Audio Blogs Archives | CyberMaxx
https://www.cybermaxx.com/resources/category/audio-blogs/
Assess, Monitor, and Manage
Feed last built: Tue, 15 Oct 2024 20:20:11 +0000

Ransomware Research Report | Q3 2024 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q3-2024-audio-blog-interview/
Thu, 17 Oct 2024 12:00:46 +0000

The post Ransomware Research Report | Q3 2024 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q3’s research here.

Video Transcript

Intro

This is the Q3 Ransomware Report for 2024. I’m Connor Jackson, let’s get into it.

Ransomware Activity

The total number of observed ransomware and extortion attacks in Q3 2024 was 1720, compared to Q2’s volume at 1755 – this is a 2% deviation in total volume on one of the quarters with the highest numbers we’ve seen in the past 18 months.

These 1720 attacks were performed by 64 active groups – equating to roughly 27 attacks per group. Looking at the averages for each quarter we are seeing that this is staying steady in the 26-29 range for each quarter, but the total number of attacks is going up across the board. You’re probably asking yourself well… why is that?

The answer to that question is the number of attackers is increasing. Compared to 12 months ago in 2023's Q3 there were 52 observed attack groups, and 6 months before that in Q1 that number was 33 – this number has almost doubled in 18 months.

Branching off from this, IBM have been tracking the average cost of a data breach since 2020 – which has risen from $3.6M to $4.8M in 4 years. Let me get this out of the way first: it's hard to quantify this figure due to different industry regulations, size and maturity of the organization, etc. etc. I know – this is just a generic average of the sample group. But it is growing as well.

So what we're seeing is an increase in attacks every day, the number of groups is increasing, and the cost of an attack is going up. This tells us that ransomware is a continuously growing industry. Grab the full report if you want to review the complete numbers and trends that we've observed.

Top Five

The top five groups this quarter start with Ransomhub at number one with 247 attacks, Lockbit and Play both with 92 in second place, Qilin at number 4 with 80 attacks, and Meow with 78. These five groups accounted for 35% of all activity this quarter.

Ransomhub are currently offering between an 80 and 90% profit split with affiliates, which may be what escalated them to the top this quarter. They have also been working with the unpaid AlphV affiliates from the Change Healthcare attack earlier this year, and have attempted to get a second payment from the victim. It is unknown at this time if Change paid the second extortion as well; however, this display may have led to the group attracting customers with this show of force. Unpaid affiliates have been a growing issue among ransomware gangs lately.

Operation Cronos Update

On October 1st, law enforcement updated Lockbit's original release page on the dark web with a countdown for posts titled “Lockbit linked UK arrests” and “Arrest of a major Lockbit actor”.

Once the countdown had completed, the posts were updated to inform readers that several major arrests had been made across Europe. In the UK, two individuals were arrested in August in relation to money laundering operations; in Spain, the owner of the bullet-proof hosting provider used for Lockbit's infrastructure was arrested at an airport in Madrid; and French authorities arrested a suspected Lockbit developer who was on vacation outside of Russia.

The major affiliate was named and added to justice.gov, and is wanted for their alleged involvement in ransomware attacks and money laundering activities.

Conclusion

This quarter saw no drop in the volume of activity, another increase in the number of threat actor groups, updates to law enforcement's takedown of Lockbit, and a timeline of government agencies banning software made by Kaspersky. Full details are available in the full report.

Download the full report


Ransomware Research Report | Q2 2024 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2024-audio-blog-interview/
Tue, 16 Jul 2024 16:16:07 +0000


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Intro

Hi everyone, I’m Connor Jackson, the security research manager at CyberMaxx.

Ransomware Quarterly Review

The number of ransomware and extortion attacks in the second quarter of 2024 continues to grow, up 37% from Q1 and sitting at 1755 attacks between the 1st of April and the end of June – for context, that's up from 1283 in the first quarter across all industries.

The top three groups combined accounted for almost 40% of all ransomware attacks this quarter; the full report provides an overview of each group, as two of the three are new to the stage.

Lockbit were surprisingly not the threat group with the highest volume this quarter, having fallen to second place; however they are the only group in the top three that produce their own unique ransomware strain, providing something the others do not.

The top performing group this quarter is Dispossessor, with 329 attacks, followed by Lockbit with 215 and finally Ransomhub with 148 successful attacks.

Dispossessor

Dispossessor have very recently emerged onto the ransomware landscape and immediately made a name for themselves, beating out Lockbit in the process. However, following the Lockbit crackdown by law enforcement during Operation Cronos, Dispossessor emerged, mimicking Lockbit's tradecraft and offering RaaS with a large payment split.

