Cyber threats wrapped: rampant ransomware, inglorious initial access brokers, sneaky stealers top threat trends to watch

Group-IB, a global cybersecurity leader headquartered in Singapore that specializes in the investigation and prevention of cybercrimes, has today published its new report Hi-Tech Crime Trends 2022/2023, the latest edition of the company’s annual round-up of the most pertinent global cyber threats. In the report, Group-IB Threat Intelligence analysts reveal how ransomware operations remained the top cyber threat to companies and organizations across the world between H2 2021 and H1 2022. According to Group-IB’s research, the number of companies that had their information uploaded onto dedicated leak sites (DLS) between H2 2021 and H1 2022 was up 22% year-on-year to 2,886, which corresponds to eight companies having their data leaked online every single day. One of the driving factors of this trend is the ever-increasing impact of affiliate programs, also known as the ransomware-as-a-service (RaaS) model. Over the past year, we have seen the ransom demands from cybercriminals operating according to the RaaS framework rise significantly.

For the second consecutive year, Group-IB researchers observed the growing impact of initial access brokers (IABs) on the ransomware market. Group-IB researchers detected 2,348 instances of corporate access being sold on dark web forums or privately by IABs, twice as many as in the preceding period. The number of brokers also grew from 262 to 380 over this period, which pushed prices down: the average price for a single access fell by around 50% to $2,800, making attacks by ransomware gangs and other threat actors more affordable. The increased number of offers, coupled with the reduced average price, brought the total size of the initial access market down slightly, by 8.5% to $6,555,332. US networks and manufacturing companies were the most sought-after lots. Compromised RDP (36%) and VPN (37%) accounts were the types of access most frequently offered for sale, according to the latest edition of Group-IB’s annual Hi-Tech Crime Trends report.

For the 11th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors such as the financial industry, telecommunications, manufacturing and energy. Group-IB presents a comprehensive overview of the global threat landscape and our researchers share their predictions for what lies ahead. Group-IB’s hands-on experience in investigating cybercrime as well as its innovative suite of products and services help to describe all underground trends and activities that are worth watching and even make long-term predictions that help cybersecurity teams around the world to tailor their cyber defense.

InsatIABle appetite

During the period from H2 2021 to H1 2022, Group-IB’s Threat Intelligence unit analyzed underground advertisements describing compromised networks and detected 2,348 instances of corporate access being offered for sale, twice as many as during the previous period (1,099 access offers). Among these, 2,111 offers contained information about the country, and 1,532 specified the victim’s industry.

Initial access brokers significantly expanded their presence worldwide. The number of countries in which they broke into corporate networks increased by 41%, from 68 to 96, during H2 2021 – H1 2022. Just like last year, US-based companies were the most popular commodity among initial access brokers, with almost a quarter of all discovered access offers (558) relating to US companies. As last year, the industries most affected by IABs were manufacturing (5.8% of all victims), financial services (5.1%), real estate (4.6%), and education (4.2%).

Figure 1: Overview of IAB trends (H2 2021 – H1 2022)

“Initial access brokers play the role of oil producers for the whole underground economy. They fuel and facilitate the operations of other criminals, such as ransomware gangs and nation-state adversaries. As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023. Private and public companies should consider setting up a threat intelligence program to monitor for compromised credentials of their workforce.”

Dmitry Volkov

CEO of Group-IB

For the first time, Group-IB researchers collected information on the types and rights of access offered on dark web forums. They identified a total of 1,757 offers containing information about the access type and 1,329 ads with information about privileges. Overall, 70% of the access types put up for sale were RDP and VPN accounts, which underlines the importance of keeping an up-to-date inventory of externally reachable remote-access services. Access with administrator rights (local administrator in the case of Active Directory environments) was the most commonly offered, accounting for 47% of all ads. In 0.5% of the cases analyzed, cybercriminals had obtained Enterprise Admin rights, the highest privilege level in an Active Directory forest.

In addition to dark web forums, IABs also buy and sell access on underground markets: automated platforms for trading any type of data, including bank card details, access to personal and corporate accounts, RDP, access to servers, and website administrator panels. During the review period, Group-IB detected over 290,000 web shells and 65,000 instances of RDP access being sold on cybercriminal markets. Web shells are malicious scripts planted on a compromised web server that let an attacker execute commands through the web application and retain access even after the original entry point is fixed. One of the most popular underground platforms for selling web shells had more than 6,000 web shells related to Spanish companies put up for sale between H2 2021 – H1 2022, followed by Russia (2,670), Germany (2,290), India (1,823), and France (1,239). In 2021, 47% of all ransomware attacks investigated by the Group-IB Digital Forensics and Incident Response team started with the exploitation of public-facing Remote Desktop Protocol (RDP) servers.
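The defender’s side of the RDP statistic above is spotting a brute-force run against a public-facing RDP server that ends in a successful logon. The script below is an added example and not Group-IB code or tooling: it walks a constructed list of Windows Security events (4625 failed logon, 4624 successful logon, LogonType 10 for RemoteInteractive, i.e. RDP) and raises an alert when a source address outside the organisation’s own ranges accumulates a threshold of failures shortly before a success. The threshold, look-back window, internal-range list and sample events are assumptions.

```python
"""Detect RDP brute force ending in a successful remote-interactive logon.

Added example, not Group-IB code. SAMPLE_EVENTS is constructed; it mimics
fields from Windows Security log events 4625 (failed logon) and 4624
(successful logon). LogonType 10 is RemoteInteractive, i.e. RDP.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

FAIL_THRESHOLD = 5              # assumption: failures needed before a success is suspicious
WINDOW = timedelta(minutes=10)  # assumption: look-back window for those failures

# Assumption: the organisation's own address space. Anything outside it is treated as
# external, so the documentation range 203.0.113.0/24 used in the sample counts as external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample telemetry (not real data).
SAMPLE_EVENTS = [
    {"time": "2022-03-01T02:00:01", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "administrator", "LogonType": 10},
    {"time": "2022-03-01T02:00:04", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "admin", "LogonType": 10},
    {"time": "2022-03-01T02:00:09", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "backup", "LogonType": 10},
    {"time": "2022-03-01T02:00:15", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"time": "2022-03-01T02:00:22", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"time": "2022-03-01T02:00:30", "EventID": 4625, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    {"time": "2022-03-01T02:00:41", "EventID": 4624, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 10},
    # Internal RDP session with no prior failures: benign.
    {"time": "2022-03-01T08:15:00", "EventID": 4624, "IpAddress": "10.0.0.5", "TargetUserName": "jdoe", "LogonType": 10},
    # A single failure from another external address: noise, below threshold.
    {"time": "2022-03-01T09:00:00", "EventID": 4625, "IpAddress": "198.51.100.9", "TargetUserName": "root", "LogonType": 10},
    # Network logon (type 3), not RDP: ignored by this detection.
    {"time": "2022-03-01T09:05:00", "EventID": 4624, "IpAddress": "203.0.113.7", "TargetUserName": "svc_backup", "LogonType": 3},
]


def is_external(ip: str) -> bool:
    """True for addresses outside INTERNAL_NETWORKS; placeholders such as '-' are not external."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETWORKS)


def detect_rdp_bruteforce(events, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per successful RDP logon from an external IP that was
    preceded by at least fail_threshold failed RDP logons within `window`."""
    failures = defaultdict(list)   # source IP -> timestamps of 4625 events
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):   # ISO timestamps sort as strings
        if e.get("LogonType") != 10:
            continue
        ip, ts = e["IpAddress"], datetime.fromisoformat(e["time"])
        if e["EventID"] == 4625:
            failures[ip].append(ts)
        elif e["EventID"] == 4624:
            recent = [t for t in failures[ip] if ts - t <= window]
            if is_external(ip) and len(recent) >= fail_threshold:
                alerts.append({
                    "src": ip,
                    "user": e["TargetUserName"],
                    "failures_before_success": len(recent),
                    "success_at": e["time"],
                })
    return alerts


def external_rdp_sources(events):
    """Any successful RDP logon from an external IP means the host is reachable from
    outside: worth an inventory check regardless of brute force."""
    return sorted({e["IpAddress"] for e in events
                   if e["EventID"] == 4624 and e.get("LogonType") == 10 and is_external(e["IpAddress"])})


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(f"ALERT: {a['src']} -> {a['user']} after {a['failures_before_success']} failures at {a['success_at']}")
    print("external RDP sources:", external_rdp_sources(SAMPLE_EVENTS))
```

The second function is the cheaper check: a single successful type-10 logon from outside your own ranges is enough to prove the server is internet-exposed, which is what the IAB listings are selling.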

Stealing the limelight

One of the most notable changes to the IAB market is the growing popularity of logs obtained with information stealers: malware that harvests saved credentials, session cookies, bank card details, browser fingerprints and other data from the victim’s browsers and installed applications. Group-IB found that between July 1, 2021 and June 30, 2022, over 96 million logs were offered for sale, with most of the compromised data coming from US users (80%), followed by the UK (5.4%), India (4.6%), Indonesia (2.4%), and Brazil (2.0%).

Group-IB experts discovered over 400,000 Single Sign-On (SSO) logs among these 96 million. SSO is a widely used corporate authentication method in which a single pair of credentials grants access to multiple services, which makes such credentials highly sought after by cybercriminals: one login gets them into several systems at once with little effort. As discovered by Group-IB researchers, the threat actor behind the recent attack on Uber purchased stealer logs on one of the underground marketplaces for $20. These logs contained the SSO credentials of at least two Uber employees.
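The practical counterpart to monitoring the underground for compromised employee records is triaging a stealer log for entries that belong to your own domains. The script below is an added example and not Group-IB’s code or tooling: it parses a constructed password dump in the label/value record layout that stealer families commonly write (label spellings vary, so several are accepted), then flags records whose target host belongs to a watched corporate domain (an SSO or VPN portal) and records where a corporate e-mail address was used on a third-party site (a password-reuse risk). The domain list, sample entries and category names are assumptions, and passwords are masked before they reach an alert.

```python
"""Triage a stealer log's password dump for corporate credentials.

Added example, not Group-IB code or tooling. SAMPLE_LOG is constructed
text in the 'label: value' record layout that common stealer families
write to their password files; label spellings vary by family, so
several are accepted. WATCHED_DOMAINS is an assumed list of the
organisation's own identity and service domains.
"""
import re
from urllib.parse import urlparse

WATCHED_DOMAINS = ("example-corp.com",)   # assumption: the organisation's domains

# Constructed sample; no real credentials.
SAMPLE_LOG = """\
URL: https://accounts.google.com/signin
USER: someone@gmail.com
PASS: hunter2

URL: https://sso.example-corp.com/adfs/ls/
USER: jdoe@example-corp.com
PASS: Summer2022!

Host: https://vpn.example-corp.com/remote/login
Username: mlee
Password: P@ssw0rd

URL: https://shop.example.net/login
USER: jdoe@example-corp.com
PASS: reused-password
"""

# Label spellings seen across stealer families, normalised to three fields.
LABELS = {
    "url": ("url", "host", "hostname", "site"),
    "user": ("user", "username", "login", "email"),
    "pass": ("pass", "password", "pwd"),
}
_LINE = re.compile(r"^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$")


def parse_stealer_log(text):
    """Split the dump into blank-line-separated records of url/user/pass."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = _LINE.match(line)
        if not m:
            continue                      # banner lines, separators, etc.
        label, value = m.group(1).lower(), m.group(2)
        for field, names in LABELS.items():
            if label in names:
                current[field] = value
                break
    if current:
        records.append(current)
    return records


def in_domains(host, domains):
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(record, domains):
    """'corporate_service' if the saved login targets one of our hosts (SSO, VPN, ...),
    'corporate_identity_on_third_party' if our e-mail address was used elsewhere
    (password-reuse risk), else None."""
    url = record.get("url", "")
    host = urlparse(url if "://" in url else "//" + url).hostname
    user = record.get("user", "")
    user_domain = user.rsplit("@", 1)[1] if "@" in user else ""
    if in_domains(host, domains):
        return "corporate_service"
    if in_domains(user_domain, domains):
        return "corporate_identity_on_third_party"
    return None


def mask(secret):
    """Keep only the first character so an alert never carries the full password."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_corporate_exposures(text, domains=WATCHED_DOMAINS):
    exposures = []
    for rec in parse_stealer_log(text):
        category = classify(rec, domains)
        if category:
            exposures.append({
                "category": category,
                "url": rec.get("url", ""),
                "user": rec.get("user", ""),
                "password": mask(rec.get("pass", "")),
            })
    return exposures


if __name__ == "__main__":
    for e in find_corporate_exposures(SAMPLE_LOG):
        print(f"{e['category']:35} {e['user']:28} {e['url']}  ({e['password']})")
```

Hits in the first category go straight to a forced credential reset and session revocation on the named service; hits in the second are a prompt to check whether the same password is in use on the corporate identity provider.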

“It is quite concerning what a cybercriminal with $20 and modest technical skills is capable of these days. With remote work and SSO services becoming more prevalent, instances of access to corporate networks started appearing in stealer logs more often. Attacks on companies through their employees will become one of the main infection vectors. A silver bullet against such attacks doesn’t exist. The trend highlights the need for companies to improve their cybersecurity across all layers, including training employees to respond to social engineering, enhancing detection and response capabilities, and of course, monitoring the cybercriminal underground for compromised employee records and offers to sell access to their networks.”

Dmitry Volkov

CEO of Group-IB

A devil’s ransom

Across the globe, 2,886 companies had their information, files, and data published on ransomware DLS between H2 2021 – H1 2022, a 22% increase compared to the 2,371 companies affected during the previous period (H2 2020 – H1 2021). The actual number of ransomware attacks is believed to be significantly higher, as many victims pay the ransom and some ransomware gangs do not operate a DLS at all. As in the preceding year, the number of ransomware-related data leaks peaked in the final quarter of 2021, when the data of 881 companies was shared on dedicated leak sites.

Figure 2: Number of ransomware-related data leaks per quarter (Q1 2020 — Q2 2022)

“It is worth noting that the number of victims whose data was published in the wake of ransomware attacks in H2 2020 – H1 2021 was 935% up from the preceding year. As a result, the 22% year-on-year growth seen in the observed period suggests that the Ransomware-as-a-Service market has passed the phase of rapid growth and is now beginning to stabilize.”

Dmitry Volkov

CEO of Group-IB

Group-IB analysts also found that companies based in North America (54.5% of companies whose data was leaked by ransomware gangs) and Europe (29.7%) were the most affected. By country, ransomware gangs were particularly fond of targeting companies in the United States: a total of 1,237 US-based companies (43% of the global total) had their data published on DLS in H2 2021 – H1 2022. Rounding out the top five most affected countries are Germany (147 companies), the United Kingdom (138), Canada (128), and Italy (124). Globally, the largest numbers of ransomware-related data leak victims were found in manufacturing (295 companies), real estate (291), professional services (226), and transportation (224).

Figure 3: Global ransomware-related data leaks by region (H2 2021 — H1 2022)

In the reporting period, the number of ransomware attacks on companies in the manufacturing sector worldwide increased by 19% compared to the previous period (H2 2020-H1 2021) to 295. Similar increases were observed in the energy industry (up 43% to 80), financial organizations (up 43% to 181), and the IT sector (up 18% to 120). Interestingly, attacks on telecommunications companies dropped 15% year-on-year to 29.

When it comes to the cybercriminal groups carrying out ransomware attacks, some familiar names were attributed to data leaks registered in H2 2021 – H1 2022. Top of the table was LockBit, which ramped up its activity during this period. Group-IB attributed 889 ransomware attacks to this group, making it responsible for 30.8% of all recorded attacks and displacing Conti as the most active ransomware group. Conti, a now-disbanded Russian-speaking ransomware group that launched the devastating ARMattack campaign at the end of 2021, was linked to 420 attacks, or 14.6% of those registered in H2 2021 – H1 2022. Third on the list is Hive. As reported by Group-IB in December 2021, Hive operates under the RaaS model and grew rapidly after bursting onto the scene earlier that year. In total, Hive was linked to 146 attacks, or 5.1% of the global total.

Figure 4: Ransomware-related data leaks H2 2021 – H1 2022 by threat actor

Alongside buying access from IABs, many ransomware gangs still use commodity loaders such as Emotet, Qakbot, and IcedID to gain initial access. From there, Cobalt Strike remains a key post-exploitation tool: according to Group-IB’s analysis, it was used in nearly 60% of the attacks analyzed between H2 2021 and H1 2022. This could change in the next reporting period, as Group-IB analysts have observed attackers using a newer post-exploitation framework, Brute Ratel, since March 2022.

Throughout the reporting period, Group-IB experts detected 20 new ransomware affiliate programs being discussed on dark web forums, one fewer than in the preceding year, including Hive, ALPHV, and Avos. After the dark web forums Exploit and XSS banned advertisements for affiliate programs, many cybercriminal gangs moved their recruitment to RAMP, where Group-IB discovered 12 new RaaS advertisements in the period studied. In addition, Group-IB found more than 20 covert advertisements in which ransomware gangs stated that they were looking only for “pentesters” with knowledge of Cobalt Strike and Metasploit, highlighting a significant intensification of recruitment among RaaS groups.

“Ransomware is likely to remain the major threat for businesses and governments across the globe in 2023. Ransomware gangs have been able to craft a stable market for their criminal enterprises, and the ransom demands issued to companies once they have been attacked are continuing to rise rapidly. Many of the most prominent ransomware gangs have turned into criminal start-ups. They have a rigid hierarchy and bonuses for overachievement. While the growth trends might slow down, it is likely that the ransomware market could consolidate further, continuing a trend seen in H2 2021 – H1 2022.”

Dmitry Volkov

CEO of Group-IB


About Hi-Tech Crime Trends report

Group-IB has been presenting its annual reports since 2012, integrating data gathered as a result of the company’s own investigations with incident response findings worldwide. Serving as a practical guide for a wide range of experts (in risk management, digital business transformation, strategic planning in the cybersecurity field and investing in information system protection), the report provides annual forecasts that have always proved to be accurate. For technical specialists, including CISOs, SOC and DFIR teams, researchers and malware analysts, as well as threat hunting experts, Group-IB’s report provides an opportunity to analyze the relevance of cybersecurity policies, adjust security settings for their systems and strengthen their expertise in countering cyberthreats relevant to their industry. Thanks to the use of unique tools for tracking the infrastructure of cybercriminals, as well as a thorough study of research by various cybersecurity teams worldwide, Group-IB experts annually identify and confirm common patterns that form a full picture of the development of cyberthreats in the world. This forms the basis of the future forecasts set out in the report, which help companies around the world build effective cybersecurity strategies based on relevant threats.


About Group-IB

Founded in 2003 and headquartered in Singapore, Group-IB is a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime. Combating cybercrime is in the company’s DNA, shaping its technological capabilities to defend businesses, citizens, and support law enforcement operations.

Group-IB’s Digital Crime Resistance Centers (DCRCs) are located in the Middle East, Europe, Central Asia, and Asia-Pacific to help critically analyze and promptly mitigate regional and country-specific threats. These mission-critical units help Group-IB strengthen its contribution to global cybercrime prevention and continually expand its threat-hunting capabilities.

Group-IB’s decentralized and autonomous operational structure helps it offer tailored, comprehensive support services with a high level of expertise. We map and mitigate adversaries’ tactics in each region, delivering customized cybersecurity solutions tailored to risk profiles and requirements of various industries, including retail, healthcare, gambling, financial services, manufacturing, crypto, and more.

The company’s global security leaders work in synergy with some of the industry’s most advanced technologies to offer detection and response capabilities that eliminate cyber disruptions agilely.

Group-IB’s Unified Risk Platform (URP) underpins its conviction to build a secure and trusted cyber environment by utilizing intelligence-driven technology and agile expertise that completely detects and defends against all nuances of digital crime. The platform proactively protects organizations’ critical infrastructure from sophisticated attacks while continuously analyzing potentially dangerous behavior all over their network.

The comprehensive suite includes the world’s most trusted Threat Intelligence, the most complete Fraud Protection, AI-powered Digital Risk Protection, multi-layered protection with Managed Extended Detection and Response (XDR), all-infrastructure Business Email Protection, and External Attack Surface Management.

Furthermore, Group-IB’s full-cycle incident response and investigation capabilities have consistently elevated industry standards. This includes the 77,000+ hours of cybersecurity incident response completed by our sector-leading DFIR Laboratory, more than 1,400 successful investigations completed by the High-Tech Crime Investigations Department, and round-the-clock efforts of CERT-GIB.

Time and again, its solutions and services have been recognized by leading advisory and analyst agencies such as Aite-Novarica, Gartner®, Forrester, Frost & Sullivan, KuppingerCole Analysts AG, and more.

Being an active partner in global investigations, Group-IB collaborates with international law enforcement organizations such as INTERPOL, EUROPOL and AFRIPOL to create a safer cyberspace. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.