Search for yourself in darknet leaks: researchers named the TOP 5 most dangerous ransomware gangs of 2023

Carding

Professional
Who do corporate executives have nightmares about?
Cybersecurity specialists from Arete have published a detailed report on various trends and changes in the ransomware landscape this year.

According to the researchers, the average ransom that extortionists now demand is 600 thousand dollars. Notably, at the end of last year this figure was about half that.

However, while the appetites of cybercriminals continue to grow, the percentage of incidents that resulted in ransom payments declined to 19% in the first half of 2023, compared to 29% in the second half of last year.

The decrease in the number of payouts is partly due to an increase in the number of attacks in which only data theft is carried out, without encryption (everyone remembers the incident with MOVEit Transfer?).

In addition, even if data is encrypted, companies are gradually expanding their ability to restore normal operation without paying a ransom. Thanks in large part to backup.

Arete also named the TOP 5 ransomware groups by the number and quality of their attacks; they are discussed below.

LockBit — 18.7% of observed cases
LockBit hackers have held the lead in the field of cyber extortion for several years, largely due to the constant improvement of their own software tools for data encryption, as well as a large network of affiliated partners.

The group usually uses the technique of double and sometimes triple extortion, launching DDoS attacks on the victim's network. Of course, darknet leak sites are also used as additional leverage.

In addition, LockBit participants often resort to the services of Initial Access Brokers (IABs) to speed up attacks and hit as many companies as possible.

ALPHV / Blackcat — 18.7% of observed cases
This group emerged at the end of 2021 and targets organizations across various sectors and regions. Blackcat hackers also independently develop and maintain their malware, demonstrating constant innovation in payload variability and detection evasion.

ALPHV / Blackcat uses various entry points to infect the victim's network, including phishing emails, compromised credentials, and brute-force attacks on Remote Desktop Protocol (RDP).

Blackcat hackers target both Windows and Linux machines, as well as NAS devices that are often used to store backups and sensitive data.

Black Basta — 12.9% of observed cases
This cybercrime organization emerged at the end of 2021. It offers third-party hackers proprietary ransomware based on the RaaS model, which means that anyone can use the Black Basta infrastructure to launch their own attacks. The tactic of double extortion is often used by operators of this software.

The malware is delivered mainly through sending out phishing emails with malicious attachments or links.

Royal – 12.9% of observed cases
Researchers believe that Royal, which has been active since September 2021, operates as a closed group rather than as a RaaS provider. Before developing its own encryptor, Royal used ready-made ones.

The group has no explicit preferences regarding the sector or size of the attacked organization. These hackers do not hesitate to encrypt the data of any organization (and even entire cities), delete credentials, spread across the entire domain, and encrypt endpoint devices.

The group's toolset consists of phishing emails with malicious attachments or links, stolen passwords, hacking tools for accessing victims' networks, malicious advertising, etc. The group also often uses Cobalt Strike to maintain persistence in victims' systems.

Akira – 12.26% of observed cases
This is a relatively new gang, whose first ransomware attack occurred in early April 2023. However, many experts believe the group was formed by former members of the well-known Conti group.

The group rapidly accumulated victims during the first half of 2023. Akira primarily targets education, professional services, retail, hospitality, healthcare, and manufacturing organizations, mainly in Canada and the United States.

The group is distinguished by its flexibility in negotiations, usually offering its victims several options for resolving the issue at once. The group's site is also designed in a distinctive retro style.

Akira's encryptor is not very reliable, and researchers from Avast even released a decryptor at the end of June. However, the group is clearly only at the beginning of its journey, and sooner or later it will refine its software.

What's the bottom line?
Whatever hacker group is leading the ransomware industry, extortion itself continues to be one of the most dangerous and lucrative forms of cybercrime.

Despite improvements in security methods and data recovery capabilities, the damage from such attacks remains enormous. To effectively counter these threats, organizations must take a comprehensive approach to cybersecurity, including regular backups, network segmentation, staff training, and the use of modern security and monitoring tools.

This is the only way to minimize risks and protect your business from the devastating consequences of ransomware attacks.