Group-IB estimates that nearly one-third of victims succumb to extortion
According to data from threat intelligence company Group-IB, the volume of victim data leaked by ransomware gangs through their data leak sites has increased tenfold in just 12 months.
Between the second half of 2020 and the first half of 2021, the data of 2,371 companies (an increase of 935%) was published on ransomware data leak sites.
The increasing use of data leakage sites by cybercriminals is a symptom of the evolution of the entire ransomware market.
Over the years, cyber scammers have used a combination of phishing and network vulnerabilities to penetrate corporate networks and encrypt data, and then demand payment in exchange for decryption keys.
More recently, ransomware operators have threatened to leak sensitive information if the ransom demands are not met, a so-called “double extortion” threat that relies on data leak sites.
Conti crowned the most prolific
Conti was the most aggressive ransomware strain, publishing data on 361 victims through its data leak site. The Lockbit (251), Avaddon (164), REvil (155) and Pysa (118) groups also leaked the data of victims who did not give in to the extortion demands.
In 2021, ransomware operators published data on leak sites mostly from companies in the United States (968 companies), Canada (110), and France (103), while most of the affected organizations belonged to manufacturing (9.6%), real estate (9.5%) and transportation (8.2%).
According to Group-IB, even after paying the ransom, victims can still find their data on a data leak site. Group-IB estimates that less than one-third of ransomware demands result in payment.
It is worth noting that in the first three quarters of 2021, ransomware operators published 47% more data on attacked companies than in 2020. Dozens more organizations may have been hit by ransomware attacks. The proportion of companies paying the ransom is estimated to be 30%.
Group-IB published the findings today (December 2) in its High-Tech Crime Trends 2021/2022 report during its annual CyberCrimeCon conference.
Ransomware boom
The ransomware market has generally diversified and expanded.
For example, many malware developers and operators have launched affiliate programs that give less technically skilled but persistent cybercriminals the opportunity to earn income from successful phishing attacks.
According to Group-IB data, a total of 21 new ransomware-as-a-service (RaaS) affiliate programs appeared this year as of the end of June 2021.
Another booming criminal trade is the sale of compromised corporate network access to ransomware gangs and other cybercriminals. The number of these so-called initial access brokers (IABs) tracked by Group-IB tripled to 262, up from the 86 active brokers recorded from the first half of 2019 to the first half of 2020.
At the same time, the number of offers to sell corporate network access almost tripled to 1,099.
Other threat intelligence companies, including Digital Shadows, have also linked IAB’s activities to the surge in ransomware attacks.
‘Much faster’
Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, told The Daily Swig: “As the entry barrier for cybercriminals has decreased, the popularity of Initial Access Brokers (IAB) has increased. Using IAB allows ransomware operators and other cybercriminals to speed up their mission time.
“By using IAB, cybercriminals can complete the reconnaissance and weaponization phases of the cyber kill chain at a faster rate, enabling them to quickly access the target network for subsequent use,” Morgan added.
Morgan explained that vulnerable virtual private network (VPN) systems are one of the main ways for cybercriminals to gain a foothold in a target environment.
“Given the large number of vulnerable networks and low access prices, the use of IAB in 2022 may continue at a similar rate; the most popular types of access observed by Digital Shadows in 2021 are Remote Desktop Protocol (RDP) and virtual private network (VPN),” Morgan said.
“The increase in IAB usage may be affected by the rise of remote services. Threat actors often identify services exposed on public ports, which often have weak credentials that can be brute-forced, and usually allow VPN and RDP access through these ports.”
Cybercrime bazaar
Most of these transactions are conducted through online cybercrime marketplaces.
At a CyberCrimeCon session, an analyst from the banking group Santander explained how they used social network analysis to understand the ransomware business and identify key players, intelligence they passed to law enforcement that led to several arrests, including the most recent ones in Ukraine.
As the partnership between ransomware operators and IABs under the RaaS model continues to grow, other long-standing scams, such as carding (trading in stolen credit and debit card data), have declined.
Compared with the previous period, the carding market has fallen by 26%, from US$1.9 billion to US$1.4 billion.
“The reduction can be explained by the reduction in the number of dumps sold (data stored on the magnetic strip of the bank card): the number of offers has been reduced by 17%, from 70 million records to 58 million records, due to the closure of the infamous card shop Joker’s Stash,” according to Group-IB.
Conversely, the volume of bank card text data (bank card number, expiration date, owner name, address, CVV) offered for sale increased from 28 million records to 38 million records, a rise of 36%. Group-IB also noticed an increase in the number of phishing web resources imitating well-known brands during the pandemic.
According to the threat intelligence company, the average price of text data climbed from $12.78 to $15.20.
Scams
Another group of cybercriminals who actively established partnerships during the review period were scammers. Group-IB estimates that there are more than 70 phishing and fraud affiliate programs.
“The affiliate program involves a large number of participants, has a strict hierarchy, and uses complex technical infrastructure to automate fraudulent activities. Phishing and fraud affiliate programs actively use Telegram bots to provide participants with ready-made scam and phishing pages. This helps to expand the scale of phishing campaigns and customize them for banks, popular email services and other organizations,” Group-IB said.
According to Group-IB, the phishing and scam affiliate programs that initially focused on Russia and other CIS countries have recently begun to migrate to Europe, America, Asia, and the Middle East. Examples of these scams include Classiscam, an automated fraud-as-a-service operation designed to steal money and payment data.
Group-IB has recorded 71 brands in 36 countries/regions being targeted by these scams. Phishing and scam sites created by affiliate program members most often imitate online marketplaces (69.5%), delivery services (17.2%), and ride-sharing services (12.8%).