It has been noted, however, that this group has allegedly not done the attacks themselves, but rather used data that other groups had originally exfiltrated.

Ransomhub

Allegedly, the ALPHV group, following the attack on Change Healthcare, failed to pay their affiliates and instead took down much of their infrastructure. Change paid the initial ransom of $22 million; however, the unpaid affiliates then worked with RansomHub and extorted Change a second time. It is currently unknown if a second payment was made; however, the data that was previously listed has been taken down recently.

A copy of the second extortion note is available in this quarter's report.

Lockbit

In spite of Operation Cronos that took place on February 19th, 2024 – Lockbit appear to still be maintaining operations. Several of their release pages and mirrors are also still live and being updated with new victims almost daily, however the majority of sites have been seized by law enforcement and have been updated to reflect this.

Lockbit later claimed to have exfiltrated 33TB of data related to the Federal Reserve, threatening to release the data in late June. Upon release, it appears that this claim was, in fact, false – with the data being related to an Arkansas-based bank instead.

Interestingly, the Federal Reserve have issued an enforcement action against the victim, citing deficiencies in “risk management” and “consumer compliance” as grounds for the action. The full action is available on the Federal Reserve's press release page.

Wrapping up

The takeaway here is the prevalence of repeat extortions for data has increased. This tactic appears to be related to unpaid affiliates going after the victim organization to get their share rather than through the original threat actor, however this will lower confidence that the threat actor will actually purge the stolen data and will likely result in organizations not paying at all.

Understanding your organization's threat landscape, reducing your attack surface and ensuring patches are applied are all crucial steps to ensuring you do not fall victim to the increasing number of ransomware and data extortion attacks.

Download the full report


Ransomware Research Report | Q1 2024 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2024-audio-blog-interview/
Tue, 16 Apr 2024 14:25:24 +0000


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware Activity

Hey everyone, Connor here. Security Research Manager here at CyberMaxx.

During the first quarter of 2024 we observed 1283 successful ransomware attacks against organizations, up 29% over the same period last year in Q1 2023 with 909 observed attacks.

2024 is already shaping up to see more activity than last year.

Lockbit again were the most prolific group at 368 successful attacks or 30% of the total threat landscape for the quarter. This spike may be related to the attempted law enforcement take down, as a show of strength – or it could have simply been a very successful quarter for the group.

Lockbit have continuously expanded their operations week to week, and have shown that their model is extremely successful. When reviewing the past 18 months of data, we can see a very steady increase in activity attributed to the group quarter over quarter.

Which begs the question; Why is this group so successful?

The answer to that is complicated, but is largely tied to their affiliate program, built on the reputation the group has accumulated over the years of operation. They work with other groups who focus on initial access and the first stages of intrusion, who then hand over for post-compromise activity like staging the environment for ransomware and exfiltrating company data. This means that any group can use any technique to gain access – and then work with Lockbit to deploy ransomware.

So, what these affiliates are doing to gain access is the next reasonable question.

They typically exploit poor security hygiene, improper configuration of external facing assets, traditional phishing, and unpatched vulnerabilities. Reducing attack surfaces, performing system hardening and proper architecture of networks to reduce possible impact, and ensuring a patch management program are crucial to respond to today's threat landscape.

Xz Utils

On March 29th, 2024 malicious code was identified in the upstream tarballs of xz in versions 5.6.0 and 5.6.1. This has since been marked and tracked as CVE-2024-3094.

Analysis today shows that the backdoor enabled remote code execution (RCE), and was committed by the user JiaT75, as part of a two plus year operation in the making. Originally reported as an SSH authentication bypass, further research now shows that there is far more to this than initially identified. Researchers at the time of publishing this report are still digging through and identifying new features due to the complex obfuscation involved with the attack.

No specific attribution has been assigned for whoever was behind this attack at this time.

Lockbit Takedown

On February 29th, 2024 an international operation by law enforcement attempted to take down the servers in use by the Lockbit Ransomware gang. The Law Enforcement teams identified two servers with unpatched vulnerabilities which were exploited to gain access to the servers and ultimately wipe the data. This does ironically highlight the importance of patching your infrastructure regardless of who you are.

Lockbit responded to the incident, owning up and stating that they didn’t patch their servers because they got lazy with the success from the past few years.

This operation led to a 3-day drop in activity for the group, but they quickly ramped their operations back up to normal volume directly after recovering, and still managed to be the most active group in spite of this.


