The brutal dismantling of the LockBit ransomware crew and the humiliation of its key players has been one of the most talked about cyber security success stories of the past 12 months, but looking at the raw data, it doesn’t seem to have done much to dissuade cyber criminals.
This is according to Secureworks’ annual 2024 State of the Threat Report, which today draws back the curtain to reveal a 30% year-on-year rise in active ransomware groups using name-and-shame leak sites, with 31 new actors entering the ecosystem in the period from June 2023 to July 2024.
Given the LockBit takedown took place in February, it may not be much of a surprise to learn that the gang accounted for 17% of ransomware listings for the period in scope, although this was down 8% year-on-year given the disruption caused by the UK’s National Crime Agency (NCA), which led the Operation Cronos assault.
Also falling away during the past year was BlackCat/ALPHV, which suffered a similar drubbing at the hands of law enforcement prior to pulling its own product in a possible exit scam, while Clop/Cl0p, which capitalised on the MOVEit file transfer compromise in 2023 to hit hundreds of victims, has also not been as active lately.
Meanwhile, the second most active ransomware gang, Play, doubled its victim count year-on-year, while RansomHub, a new group that emerged shortly after LockBit’s takedown, has in the space of just a few months become the third most active group on the scene, with a 7% share of listed victims. Qilin, as well, has been making its mark, notably in its high-profile attack on NHS partner Synnovis.
“Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime. Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration,” said Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit (CTU).
“As the ecosystem evolves, we have entropy in threat groups, but also unpredictability in playbooks, adding significant complexity for network defenders,” said Smith.
More gangs, fewer victims
But despite this growth, victim numbers have not yet been seen to rise at a similar pace, possibly as a result of gangs trying to find their place in a more fragmented landscape.
The CTU team also observed a lot of affiliate movement in the ransomware ecosystem, which may be partly driving this trend. During the past 12 months, the researchers observed a number of ransomware attacks in which victims were listed on more than one site, possibly as a result of affiliates looking for new outlets for their work in the increasingly chaotic ecosystem.
And chaotic the past 12 months have most certainly been; Secureworks analysts said that the clear trend has been a broadening of the ransomware landscape, so that a scene previously dominated by a smaller number of large operations is now home to a more diverse group of cyber brigands.
However, this may be leading to a more dangerous ‘Wild West’ style threat landscape where smaller groups have less responsibility and structure in terms of how they operate. For example, a drop in median dwell times observed this year seems to be the result of criminals moving fast and breaking things in lightning-paced, smash-and-grab attacks.
As the new ecosystem evolves and coalesces over the coming months, Secureworks said defenders can expect to see a lot more variation and shifts in attack methodologies.
Some of the new methodologies already observed in the field include an increasing tendency for ransomware gangs to steal credentials and session cookies to gain access through adversary-in-the-middle (AitM) attacks, sometimes known as man-in-the-middle (MitM) attacks, using phishing kits such as EvilProxy or Tycoon2FA, which are readily available on the dark web. The research team said this trend should be ringing alarm bells for defenders as it potentially reduces the effectiveness of some types of multifactor authentication (MFA).
Nor are ransomware gangs immune to the appeal of artificial intelligence (AI). Ever since the launch of ChatGPT nearly two years ago, there has been chatter in the criminal fraternity about how such models can be deployed for nefarious purposes – mostly for phishing – but some of the use cases are rather more novel.
In one attack investigated by Secureworks, a cyber criminal gang monitored Google Trends following a celebrity death to identify interest in obituaries, and then used generative AI to create tributes on malicious sites that were manipulated to the top of Google searches by SEO poisoning. Such sites could easily be used as a vector for the spread of malware or ransomware.
“The cyber crime landscape continues to evolve, sometimes minor, occasionally more significant. The growing use of AI lends scale to threat actors, however the increase of AitM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture,” said Smith.