Connect with us

Market Research

Ransomware, Initial Access Brokers, Carding – Group-IB Presents Report on Trending Crimes

Published

on

Group-IB has presented its research into global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon’21. In the report, which explores cybercrime developments in H2 2020–H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.

For the 10th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report was divided into five major volumes, all with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2020-2021 seek to prevent damage and downtime for companies worldwide.

Unwanted guests: over 1,000 accesses to corporate networks were offered for sale in the darknet
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. The market of corporate initial access grew by almost 16% in H2 2020–H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099. This exclusive data was obtained by Group-IB’s Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.

This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management combined with the fact that tools for conducting attacks against corporate networks are widely available both contributed to a record-breaking rise in the number of initial access brokers. In H2 2019–H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020–H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.

Most companies affected belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%). In the review period, the number of industries exploited by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.

The geography of initial access brokers’ operations has also expanded. In H2 2020–H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks — they account for 30% of all victim companies in H2 2020–H1 2021, followed by France (5%), and the UK (4%).

In the Middle East alone, the total cost of all the accesses to the region’s companies available in the underground rose by 37% in the review period and totaled $247,836. Most of the accesses on the sale belonged to organizations from the United Arab Emirates (24%), which was followed by Israel (13%) and Turkey (13%), and Saudi Arabia (12%), and Iran (12%).

One of the main driving forces for initial access market growth is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.

Lock, Lock Who’s There? Corporansom
The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies were released on DLSs (Data Leak Sites) over H2 2020–H1 2021. This is an increase of an unprecedented 935% compared to the previous review period when data relating to 229 victims was made public.

Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it appeared. Group-IB’s team analyzed private Ransomware affiliate programs, DLSs where they post exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.

Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, which is a 19% increase compared to the previous period. During the review period, the cybercriminals mastered the use of DLSs, which are used as an additional source of pressure on their victims to make them pay the ransom by threatening to leak their data. In practice, however, victims can still find their data on the DLS even if the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019–H1 2020.

It is noteworthy that in the first three quarters of this year, ransomware operators released 47-percent more data on the attacked companies than in the entire 2020. Taking into account that cybercriminals release the data on only about 10 percent of their victims, the actual number of ransomware attack victims is dozens more. The number of companies that opt for paying the ransom is estimated at 30%.

Having analyzed ransomware DLS in 2021, Group-IB analysts concluded that Conti became the most aggressive ransomware group, which made public information about 361 victims (16.5% of all victim companies whose data was released on DLS), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year’s Top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).

Country-wise, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most organizations affected belonged to the manufacturing (9.6%), real estate (9.5%), and transportation industries (8.2%).

In the Middle Eastern region at least 50 organizations fell prey to ransomware attacks so far in 2021. To compare, in 2020, the data on 27 companies in the Middle Easter region was released on DLS, which is an increase of 85%. In the current year, the majority of publicly known ransomware attack victims in the Middle East originated from Turkey (20%), the United Arab Emirates (18%), Saudi Arabia (18%), Israel (10%), and Iran (6%).

The Scamdemic
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become highly popular. The research conducted by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.

Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructures to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.

Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, recently started their online migration to Europe, America, Asia, and the Middle East. This is exemplified by Classiscam: an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites create by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).

Carding: The Joker’s Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe on bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker’s Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.

An opposite trend was recorded on the market for the sale of bank card text data (bank card numbers, expiration dates, names of owners, addresses, CVVs): their number soared by 36%, from 28 million records to 38 million, which amongst others can be explained by the higher number of phishing web resources mimicking famous brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price skyrocketed 7-fold: from $150 to an unprecedented $1,000.

The Middle East stuck to the global trend and showed the carding market drop of 49% in the review period: it decreased from $47.6 million in H2 2019 – H1 2020 to $24.4 million in H2 2020 – H1 2021. The total number of bank cards belonging to the bank customers in the Middle East offered for sale over the examined period totaled 1,546,842, which is a 34-percent decline compared to the previous review period, when 2,353,854 bank card records were offered.

This was accompanied by the increase in the average price of text card data from $8.95 to $14.09 and a dramatic drop in the price of a dump from $69.82 to $22.91.

Cyber Security

The Rising Risk of Ransomware Attacks on Organisations and How to Mitigate it

Published

on

According to the 2022 SonicWall Cyber Threat Report, “ransomware volume increased 105% year over year and is up 232% since 2019.” With the risk of ransomware attacks continuing to rise, it’s crucial to shield your organization from these attacks to avoid unwanted financial fallout.

Ransomware attacks commonly target an organization’s file servers and databases using malicious code to encrypt files such as documents, images, and videos on the system. Ransomware can also be programmed to find vulnerabilities on the network and use these to spread to other systems in an organization. Ransomware attacks are typically executed through social engineering like widespread phishing attacks, but cybercriminals can also specifically target a certain entity, sometimes a popular one. These attacks have the potential to cripple an entire organization’s database.