Ransomware Research Report | Q4 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q4-2023-audio-blog-interview/
Tue, 23 Jan 2024 18:45:17 +0000


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q4’s research here.

Video Transcript

Intro

2023 has been a busy year for threat actors. We’ve seen a sharp increase in supply chain attacks, over 4000 successful ransomware attacks, and large-scale exploitation of vulnerabilities in increasingly smaller timeframes.

2023 Overview

Q1 saw CVE-2023-29059 – commonly known as the 3CX application vulnerability. This was the first major supply chain attack of the year.

In Q2 the vulnerability in Progress Software's MOVEit application set the internet on fire, listed as CVE-2023-34362. The Cl0p ransomware group took responsibility for the mass exploitation that we observed over the initial weekend – which led to approximately 200 organizations being compromised. Today, that number is over 2000 with 60 million affected users.

This led into major supply chain compromises further downstream for affected organizations and should serve as an early indicator of what to expect for 2024. Other common trends include exploitation of unpatched systems, which has been a mainstay for many years creating easy wins for initial access teams. Organizations should make efforts this year to audit their third party vendors to minimize their exposure and risk to supply chain attacks.

Q3 saw the major ransomware attack on the MGM group, which was curiously claimed by two separate threat actors: AlphV and the Scattered Spider groups. It is unclear if they were working together at different stages of the operation. AlphV did increase their operational output by 400% during this same timeframe – which likely was the catalyst for the FBI's involvement in Q4.

In Q4 the FBI seized AlphV's PR site, which was promptly taken back by the threat group. This cycle repeated four times before concluding. During the seizures Lockbit allegedly reached out to several high-ranking developer affiliates. We will see if Lockbit's modus operandi changes in 2024 as a result of these strategic acquisitions.

Ransomware Activity

The final quarter of the year saw 1218 successful ransomware attacks against organizations, in comparison to Q3 with 1495 attacks – a 22% decrease quarter over quarter. This brings the total ransomware incidents in 2023 to 4769 attacks, compared to 2022 which had 2870. This is significantly higher at a 66% increase over last year, and shows how threat actors and the ransomware industry are currently growing and becoming more profitable as time goes on.

We began monitoring a new group in June called NoEscape, who run a Ransomware as a Service model – offering to split profits 90/10 for affiliates if the ransom is over $3M USD. NoEscape also do not target countries in the Commonwealth of Independent States, which is likely indicative of where their operations are based from. On average they are conducting 17 attacks per month, and we have classified them as opportunistic as they target orgs from various countries regardless of industry vertical.

Compare these figures to Lockbit, who were the top performer again this quarter: they completed 87 attacks per month on average this year, and 263 attacks for the quarter between October 1st and December 31st.

Looking ahead into 2024

A common theme across the major incidents of this year is an assault on the supply chain, affecting customers downstream. These types of attacks are proving to be more and more lucrative for threat actors, as one successful compromise can grant them access to dozens or even hundreds of customer environments.

CISOs should be mindful of who has access to their network and ensure that their vendor’s security posture is to an acceptable standard that aligns with internal efforts being made to reduce the likelihood of falling victim to such attacks. Focus on NAC, tooling, and ensure that devices joining the network match said standard. Work with your security partners to perform risk assessment and make a note of the tooling they use to help reduce the attack surface and improve your posture.

CISOs should also make endeavors to update and maintain accurate inventory and SBOM within their environment. Shepherding the technologies that are active in your network will help your security team identify abnormal activity, as well as provide you with the means to filter your intelligence to just the items that affect your teams, coordinating patch management, and any needed architectural changes.

Download the full report below:


Ransomware Research Report | Q3 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q3-2023-audio-blog-interview/
Mon, 30 Oct 2023 20:40:46 +0000


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q3’s research here.

Video Transcript

I’m Connor Jackson, Manager of Security Research here at Cybermaxx.

Q3 of 2023 has been a big one. The MGM attack, AlphV, the spike in threat actor activity, CLOP, DarkGate: a lot has happened this quarter.

The Recent Attacks

The recent MGM attack has been claimed by two separate threat actors. It’s still unclear if they were working together to coordinate this attack or operating individually.

CLOP are still working through the backlog of victims from the mass exploitation of Progress Software's MOVEit vulnerability, which occurred earlier this year.

The number of orgs hit has now risen over 2000 and approximately 62 million individuals have been affected due to leaked data as a result of this. Ransomware attacks for Q3, which is July first to September 30th, are now up 59% over Q2, which is double what we saw in Q1.

This brings the total number of successful attacks this quarter to 1826, with 28% of these attacks all stemming from the same group, AlphV.

