Market Research
Ransomware, Initial Access Brokers, Carding – Group-IB Presents Report on Trending Crimes

Group-IB has presented its research into global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020–H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.
For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report was divided into five major volumes, all with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2020-2021 seek to prevent damage and downtime for companies worldwide.
Unwanted guests: over 1,000 accesses to corporate networks were offered for sale in the darknet
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099. This exclusive data was obtained by Group-IB’s Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.
This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management and the wide availability of tools for conducting attacks against corporate networks both contributed to a record-breaking rise in the number of initial access brokers. In H2 2019–H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020–H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.
Most companies affected belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). In the review period, the number of industries exploited by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.
The geography of initial access brokers’ operations has also expanded. In H2 2020–H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim companies in H2 2020–H1 2021, followed by France (5%), and the UK (4%).
In the Middle East alone, the total cost of all the accesses to the region’s companies available in the underground rose by 37% in the review period and totaled $247,836. Most of the accesses on sale belonged to organizations from the United Arab Emirates (24%), followed by Israel (13%), Turkey (13%), Saudi Arabia (12%), and Iran (12%).
One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.
Lock, Lock Who’s There? Corporansom
The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020–H1 2021. This is an increase of an unprecedented 935% compared to the previous review period, when data relating to 229 victims was made public.
Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private Ransomware affiliate programs, DLSs where they post exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.
Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019–H1 2020.
It is noteworthy that in the first three quarters of this year, ransomware operators released 47 percent more data on attacked companies than in all of 2020. Taking into account that cybercriminals release the data on only about 10 percent of their victims, the actual number of ransomware attack victims is dozens more. The number of companies that opt for paying the ransom is estimated at 30%.
Having analyzed ransomware DLS in 2021, Group-IB analysts concluded that Conti became the most aggressive ransomware group, which made public information about 361 victims (16.5% of all victim companies whose data was released on DLS), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s Top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).
Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).
In the Middle Eastern region, at least 50 organizations have fallen prey to ransomware attacks so far in 2021. To compare, in 2020, the data on 27 companies in the Middle Eastern region was released on DLS, which is an increase of 85%. In the current year, the majority of publicly known ransomware attack victims in the Middle East originated from Turkey (20%), the United Arab Emirates (18%), Saudi Arabia (18%), Israel (10%), and Iran (6%).
The Scamdemic
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.
Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.
Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, recently started their online migration to Europe, America, Asia, and the Middle East. This is exemplified by Classiscam: an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).
Carding: The Joker’s Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.
An opposite trend was recorded on the market for the sale of bank card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs): their number soared by 36%, from 28 million records to 38 million, which can be explained, among other things, by the higher number of phishing web resources mimicking famous brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price skyrocketed 7-fold: from $150 to an unprecedented $1,000.
The Middle East followed the global trend and showed a carding market drop of 49% in the review period: it decreased from $47.6 million in H2 2019 – H1 2020 to $24.4 million in H2 2020 – H1 2021. The total number of bank cards belonging to bank customers in the Middle East offered for sale over the examined period totaled 1,546,842, which is a 34-percent decline compared to the previous review period, when 2,353,854 bank card records were offered.
This was accompanied by the increase in the average price of text card data from $8.95 to $14.09 and a dramatic drop in the price of a dump from $69.82 to $22.91.
Artificial Intelligence
Cloud Security Trade-Offs Rise: 91% of Leaders Face AI Threats

