Research | CyberMaxx https://www.cybermaxx.com/resources/type/research/ (feed updated Tue, 22 Jul 2025 17:28:39 +0000)

CyberMaxx Q2 2025 Ransomware Research Report shows a 40% drop in attack volume from the previous quarter.
https://www.cybermaxx.com/resources/cybermaxx-q2-2025-ransomware-research-report-shows-a-40-drop-in-attack-volume-from-the-previous-quarter/
Thu, 17 Jul 2025 11:00:10 +0000

The post CyberMaxx Q2 2025 Ransomware Research Report shows a 40% drop in attack volume from the previous quarter. appeared first on CyberMaxx.

Linthicum Heights, MD – July 17th, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that Q2 2025 witnessed a significant drop in ransomware activity compared to Q1.

According to CyberMaxx research, 1,488 attacks were recorded in Q2 (April-June), representing a 40% decrease from the 2,461 attacks in Q1 (January-March). Despite this drop, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 41 minutes during the second quarter.

There were 75 active ransomware groups in Q2, a slight increase from 74 in Q1. However, the number of attacks per group has dropped from 33.2 to 19.8. This could reflect shifts in law enforcement pressure, infrastructure disruptions, or changes in attacker strategy.

With 176 attacks, Qilin has overtaken Cl0p as the most active ransomware group. It is followed by Akira (139 attacks), Play (124 attacks), Safepay (101 attacks), and Dragonforce (73 attacks).

Cl0p has now dropped from the list of most active ransomware groups, following intense activity in early 2025 and a sharp decline since March. This highlights the cyclical and opportunistic nature of ransomware group activity.

Qilin has been steadily growing throughout the first half of 2025, indicating an expansion of operational capacity and increased aggressiveness in target selection. Qilin’s sustained growth demonstrates how some ransomware groups expand their reach even as overall attacks decline, highlighting the group’s rise as a dominant threat actor.

Manufacturing (157 attacks, approximately one every 13.6 hours), technology (136 attacks, approximately one every 16 hours), and healthcare (95 attacks, approximately one every 22.5 hours) were the most targeted industries in Q2.

Although healthcare experiences fewer attacks than some other sectors, each incident can cause significant harm, including care delays, outages, and regulatory issues. Persistent attacks on healthcare highlight its vulnerability stemming from the urgency of its operations, the sensitivity of its data, and the prevalence of outdated systems. Attackers often exploit this vulnerability with double extortion, forcing organizations to pay quickly to avoid disruptions.

While Q2 2025 saw a decrease in overall attacks, it also revealed more complex tactics, tools, and targeting methods employed by attackers. As ransomware continues to evolve, organizations must remain proactive, adaptable, and informed to defend effectively.

CyberMaxx’s cyber research team regularly investigates threats independently. These efforts aim to build shared knowledge across the cybersecurity community.

Access the full Ransomware Research Report here: https://www.cybermaxx.com/q2-2025-ransomware-research-report/

About CyberMaxx

CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing. For more information, visit: https://www.cybermaxx.com/

CyberMaxx Media Contact

John Pinkham
jpinkham@cybermaxx.com

Ransomware Research Report | Q1 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2025-audio-blog-interview/
Thu, 24 Apr 2025 16:12:55 +0000

The post Ransomware Research Report | Q1 2025 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware

Ransomware activity continues to climb in the first quarter of 2025, with 2461 attacks carried out by 74 active groups. This is a 4% increase over last quarter, which was the previous period with the highest volume of attacks on record.

At the forefront of this quarter is Cl0p, which was responsible for 398 attacks, roughly 16% of the total. Cl0p achieved this by chaining two vulnerabilities together in Cleo Harmony and VLTrader for a huge impact. These vulnerabilities are listed under

  • CVE-2024-50623
  • CVE-2024-55956

This campaign peaked in February with 331 attacks, the highest monthly total ever recorded by a single group.

Other top actors included RansomHub, Akira, Babuk2, and Qilin. Surprisingly, Lockbit, once a dominant force, dropped to 24th place with only 23 attacks. Exploitation of unpatched systems continues to be a favored technique for initial access among ransomware groups.

BlackBasta

In February 2025, a major leak of internal chat logs exposed the inner workings of the BlackBasta ransomware group. The leak discusses their target preferences, tactics, and tools.