Once encrypted by ransomware, files are almost impossible to retrieve without the decryption key. To get this key, the victim is demanded to pay a ransom—often millions of dollars—within a short timeframe, usually 24 to 48 hours. If the victim organization keeps a backup of its files, then it’ll be able to restore those files and avoid paying the ransom. If not, the organization often has no option but to pay the ransom.

However, if you fall victim to a ransomware attack, it’s strongly recommended that you don’t pay the ransom to regain access to your encrypted files. This is because you are relying on the integrity of a cybercriminal. The cybercriminal may not give you the decryption key after the transaction or, even worse, they may continue to target your organization and repeatedly demand higher ransoms now that they know you’re willing to pay.

In recent years, it has become much easier to develop ransomware, resulting in the continued rise in ransomware attacks. Cybercriminals can develop and execute a ransomware attack with readily available open-source code and with easy-to-use drag-and-drop platforms. It is also hard to track these cybercriminals because transactions involving ransomware are commonly made using cryptocurrency.

Ransomware attacks can result in exploitation and loss of your organization’s critical and confidential data. But there are steps you can take to prevent and mitigate these attacks.

Back-Up Your Data
Take regular backups of all your files and data; this way, even if your system is infected, you can erase the infected files and recover them using your backups. This cannot prevent a ransomware attack, but it can mitigate the risk of losing all your data.

Keep Your System and Software Up-to-Date
Maintain a healthy patching routine. This includes updating your software as soon as possible when patches for security vulnerabilities are released by vendors. To keep your device secure from ransomware attacks, use a security solution that can identify these attacks at their earliest stages and mitigate their impact.

Be Careful Where You Click
Beware of social engineering attacks and email scams, and avoid downloading files from untrusted sources as these can result in your system being exploited by malicious software like ransomware. What makes social engineering attacks so dangerous is that they take advantage of human error rather than system vulnerabilities.

Create Awareness Among Employees About Ransomware Attacks
Since human error is a major vector cybercriminal manipulate to carry out ransomware attacks, it is essential to educate and train employees on social engineering and email phishing attacks to effectively secure your organization against them.

ManageEngine’s security information and event management (SIEM) solutions protect your enterprise network from cyberattacks and insider threats. SIEM solutions collect and analyze the security data generated by your devices in real-time, alerting you about vulnerabilities, indicators of compromise, and any suspicious activity to help you mitigate the risk of ransomware attacks.

Continue Reading

Cyber Security

Ransomware Hit 59% of UAE Organizations Surveyed for Sophos’ Annual “State of Ransomware 2022”

Published

on

Sophos has released its annual international survey and review of real-world ransomware experiences in the State of Ransomware 2022. The report shows that 59% of UAE organizations surveyed were hit with ransomware in 2021, up from 38% in 2020.

The report summarizes the impact of ransomware on 5,600 mid-sized organizations in 31 countries across Europe, the Americas, Asia-Pacific, and Central Asia, the Middle East, and Africa. The main findings for the UAE in the State of Ransomware 2022 global survey, which covers ransomware incidents experienced during 2021, as well as related cyber insurance issues, include:

  • Many organizations rely on cyber insurance to help them recover from a ransomware attack – 85% of mid-sized organizations had cyber insurance that covers them in the event of a ransomware attack – and, in 100% of incidents, the insurer paid some or all the costs incurred.
  • Ninety-eight percent of those with cyber insurance said that their experience of getting it has changed over the last 12 months, with higher demands for cybersecurity measures, more complex or expensive policies, and fewer organizations offering insurance protection.

“The findings suggest we may have reached a peak in the evolutionary journey of ransomware, where attackers’ greed for ever higher ransom payments is colliding head-on with a hardening of the cyber insurance market as insurers increasingly seek to reduce their ransomware risk and exposure,” said Wisniewski. “In recent years, it has become increasingly easy for cybercriminals to deploy ransomware, with almost everything available as-a-service. Second, many cyber insurance providers have covered a wide range of ransomware recovery costs, including the ransom, likely contributing to ever higher ransom demands. However, the results indicate that cyber insurance is getting tougher and in the future ransomware victims may become less willing or less able to pay sky-high ransoms. Sadly, this is unlikely to reduce the overall risk of a ransomware attack. Ransomware attacks are not as resource intensive as some other, more hand-crafted cyberattacks, so any return is a return worth grabbing and cybercriminals will continue to go after the low hanging fruit.”