Gigamon has released its 2025 Hybrid Cloud Security Survey, revealing that hybrid cloud infrastructure is under mounting strain from the growing influence of artificial intelligence (AI). The annual study, now in its third year, surveyed over 1,000 Security and IT leaders across the globe. As cyberthreats increase in both scale and sophistication, breach rates have surged to 55 percent during the past year, representing a 17 percent year-on-year (YoY) rise, with AI-generated attacks emerging as a key driver of this growth.
Security and IT teams are being pushed to a breaking point, with the economic cost of cybercrime now estimated at $3 trillion worldwide according to the World Economic Forum. As AI-enabled adversaries grow more agile, organizations are challenged with ineffective and inefficient tools, fragmented cloud environments, and limited intelligence.
Key findings highlight how AI is reshaping hybrid cloud security priorities:
- AI’s role in escalating network complexity and accelerating risk is evident. The study reveals that 46 percent of Security and IT leaders say managing AI-generated threats is now their top security priority. One in three organizations report that network data volumes have more than doubled in the past two years due to AI workloads, while nearly half of all respondents (47 percent) are seeing a rise in attacks targeting their organization’s large language model (LLM) deployments. More than half (58 percent) say they’ve seen a surge in AI-powered ransomware, up from 41 percent in 2024, underscoring how adversaries are exploiting AI to outpace and outflank existing defenses.
- Compromises highlight continued trade-offs in foundational areas of hybrid cloud security. Nine out of ten (91 percent) Security and IT leaders concede to making compromises in securing and managing their hybrid cloud infrastructure. The key challenges that create these compromises include the lack of clean, high-quality data to support secure AI workload deployment (46 percent) and lack of comprehensive insight and visibility across their environments, including lateral movement in East-West traffic (47 percent).
- Public cloud risks prompt industry recalibration. Once considered an acceptable risk in the rush to scale post-COVID operations, the public cloud is now coming under increasingly intense scrutiny. Many organizations are rethinking their cloud strategies in the face of their growing exposure, with 70 percent of Security and IT leaders now viewing the public cloud as a greater risk than any other environment. As a result, 70 percent report their organization is actively considering repatriating data from public to private cloud due to security concerns and 54 percent are reluctant to use AI in public cloud environments, citing fears around intellectual property protection.
- Visibility is top of mind for security leaders. As cyberattacks become more sophisticated, the limitations of existing security tools are coming sharply into focus. Organizations are shifting their priorities toward gaining complete visibility into their environments, a capability now seen as crucial for effective threat detection and response. More than half (55 percent) of respondents lack confidence in their current tools’ ability to detect breaches, citing limited visibility as the core issue. As a result, 64 percent say their number one focus for the next 12 months is achieving real-time threat monitoring delivered through having complete visibility into all data in motion.
With AI driving unprecedented traffic volumes, risk, and complexity, nearly nine in 10 (89 percent) Security and IT leaders cite deep observability as fundamental to securing and managing hybrid cloud infrastructure. Executive leadership is taking notice, as boards increasingly prioritize complete visibility into all data in motion, with 83 percent confirming that deep observability is now being discussed at the board level to better protect hybrid cloud environments.
“Security teams are struggling to keep pace with the speed of AI adoption and the growing complexity and vulnerability of public cloud environments,” said Mark Jow, technical evangelist, EMEA, at Gigamon. “Deep observability addresses this challenge by combining MELT data with network-derived telemetry such as packets, flows, and metadata, delivering increased visibility and a more informed view of risk. It enables teams to eliminate visibility gaps, regain control, and act proactively with increased confidence. With 88 percent of Security and IT leaders agreeing it is critical to securing AI deployments, deep observability is fast becoming a strategic imperative.”
“With nearly half of organizations saying attackers are already targeting their large language models, AI security can’t be an afterthought, it needs to be a top priority,” said Mark Walmsley, CISO at Freshfields. “The key to staying ahead? Visibility. When we can clearly see what’s happening across AI systems and data flows, we can cut through the noise and manage risk more effectively. Deep observability helps us spot vulnerabilities early and put the right protections in place before issues arise.”
Cyber Security
Axis Communications Sheds Light on Video Surveillance Industry Perspectives on AI

Axis Communications has published a new report that explores the state of AI in the global video surveillance industry. Titled The State of AI in Video Surveillance, the report examines the key opportunities, challenges and future trends, as well as the responsible practices that are becoming critical for organisations in their use of AI. The report draws insights from qualitative research as well as quantitative data sources, including in-depth interviews with carefully selected experts from the Axis global partner network.
A leading insight featured in the report is the unanimous view among interviewees that interest in the technology has surged over the past few years, with more and more business customers becoming curious and increasingly knowledgeable about its potential applications.

