Group-IB, one of the global cybersecurity leaders, has presented its research into global cyberthreats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon'21. In the report, which explores cybercrime developments in H2 2020—H1 2021, Group-IB researchers analyze the increasing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend manifests itself in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in clans to automate and streamline fraudulent operations. Conversely, individual cybercrimes such as carding are in decline for the first time in a while.
For the tenth consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry's operations, examines attacks, and provides forecasts for the threat landscape for various sectors. For the first time, the report was divided into five major volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyberwarfare, threats to the financial sector, and phishing and scams. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2020-2021 seek to prevent damage and downtime for companies worldwide.
Initial Access Brokers: US Companies Among the Most Frequent Targets
One of the underlying trends in the cybercrime arena is a sharp increase in the number of offers to sell access to compromised corporate networks. Pioneered by the infamous hacker Fxmsp, who was charged by the US Department of Justice in 2020, the market for corporate initial access grew by almost 16% in H2 2020—H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled over the review period: from 362 to 1,099. This unique data was obtained by Group-IB's Threat Intelligence & Attribution system, which gathers even deleted information from cybercriminal underground forums.
This segment of the cybercriminal underground has a relatively low entry barrier. Poor corporate cyber risk management, combined with the fact that tools for conducting attacks against corporate networks are widely available, contributed to a record-breaking rise in the number of initial access brokers. In H2 2019—H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. In H2 2020—H1 2021, however, this number skyrocketed to 262, with 229 new players joining the roster.
Most companies affected belonged to the manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%), and commerce (7%) sectors. In the review period, the number of industries exploited by initial access brokers surged from 20 to 35, which indicates that cybercriminals are becoming aware of the variety of potential victims.
The geography of initial access brokers' operations has also expanded. In H2 2020—H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks: they account for 30% of all victim companies in H2 2020—H1 2021, followed by France (5%) and the UK (4%).
One of the main driving forces behind the growth of the initial access market is the steep increase in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into corporate networks on their own.
Lock, Lock, Who's There? Corporansom
The unholy alliance of initial access brokers and ransomware operators as part of Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was released on DLSs (Data Leak Sites) over H2 2020—H1 2021. This is an unprecedented 935% increase compared to the previous review period, when data relating to 229 victims was made public.
Thanks to the Threat Intelligence & Attribution system, Group-IB researchers were able to trace how the ransomware empire has evolved since it emerged. Group-IB's team analyzed private ransomware affiliate programs, the DLSs where they publish exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.
Over the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, a 19% increase compared to the previous period. During the review period, cybercriminals mastered the use of DLSs, which serve as an additional source of pressure on victims: the operators threaten to leak the stolen data unless the ransom is paid. In practice, however, victims can still find their data on the DLS even when the ransom is paid. The number of new DLSs more than doubled during the review period and reached 28, compared to 13 in H2 2019—H1 2020.
It is noteworthy that in the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Taking into account that cybercriminals release data relating to only about 10% of their victims, the actual number of ransomware attack victims is likely to be dozens more. The share of companies that pay the ransom is estimated at 30%.
Having analyzed ransomware DLSs in 2021, Group-IB analysts concluded that Conti was the most aggressive ransomware group: it disclosed information about 361 victims (16.5% of all victim companies whose data was released on DLSs), followed by Lockbit (251), Avaddon (164), REvil (155), and Pysa (118). Last year's top five was as follows: Maze (259), Egregor (204), Conti (173), REvil (141), and Pysa (123).
By country, most companies whose data was posted on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110), and France (103), while most affected organizations belonged to the manufacturing (9.6%), real estate (9.5%), and transportation (8.2%) industries.
Carding: The Joker's Last Laugh
Over the review period, the carding market dropped by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease can be explained by the lower number of dumps (data stored on the magnetic stripe of bank cards) offered for sale: the number of offers shrank by 17%, from 70 million records to 58 million, due to the infamous card shop Joker's Stash shutting down. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price surged from $500 to $750.
The opposite trend was recorded on the market for the sale of bank card text data (bank card numbers, expiration dates, cardholder names, addresses, CVVs): their number soared by 36%, from 28 million records to 38 million, which among other factors can be explained by the higher number of phishing web resources mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price skyrocketed 7-fold: from $150 to an unprecedented $1,000.
Another cohort of cybercriminals actively forging partnerships over the review period were scammers. In recent years, phishing and scam affiliate programs have become extremely popular. Research carried out by Group-IB revealed that there are more than 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. In the reporting period, the threat actors who took part in such schemes pocketed at least $10 million in total. The average amount stolen by a scam affiliate program member is estimated at $83.
Affiliate programs involve large numbers of participants, have a strict hierarchy, and use complex technical infrastructure to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services, and other organizations.
Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, recently began their online migration to Europe, America, Asia, and the Middle East. This is exemplified by Classiscam: an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries impersonated by affiliate program members. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%), and carpooling services (12.8%).