, and the most aggressive ransomware strains.

During the review period, Group-IB analysts identified 21 new ransomware-as-a-service (RaaS) affiliate programs, a 19% increase over the previous period. Cybercriminals also mastered the use of DLS as an additional source of pressure on victims, who are forced to pay the ransom under threat of having their data leaked. In practice, however, victims may still find their data on a DLS even after paying. The number of new DLS more than doubled to 28, compared with 13 from the second half of 2019 to the first half of 2020.

Notably, in the first three quarters of 2021 ransomware operators published data on 47% more attacked companies than in all of 2020. The actual number of ransomware victims may be dozens of times higher. The share of companies that pay the ransom is estimated at 30%.

After analyzing ransomware DLS in 2021, Group-IB analysts concluded that Conti is the most aggressive ransomware group: it published information on 361 victims (16.5% of all companies whose data was published on DLS), followed by LockBit (251), Avaddon (164), REvil (155) and Pysa (118). Last year's top five were Maze (259), Egregor (204), Conti (173), REvil (141) and Pysa (123).

By country, most of the companies whose data ransomware operators published on DLS in 2021 are located in the United States (968), Canada (110) and France (103), while the most affected industries are manufacturing (9.6%), real estate (9.5%) and transportation (8.2%).

Carding: the Joker has the last laugh

During the review period, the carding market shrank by 26% compared with the previous period, from US$1.9 billion to US$1.4 billion. The decline is due to the drop in the number of dumps (data stored on a bank card's magnetic stripe) offered for sale following the closure of the infamous card shop Joker's Stash. At the same time, the average price of a bank card dump fell from US$21.88 to US$13.84, while the maximum price rose from US$500 to US$750.

The trend for bank card text data (card number, expiration date, cardholder name, address, CVV) is the opposite: the volume offered for sale grew by 36%, from 28 million to 38 million records, which can be explained, among other factors, by the growth during the pandemic in the number of phishing resources imitating well-known brands. The average price of text data rose from US$12.78 to US$15.20, while the maximum price soared almost sevenfold, from US$150 to an unprecedented US$1,000.

Scams

Scammers were another group of cybercriminals that actively formed partnerships during the review period. In recent years, phishing and scam affiliate programs have become very popular. Group-IB's research identified more than 70 phishing and scam affiliate programs whose participants aim to steal money as well as personal and payment data. During the reporting period, the threat actors participating in such programs earned a total of at least US$10 million. The average amount stolen by fraud affiliate program members is estimated at US$83.

Affiliate programs involve a large number of participants, have a strict hierarchy, and use complex technical infrastructure to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots to supply participants with ready-made scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.

Phishing and scam affiliate programs initially focused on Russia and other CIS countries and have recently begun migrating to Europe, the Americas, Asia and the Middle East. This is reflected in Classiscam, an automated fraud-as-a-service designed to steal money and payment data. Group-IB knows of at least 71 brands from 36 countries that have been impersonated by affiliate program members. The phishing and scam sites they create most often imitate marketplaces (69.5%), delivery services (17.2%) and ride-sharing services (12.8%).