“AI is a technology that has the potential to touch every corner and every function of the modern enterprise. That said, any implementations or integrations that aim to drive value come with serious financial and ethical considerations. These considerations should prompt organisations to scrutinise any initiative or investment. Axis’s new report not only shows how AI is transforming the video surveillance landscape, but also how that transformation should ideally be approached,” said Mats Thulin, Director AI & Analytics Solutions at Axis Communications.
According to the Axis report, the move by businesses from on-premise security server systems to hybrid cloud architectures continues at pace, driven by the need for faster processing, improved bandwidth usage and greater scalability. At the same time, cloud-based technology is being combined with edge AI solutions, which play a crucial role by enabling faster, local analytics with minimal latency, a prerequisite for real-time responsiveness in security-related situations.
By moving AI processing closer to the source using edge devices such as cameras, businesses can reduce bandwidth consumption and better support real-time applications like security monitoring. As a result, the hybrid approach is expected to continue to shape the role of AI in security and unlock new business intelligence and operational efficiencies.
A trend that is emerging among businesses is the integration of diverse data for a more comprehensive analysis, transforming safety and security. Experts predict that integrating additional sensory data, such as audio and contextual environmental factors caught on camera, can lead to enhanced situational awareness and greater actionable insights, offering a more comprehensive understanding of events.
Combining multiple data streams can ultimately lead to improved detection and prediction of potential threats or incidents. For example, in emergency scenarios, pairing visual data with audio analysis can enable security teams to respond more quickly and precisely. This context-aware approach can potentially elevate safety, security and operational efficiency, and reflects how system operators can leverage and process multiple data inputs to make better-informed decisions.
According to the Axis report, interviewees emphasised that responsible AI and ethical considerations are critical priorities in the development and deployment of new systems, raising concerns about decisions potentially based on biased or unreliable AI. Other risks highlighted include those related to privacy violations and how facial and behavioural recognition could have ethical and legal repercussions.
As a result, a recurring theme among interviewees was the importance of embedding responsible AI practices early in the development process. Interviewees also pointed to regulatory frameworks, such as the EU AI Act, as pivotal in shaping responsible use of technology, particularly in high-risk areas. While regulation was broadly acknowledged as necessary to build trust and accountability, several interviewees also stressed the need for balance to safeguard innovation and address privacy and data security concerns.
“The findings of this report reflect how enterprises are viewing the trend of AI holistically, working to have a firm grasp of both how to use the technology effectively and understand the macro implications of its usage. Conversations surrounding privacy and responsibility will continue but so will the pace of innovation and the adoption of technologies that advance the video surveillance industry and lead to new and exciting possibilities,” Thulin added.
Cyber Security
Rising Cyber Insurance Pressures Push UAE Firms to Fix Identity Silos and AI Vulnerabilities

CyberArk has announced the release of the CyberArk 2025 Identity Security Landscape Report, a global survey revealing how organizations are inadvertently creating a new identity-centric attack surface through growing use of AI and cloud. The report shows that machine identities are mostly unknown and uncontrolled within organizations, while the primary roadblocks to Agentic AI adoption in the UAE involve security concerns around external manipulation and sensitive access, signposting the emergence of a new and potent identity security challenge.
“The race to embed AI into environments has inadvertently created a new set of identity security risks centered around the access of unmanaged and unsecured machine identities – and the privileged access of AI agents will represent an entirely new threat vector,” said Craig Harwood, Area VP for Africa and the Middle East at CyberArk. “For UAE organizations to stay resilient, CISOs and security leaders must modernize their identity security strategies to contend with a new and expanding attack surface characterized by the proliferation of identities with privileged access and made worse by damaging identity silos.”
‘Rise of the machines’ contributes to unsecured privilege sprawl: Machine identities, driven primarily by cloud and AI, now vastly outnumber human identities within organizations and nearly half have sensitive or privileged access. However, many enterprises leave both human and machine access to critical systems under-secured. There are 82 machine identities for every human in organizations worldwide.
In 92% of UAE organizations, the definition of a ‘privileged user’ applies solely to human identities – but 42% of machine identities have privileged or sensitive access. Fifty-two percent do not have identity security controls in place to secure cloud infrastructure and workloads. Fifty-four percent of UAE organizations experienced at least two successful identity-centric breaches in the past 12 months, ranging from supply chain attacks and compromised privileged access to identity and credential theft.
AI is everywhere and identity-centric agentic AI risk looms: Sanctioned and unsanctioned adoption of AI and large language models (LLMs) is simultaneously transforming organizations while amplifying cybersecurity risks. Concerns around the emergence of AI agents in the UAE and their privileged access underscore the urgency for targeted identity security investment. AI will drive the creation of the greatest number of new identities with privileged and sensitive access in 2025.
Only eighteen percent of UAE organizations have identity security controls for AI in place. Sixty percent cannot secure shadow AI usage in their organization. AI agent adoption roadblocks include manipulation and sensitive access concerns.
Complexity and identity silos are overwhelming security leaders and undermining business resilience: Fragmented identity security programs and poor environmental visibility are diminishing resilience in the face of evolving cybersecurity threats. Most organizations face increased privilege-related compliance pressure.
Seventy percent of UAE respondents say identity silos are a root cause of organizational cybersecurity risk. Sixty-eight percent of security professionals in the UAE agree that their organizations prioritize business efficiencies over robust cybersecurity. Human and machine identities – many of them with privileged access – are expected to double in 2025. Ninety percent of UAE organizations are under increased pressure from insurers mandating enhanced privilege controls.
CyberArk is also participating at GISEC Global 2025, taking place from 6–8 May at the Dubai World Trade Centre. The company will be present at the HELP AG stand, where it will host a dedicated pod showcasing its latest cybersecurity solutions and discuss the Identity Security Landscape report. Attendees will have the opportunity to engage directly with CyberArk’s leadership, including Craig Harwood, Vice President for Middle East and Africa, and Laurence Elbana, Director of Sales, who will be available throughout the event.