An existing malware strain has adopted a Malware as a Service model. This has resulted in its use skyrocketing in recent weeks.

DarkGate is a malware that can be used to infect the system with various utilities, info stealers, follow-on payloads, etc.

We have a Breakdown and Analysis

We have a breakdown and analysis of this strain with the multiple ways that we’ve seen infections for our sand.

Also included with the ransomware report for Q3 is a series of SentinelOne and CrowdStrike EDR queries, and these can be used to help detect this threat early on in the attack chain, which you can use in your own environments.

The sharp rise in activity appears to be stemming from four main groups. Those groups are AlphV, CLOP, Lockbit, and 8base.

All of these threat groups can be classified as opportunistic and have been observed rapidly weaponizing vulnerabilities to complete their objectives.

We mentioned last quarter that we expected to see 8base continue to be a threat within the industry. Q2 saw 107 successful attacks, and in Q3 we saw 92, placing them in at number four when ranked by a volume of activity.

The Key Takeaways

The key takeaways this quarter are that supply chain attacks continue to be a lucrative attack vector, and they're still being used to target large organizations as we saw with MGM.

Malware as a Service is continuing to rise in popularity, leading to things like DarkGate, and activity in line with this should be monitored for over the coming weeks and months.

You can use our EDR queries to help detect this.


BSides Event Featuring APA/ATA Vulnerabilities – Audio Blog
https://www.cybermaxx.com/resources/bsides-event-featuring-apa-ata-vulnerabilities/
Tue, 08 Aug 2023 15:30:04 +0000


Video Transcript

Hi, I’m Darren. I’m a penetration tester at Cybermaxx.

BSides Event: Basingstoke, UK

So earlier this month I went to a BSides event in a city called Basingstoke in the United Kingdom; it's in the South of England, sort of nearish London. There was quite a variety of talks on during the day, one of which was me presenting about vulnerabilities in the Cisco ATA devices, the SPA series.

There were also talks about the Cl0P ransomware gang and about using convolutional neural networks for detecting network traffic of malware. There were also other things; for example, the Ministry of Defence's DSTL brought with them an original Enigma machine from World War Two, which was pretty cool to look at.

Another company had brought basically the internals of a cockpit of an airplane that you could use as a flight simulator.

And of course there was the lock picking village and other hacker things going on.

Cisco APA/ATA Device Vulnerabilities Discussion

So I was giving a presentation on some unpatchable vulnerabilities in end-of-life Cisco products, the Cisco ATA devices, specifically the SPA series and some other series of devices. These are a small unit that lives on your desk and allows you to connect an old-school analog phone and use it as a soft phone, like a VoIP phone, for modern teleconferencing.

What I was talking about was that Cisco had released an advisory: some vulnerabilities had been discovered in these devices and, because these devices were out of support, they would not be patched.

Cisco's solution was to tell you to buy a newer device and throw out the old ones. There was no public exploit at the time of the advisory. So, I spent some time reverse engineering the firmware, writing my own exploit for it to see what the risk of this, you know, what this advisory resulted in, and I found that the risks were pretty severe; the outcome, the utility to an attacker, was quite high.

So I presented on how I rediscovered the vulnerability, how bad the impact is, what I could do with it, and also found that other devices not mentioned in the original advisory were also impacted.

Cisco Vulnerabilities: What risks does this pose?

So, the risk here is that for companies, these devices, they're somewhat inexpensive, like they're about 150 bucks each, but you've got one on like every user's desk in some offices I've been in, and on each one of those devices you can persistently install malware using this vulnerability, which allows remote access to the network.

So, the risk for companies is that unless they got rid of these devices or somehow mitigated the issue by other means, they have all these potential entry points just there on everyone's desk that would allow a hacker to effectively live forever inside the company's network, and without replacing these devices that risk doesn't go away. There's no patch; you know, you have to replace it.

So it's quite an expensive problem for a company to solve. They would have to do wholesale replacing of these devices with newer models, which may also go out of support in the future.

Other Cool Exhibits: Original Enigma Machine and More!

So one of the coolest things I saw was the DSTL, they're a branch of the Ministry of Defence; they brought one of the original 4-rotor Enigma cipher machines that the Germans used during the Second World War to encrypt the messages that they'd send out to submarines, etcetera.

So they had this thing that they had seized, you know, back at the end of World War Two from the Germans, and they kept it for research and whatnot, and they brought it with them and it was really cool to see; they had schematics of it. They even took off the lid of it and let us look inside. You could basically play with it a little bit, within reason. It is a historical artifact after all.