Sophos recommends the following best practices to help defend against ransomware and related cyberattacks:

  1. Install and maintain high-quality defenses across all points in the organization’s environment. Review security controls regularly and make sure they continue to meet the organization’s needs.
  2. Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in house, outsource to a Managed Detection and Response (MDR) specialist.
  3. Harden the IT environment by searching for and closing key security gaps: unpatched devices, unprotected machines, open RDP ports, etc. Extended Detection and Response (XDR) solutions are ideal for this purpose.
  4. Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated.
  5. Make backups, and practice restoring from them so that the organization can get back up and running as soon as possible, with minimum disruption.
Continue Reading

Cyber Security

Cybersecurity Skills Gap Contributed to 80 Percent of Breaches: Fortinet Report

Published

on

Fortinet has released its 2022 Cybersecurity Skills Gap Report. The new global report reveals that the cybersecurity skills shortage continues to have multiple challenges and repercussions for organizations, including the occurrence of security breaches and subsequently loss of money. As a result, the skills gap remains a top concern for C-level executives and is increasingly becoming a board-level priority. The report also suggests ways the skills gap can be addressed, such as through training and certifications to increase employees’ education.

Sandra Wheatley, SVP Marketing, Threat Intelligence, and Influencer Communications at Fortinet says, “According to the Fortinet report released today, the skills gap isn’t just a talent shortage challenge, but it’s also severely impacting business, making it a top concern for executive leaders worldwide. Through Fortinet’s Training Advancement Agenda (TAA) and Training Institute programs, we are committed to tackling the challenges revealed in the report through various initiatives, including programs focused on cybersecurity certifications and recruiting more women into cyber. As part of this commitment, Fortinet has pledged to train 1 million professionals to increase cyber skills and awareness and make a dent in the skills gap by 2026.”

The Widespread Global Impact of the Cybersecurity Skills Shortage
According to (ISC)2’s 2021 Cyber Workforce Report, the global cybersecurity workforce needs to grow 65 percent to effectively defend organizations’ critical assets. While the number of professionals needed to fill the gap has decreased from 3.12 million down to 2.72 million in the past year, this is still a significant void that leaves organizations vulnerable.

Fortinet’s report demonstrates multiple risks resulting from the cybersecurity skills gap. Most notably, 8 in 10 organizations surveyed have suffered at least one breach they could attribute to a lack of cybersecurity skills or awareness. The survey also showed that globally 64 percent of organizations experienced breaches that resulted in the loss of revenue, recovery costs and/or fines.

Given the increasing costs of breaches on organizations’ profits and reputation, cybersecurity is becoming more of a board-level priority. Globally, 88 percent of organizations that have a board of directors reported that their board asks questions specifically about cybersecurity. And 76 percent of organizations have a board of directors who has recommended increases in IT and cybersecurity headcount.

Advancing Cybersecurity Skills Through Training and Certifications
Fortinet’s skills gap report demonstrated that training and certifications are critical ways organizations seek to further tackle the skills gap. The report revealed that 95 percent of leaders believe technology-focused certifications positively impact their role and their team, while 81 percent of leaders prefer to hire people with certifications. Additionally, 91 percent of respondents shared they are willing to pay for an employee to achieve cyber certifications. One major reason for certifications being highly regarded is due to their validation of increased cybersecurity knowledge and awareness.

In addition to valuing certifications, 87 percent of organizations have implemented a training program to increase cyber awareness. However, 52 percent of leaders believe their employees still lack the necessary knowledge, which raises questions about how effective their current security awareness programs are. For organizations looking for security awareness training, Fortinet offers a Security Awareness and Training service through the award-winning Fortinet Training Institute. The service further protects organizations’ critical digital assets from cyber threats by building employee cybersecurity awareness. This service receives updates from Fortinet’s FortiGuard Labs threat intelligence so that employees are learning and keeping up with the latest evolving cyberattack methods to prevent company breaches and risks from being introduced.

Addressing Recruitment and Retention Challenges with Diversity Commitments
A significant challenge for organizations has been finding and retaining the right people to fill critical security roles ranging from cloud security specialists to SOC analysts. The report found that 60 percent of leaders admit their organization struggles with recruitment and 52 percent struggle to retain talent.

Among hiring challenges is the recruitment of women, new college graduates, and minorities. Globally, 7 out of 10 leaders see the recruitment of women and new graduates as a top hiring hurdle and 61 percent said hiring minorities has been challenging. As organizations look to build more capable and more diverse teams, 89 percent of global companies have explicit diversity goals as part of their hiring strategy according to the report. The report also demonstrated that 75 percent of organizations have formal structures to specifically recruit more women and 59 percent have strategies in place to hire minorities. Additionally, 51 percent of organizations have efforts in place to hire more veterans.

Continue Reading
Advertisement


Follow Us

Trending

Copyright © 2021 Security Review Magazine. Rysha Media LLC. All Rights Reserved.