Rise in ransomware groups reshapes cybersecurity landscape
Secureworks has published its eighth annual State of the Threat Report, highlighting a significant increase in active ransomware groups and a shifting cybersecurity landscape.
The report details a 30% rise in active ransomware groups over the past year, with 31 new groups entering the ecosystem from June 2023 to July 2024. This reflects the fragmentation of a previously established criminal ecosystem, with LockBit, PLAY, and RansomHub identified as the most active groups.
LockBit, previously considered the dominant ransomware group, accounted for 17% of listings, a decline of 8% from the previous year. PLAY doubled its victim count year-on-year, emerging as the second most active group. RansomHub, a new player emerging after the LockBit takedown, has quickly become the third most active group, accounting for 7% of victim listings.
A broader range of smaller ransomware players has surfaced, altering the previously stable landscape. As Don Smith, Vice President of Threat Intelligence at Secureworks Counter Threat Unit, stated, "Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration. As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders."
The report also notes that law enforcement actions against key ransomware groups like GOLD MYSTIC (LockBit) and GOLD BLAZER (BlackCat/ALPHV) have disrupted the traditional ransomware landscape. Despite the increase in groups, the number of victims has not increased at the same pace, suggesting uncertainty about the success of newer groups.
The report identifies scan-and-exploit attacks and stolen credentials as the most prevalent initial access vectors in ransomware incidents. Additionally, there has been an observed rise in adversary-in-the-middle (AiTM) attacks, presenting a notable concern for cyber defenders. These attacks threaten to bypass certain types of multi-factor authentication.
AI technology has seen increased use in cybercriminal activity, enhancing the scale and credibility of attacks like CEO fraud or tactics by "obituary pirates." These actors exploit AI to produce fraudulent content based on trends observed on platforms such as Google.
Smith further noted the psychological and procedural shift required for organisations to defend against these evolving threats, saying, "The cybercrime landscape continues to evolve, sometimes minor, occasionally more significant. The growing use of AI lends scale to threat actors; however, the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture."
The report also provides a comprehensive review of state-sponsored threat activities, involving countries such as China, Iran, North Korea, and Russia. Chinese cyber activity remains focused on information theft aligned with political and economic goals. In Iran, state-sponsored cyber activity primarily targets regional adversaries, appearing under fake hacktivist personas.
North Korea continues its focus on revenue through cryptocurrency theft and fraudulent employment tactics. Meanwhile, Russian cyber activity remains heavily influenced by the ongoing conflict in Ukraine, with espionage against Ukrainian critical infrastructure being a primary focus.
During the Israel-Hamas conflict, an increase in cyber activities targeting Israeli entities was observed, attributed to groups thought to have links with larger state actors like Russia or Iran.