Group-IB, one of the global leaders in cyber security, presented its research on global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual threat hunting and intelligence conference, CyberCrimeCon'21. The report, which examines developments in cybercrime in H2 2020-H1 2021, analyzes the growing complexity of the global threat landscape and highlights the growing role of alliances between threat actors. The trend is reflected in partnerships between ransomware operators and initial access brokers within the Ransomware-as-a-Service model. Scammers also band together in organized groups to automate and streamline fraudulent operations. By contrast, individual cybercrimes such as carding have declined for the first time in several years.
For the tenth year in a row, the Hi-Tech Crime Trends report analyzes the various aspects of cybercrime industry activity, examines attacks and provides forecasts for the threat landscape in different sectors. For the first time, the report is divided into five volumes, each with a different focus: ransomware, the sale of access to corporate networks, cyber warfare, threats to the financial sector, and phishing and fraud. The forecasts and recommendations outlined in Hi-Tech Crime Trends 2021/2022 aim to prevent damage and downtime for companies around the world.
Initial access brokers: US companies are among the most common targets
One of the key trends on the cybercrime scene is a sharp increase in the number of offers to sell access to compromised corporate networks. Pioneered by the infamous hacker Fxmsp, who was charged by the U.S. Department of Justice in 2020, the initial access market grew by nearly 16% in H2 2020-H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell access to companies almost tripled during the review period: from 362 to 1,099. This data was obtained by Group-IB's Threat Intelligence & Attribution system, which also collects information that has been deleted from underground cybercrime forums.
This segment of the cybercrime underground has a relatively low barrier to entry. Poor corporate cyber risk management, combined with the wide availability of tools for attacking corporate networks, has contributed to a record-breaking increase in the number of initial access brokers. In H2 2019-H1 2020, the Group-IB Threat Intelligence team identified only 86 active brokers. In H2 2020-H1 2021, that number jumped to 262, with 229 new players joining the roster.
Most of the affected companies belonged to manufacturing (9% of all companies), education (9%), financial services (9%), healthcare (7%) and commerce (7%). During the review period, the number of industries targeted by initial access brokers jumped from 20 to 35, indicating that cybercriminals are becoming aware of the variety of potential victims.
The geography of initial access broker activity has also expanded. In H2 2020-H1 2021, the number of countries in which cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of access to compromised networks: they made up 30% of all victim companies in H2 2020-H1 2021, followed by France (5%) and the United Kingdom (4%).
One of the main driving forces behind the growth of the initial access market is the steep rise in the number of ransomware attacks. Initial access brokers remove the need for ransomware operators to break into enterprise networks themselves.
Knock, knock! Who's there? Corporansom
The unholy alliance between initial access brokers and ransomware operators within Ransomware-as-a-Service (RaaS) affiliate programs has led to the rise of the ransomware empire. In total, data relating to 2,371 companies was published on DLSs (Data Leak Sites) during H2 2020-H1 2021. This is an unprecedented increase of 935% compared to the previous review period, in which data relating to 229 victims was published.
Thanks to the Threat Intelligence & Attribution system, Group-IB researchers have been able to trace how the ransomware empire has evolved since its inception. Group-IB's team analyzed private ransomware affiliate programs, the DLSs on which operators publish exfiltrated data belonging to victims who refused to pay the ransom, and the most aggressive ransomware strains.
During the review period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, a 19% increase over the previous period. Cybercriminals have also widely adopted DLSs, which serve as an additional source of pressure on victims to pay the ransom under the threat of their data being leaked. In practice, however, victims can still find their data on a DLS even after the ransom has been paid. The number of new DLSs doubled during the review period and reached 28, compared to 13 in H2 2019-H1 2020.
It is worth noting that in the first three quarters of 2021, ransomware operators published 47% more data on attacked companies than in all of 2020. Considering that cybercriminals publish data relating to only about 10% of their victims, the true number of ransomware victims is likely to be many times higher. The share of companies that pay the ransom is estimated at 30%.
Based on the analysis of ransomware DLSs in 2021, Group-IB analysts concluded that Conti is the most aggressive ransomware group: it published information on 361 victims (16.5% of all victim companies whose data was published on DLSs), followed by LockBit (251), Avaddon (164), REvil (155) and Pysa (118). Last year's top 5 was as follows: Maze (259), Egregor (204), Conti (173), REvil (141) and Pysa (123).
By country, most of the companies whose data was published on DLSs by ransomware operators in 2021 were based in the United States (968), Canada (110) and France (103), while most of the affected organizations belonged to the manufacturing (9.6%), real estate (9.5%) and transportation (8.2%) industries.
Carding: The Joker’s Last Laugh
During the period under review, the carding market fell by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decline is explained by the smaller number of dumps (data stored on the magnetic stripe of bank cards) offered for sale: the number of offers dropped by 17%, from 70 million records to 58 million, following the closure of the infamous Joker's Stash card shop. Meanwhile, the average price of a bank card dump dropped from $21.88 to $13.84, while the maximum price jumped from $500 to $750.
The opposite trend was recorded in the market for text data of bank cards (card numbers, expiration dates, cardholder names, addresses, CVVs): their number jumped by 36%, from 28 million records to 38 million, which can be explained, among other things, by the higher number of phishing resources mimicking well-known brands during the pandemic. The average price for text data climbed from $12.78 to $15.2, while the maximum price jumped almost sevenfold: from $150 to an unprecedented $1,000.
Scam affiliate programs
Another group of cybercriminals who actively formed partnerships during the review period were fraudsters. In recent years, phishing and scam affiliate programs have become extremely popular. Group-IB's study identified more than 70 such phishing and scam programs. Their participants aim to steal money as well as personal and payment data. During the reporting period, the threat actors who participated in such programs pocketed at least $10 million in total. The average amount stolen by a member of an affiliate program is estimated at $83.
Affiliate programs involve a large number of participants, have a strict hierarchy and use complex technical infrastructure to automate fraudulent activities. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This helps scale phishing campaigns and tailor them to banks, popular email services and other organizations.
Phishing and scam affiliate programs, initially focused on Russia and other CIS countries, have recently begun migrating to Europe, America, Asia and the Middle East. This is exemplified by Classiscam, an automated scam-as-a-service scheme designed to steal money and payment data. Group-IB is aware of 71 brands in at least 36 countries impersonated by affiliate program members. Phishing and scam sites created by affiliate program members mostly mimic marketplaces (69.5%), delivery services (17.2%) and carpooling services (12.8%).