But it was cool because relatively nearby, like maybe a couple of hours' drive away, is Bletchley Park, where they famously did the industrial-scale decryption of the Enigma machine and some of the first computers effectively were invented. This is a really neat piece of, you know, security history.

Ransomware Research Report | Q2 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2023-audio-blog-interview/
Wed, 26 Jul 2023 13:14:49 +0000


The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Welcome to the second installment of the quarterly Ransomware report from CyberMaxx. This time we're looking at data from between April 1st and June 30th, 2023.

Here’s What We’re Seeing

Ransomware attacks are up significantly this quarter, up a total of 26% in volume over Q1, totaling 1147 attacks in Q2. Lockbit are again our number one threat group with 246 of these attacks, or a little bit over 21% of the total volume.

Cl0p have weaponized the latest vulnerability in MOVEit, deploying ransomware en masse. They exploited hundreds of vulnerable machines running the affected versions, which ultimately affected over 200 individual organizations. The volume of affected organizations was so great, in fact, that the group actually had to stop reaching out to individuals and instead direct everyone to the release page for further instructions.

Cl0p is still working through this backlog of their affected orgs, so not all attacks have been taken credit for which are included in this report. Although it does appear to be widespread, affecting organizations like the BBC, the Discovery Channel and the US Department of Energy.

Predictions

We are seeing groups continue to be opportunistic and make use of vulnerabilities to scale their operations. Ransomware activity is often closely aligned with vulnerability discovery, whether publicly disclosed or purchased on markets. This then has a direct correlation with the number of attacks that we observe in the wild, which affects organizations either directly or further downstream in the event of an attack on their supply chain.

Based on this, we do expect to see a similar number of attacks in Q3, somewhere around 1000 successful attacks again. Although this may increase if additional critical vulnerabilities in popular software are also brought to light, similar to MOVEit.

Cl0p is still working through their backlog, so they will likely have a large number of attacks attributed to them, again potentially larger than they have had this quarter.

To get the full depth of insights, download the Q2 Ransomware Research Report today.


The post Ransomware Research Report | Q2 2023 – Audio Blog Interview appeared first on CyberMaxx.

Ransomware Research Report | Q1 2023 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2023-audio-blog-interview/
Thu, 04 May 2023 06:00:42 +0000

The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Video Transcript

Hi, everyone. I’m Connor. I’m the security research manager here at CyberMaxx and the author of this quarterly report.

We believe that by sharing the intelligence available to us within the broader community, other organizations can also stay ahead of the same threats that we’re all facing.

Why We’re Doing This

This report is a summary of all the activity within the ransomware industry over the past quarter. It also provides trend analysis on a regular frequency, which allows us to identify changes within the ransomware vertical.

For example, the number we observed last quarter was 1,030 successful attacks, and this quarter 909. So that’s less total activity, but the big names have had a noticeable increase in their efforts.

What We Do at CyberMaxx

We track multiple ransomware groups, and we log all their activity, their attacks, and the organizations they’ve successfully attacked when they did it, and then we provide that data for you every quarter in this report.

We Aren’t Making This Up

The raw data that we use for these reports will also be released alongside the report itself. The purpose of that is basically just to allow other teams to do their own work using the same data set that we use. That way, we can see what conclusions they can come up with on their own, or they can identify.

How is this Data Useful?

Looking at this data, we can identify new trends that start to emerge. For example, we might see new groups emerge onto the scene. Take Royal, who made headlines last year. They’re largely rumored to have several members from the now-dissolved Conti group. That would also explain how they were able to make such a big impact out of seemingly nowhere, which in turn sheds some light on what tactics they’re using, particularly for such a new group.

Identifying inactive groups and their TTPs also helps us to ensure that we have appropriate coverage against their operations. We’re being proactive instead of reactive here. This feeds into our threat hunt program as well, so that we can start to hunt our client base for any indicators found from this intelligence.

Summary

We see Lockbit take the top position yet again. We talk about the 3CX supply chain attacks. And we provide a sample SentinelOne EDR detection for that. We also discuss a common evasion tactic that we’re seeing across all groups, whereby they’re evading existing security measures. In this case, we’re talking about measures to bypass Mark of the Web protections within their initial access efforts.

There’s a link to a full technical breakdown in the report if anyone is interested, and we do a deep dive into how that works.

Plans for the Future

This report will be released every quarter along with the accompanying data set showing trends compared to previous quarters. We’re also providing measures and information to help defend against these real-world threats that we’re seeing.

The post Ransomware Research Report | Q1 2023 – Audio Blog Interview appeared first on CyberMaxx.
