The number of active ransomware threat groups has risen by a third in the past year, according to cyber security firm Secureworks, with 31 new groups having entered the ransomware ecosystem.
In its latest ‘State of The Threat’ report, Secureworks examined threat activity from June 2023 to June 2024 and found that ransomware risk remains high despite the takedown of large gangs such as LockBit.
Despite its highly publicised takedown, LockBit remains at the top of the list of most active groups. It accounted for 17% of leak-site listings this year, down 8% from last year.
The second most active gang is PLAY, which doubled its victim count year-over-year. RansomHub, which emerged a week after the LockBit takedown, takes third place.
“Ransomware is a business that is nothing without its affiliate model. In the last year, law enforcement activity has shattered old allegiances, reshaping the business of cybercrime,” said Don Smith, VP of threat intelligence at Secureworks Counter Threat Unit (CTU).
“Originally chaotic in their response, threat actors have refined their business operations and how they work. The result is a larger number of groups, underpinned by substantial affiliate migration,” Smith added.
The researchers found that the use of AI is increasing and expanding the scope of existing scams like CEO fraud.
There has been a rise in discussions on underground forums about the misuse of OpenAI’s ChatGPT since mid-February 2023. These mainly focused on low-level activity, such as drafting phishing lures and generating basic scripts.
Obituary scams
For example, researchers have observed that AI has been used by malicious actors in a scam known as “obituary pirates.”
In this scam, attackers monitor Google Trends after someone’s death to detect rising interest in their obituary. They then use GenAI to generate long tributes on websites that rank highly in Google search results through “SEO poisoning”, the practice of gaming search ranking with keyword-stuffed pages.
After that, they redirect users to other sites, where they promote adware or potentially unwanted programs.
Stolen credentials and scan-and-exploit of vulnerable internet-facing devices remained the largest initial access vectors in the past year, with a growing use of ‘Adversary-in-the-Middle’ (AiTM) attacks.
In an AiTM attack the threat actor sits between the victim and the genuine service, relaying traffic in both directions so that each side believes it is talking directly to the other.
In the phishing form seen here, the victim is lured to a proxy site that mimics a legitimate login page. Credentials and multi-factor authentication codes entered there are forwarded to the real site in real time, and the session cookie the site issues is captured by the attacker. Because the one-time code is relayed before it expires, this defeats SMS, app and push-based MFA; only phishing-resistant methods such as FIDO2/WebAuthn, which bind the credential to the real site’s origin, hold up against it.
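One consequence of the proxying described above is that the MFA step itself succeeds from the identity provider’s point of view, so the signal a defender has to look for is the stolen session token being used from a second source shortly after the interactive login. The following is an added detection example written for this page, not code from Secureworks or the report; it runs over constructed sign-in events, and the field names (`session`, `ip`, `ua`, `event`) are assumptions to be mapped onto your own identity provider’s log schema.

```python
"""Flag sessions whose token is reused from another source right after an MFA login."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider sign-in events (illustrative only; not taken
# from the report). Field names are assumptions; map them to your IdP's schema.
SAMPLE_EVENTS = [
    # Alice: MFA login recorded from one address, then the same session token is
    # presented 39 seconds later from a different address with a scripted client.
    {"ts": "2024-06-03T09:00:02Z", "user": "alice@example.com", "session": "S1",
     "ip": "203.0.113.10", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/125",
     "event": "login_mfa_success"},
    {"ts": "2024-06-03T09:00:41Z", "user": "alice@example.com", "session": "S1",
     "ip": "198.51.100.77", "ua": "python-requests/2.31", "event": "token_use"},
    # Bob: normal activity, same source throughout.
    {"ts": "2024-06-03T09:05:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "event": "login_mfa_success"},
    {"ts": "2024-06-03T09:20:00Z", "user": "bob@example.com", "session": "S2",
     "ip": "203.0.113.22", "ua": "Mozilla/5.0 (Macintosh) Safari/17",
     "event": "token_use"},
    # Carol: address changes two days after login (roaming), outside the window.
    {"ts": "2024-06-01T08:00:00Z", "user": "carol@example.com", "session": "S3",
     "ip": "203.0.113.30", "ua": "Mozilla/5.0 (X11; Linux) Firefox/126",
     "event": "login_mfa_success"},
    {"ts": "2024-06-03T08:00:00Z", "user": "carol@example.com", "session": "S3",
     "ip": "192.0.2.9", "ua": "Mozilla/5.0 (X11; Linux) Firefox/126",
     "event": "token_use"},
]


def parse_ts(ts):
    """Parse the UTC timestamp format used in the constructed events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_session_replay(events, window=timedelta(minutes=30)):
    """Return one finding per session whose token is used from a different IP
    or client string within `window` of the interactive MFA login."""
    by_session = defaultdict(list)
    for e in events:
        by_session[e["session"]].append(e)

    findings = []
    for sid in sorted(by_session):
        evs = sorted(by_session[sid], key=lambda e: parse_ts(e["ts"]))
        login = next((e for e in evs if e["event"] == "login_mfa_success"), None)
        if login is None:
            continue  # no interactive login in this session; nothing to compare
        t0 = parse_ts(login["ts"])
        for e in evs:
            if e["event"] != "token_use":
                continue
            dt = parse_ts(e["ts"]) - t0
            source_changed = e["ip"] != login["ip"] or e["ua"] != login["ua"]
            if timedelta(0) <= dt <= window and source_changed:
                findings.append({
                    "user": login["user"],
                    "session": sid,
                    "login_ip": login["ip"],
                    "replay_ip": e["ip"],
                    "replay_ua": e["ua"],
                    "seconds_after_login": int(dt.total_seconds()),
                })
                break  # one finding per session is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_session_replay(SAMPLE_EVENTS):
        print(f"[AiTM?] {f['user']} session {f['session']}: token used from "
              f"{f['replay_ip']} ({f['replay_ua']}) {f['seconds_after_login']}s "
              f"after MFA login from {f['login_ip']}")
```

The logic deliberately keys on session identity rather than on the login itself, because in a relayed attack the credentials and one-time code are genuine and the IdP records a clean MFA success; the tell is the issued cookie turning up from the operator’s own browser or tooling moments later. In production, compare ASN or geolocation as well as raw IP to avoid alerting on NAT and mobile roaming, tune the window to observed dwell times, and treat a client-string change from a browser to a scripted client as the higher-confidence signal.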
“The growing use of AI lends scale to threat actors. However, the increase of AiTM attacks presents a more immediate problem for enterprises, reinforcing that identity is the perimeter and should cause enterprises to take stock and reflect on their defensive posture,” Smith concluded.