Target Selection

Black Basta prioritized organizations with low tolerance for downtime, including healthcare, financial services, and critical infrastructure. These sectors were targeted strategically, given the high stakes and pressure to restore operations quickly, factors that increase the chance of ransom payments.

Exploitation Tactics

The group typically exploited known vulnerabilities rather than expensive zero-days. However, they did purchase at least one high-value exploit for use against CVE-2024-26169, used for privilege escalation on Windows systems. Microsoft patched it in March 2024, but evidence suggests Black Basta had access prior to its public disclosure, dating back as early as December 2023.

Tools and Techniques

Two tool variants linked to the group were uncovered by Symantec. One, compiled in December 2023, is publicly available on VirusTotal. The second, from February 2024, appears to have been privately tested. The leak also confirmed extensive credential harvesting operations—key to initial access and lateral movement. A link to the VirusTotal analysis is available in the full report.

Underground Forum

Logs indicate the group actively used platforms like exploit.in to acquire or trade vulnerabilities.

Conclusion

This leak gives us a behind-the-scenes look at a major ransomware group. It highlights the group’s clear focus on exploiting vulnerabilities in critical sectors and leveraging credential harvesting to facilitate their attacks. As always, proactive patching, credential protection, and a hardened defense strategy are needed to stay ahead of these tactics, especially for organizations in critical sectors.

Bybit

In February 2025, the Bybit cryptocurrency exchange suffered one of the largest crypto thefts to date—400,000 ETH, worth $1.5 billion. The attack has been attributed to the Lazarus Group, a North Korean state-sponsored threat actor known for targeting digital assets.

Lazarus exploited Safe{Wallet}, a third-party multi-signature wallet platform designed to enhance transaction security. The attackers compromised a developer’s workstation at Safe{Wallet}, injecting malicious JavaScript into its frontend interface.

This clever move allowed them to disguise an unauthorized transfer as a legitimate transaction. Exploiting user behavior—specifically the tendency to rapidly click through approval prompts—they bypassed the multi-signature protection and triggered a massive transfer from Bybit’s cold wallet without raising alarms.

Once the theft was complete, Lazarus laundered the stolen ETH through multiple intermediary wallets, swapping tokens and using cross-network services to obscure the funds’ origins. The stolen assets currently sit dormant across multiple wallets.

The big takeaway here is that even the most secure systems can be undermined by third-party vulnerabilities and user complacency.

Chainalysis

In 2024, ransomware attacks reached record levels, especially in the fourth quarter. But in a surprising twist, ransomware payments actually fell. According to Chainalysis, victims paid $813 million in crypto, down 35% from $1.25 billion in 2023.

This unexpected decline comes as Q4 2024 marked the most active quarter ever for ransomware. The drop in payouts signals a shift in how organizations are responding to these threats.

So, what are the reasons for this decline?

First, companies are improving their cybersecurity, with stronger defenses and better backups, so that many can now recover without paying.

Second, regulatory pressure is rising. Governments are discouraging ransom payments to avoid fueling criminal activity.

And third, there’s greater awareness. Organizations now better understand the long-term consequences of paying ransoms, encouraging repeat attacks.

Add to that a global law enforcement crackdown—seizing crypto, arresting operators, and dismantling gangs—and the result is a ransomware ecosystem that’s getting harder to profit from. However, with ransomware numbers continuing to climb, it also suggests that while payment volumes have decreased, the overall threat of ransomware continues to grow.

Oracle Health

In early 2025, Oracle Health, formerly known as Cerner, suffered a major data breach affecting multiple U.S. hospitals and healthcare providers. The breach stemmed from unauthorized access to legacy data migration servers using compromised customer credentials, with activity traced back to late January.

Sensitive patient data from electronic health records was exfiltrated, though the full scope remains unclear. Oracle Health discovered the breach in February and began notifying affected clients in March.

Adding to the complexity, an individual calling themselves “Andrew” has attempted to extort healthcare providers, threatening to release the stolen data. “Andrew” isn’t linked to any known ransomware group, suggesting a possible lone actor or emerging threat.

This breach highlights two critical vulnerabilities: outdated legacy systems and inadequate credential protections.

Q1 Conclusion

Security teams must prioritize patch management and ensure that critical vulnerabilities are addressed promptly. Organizations should also emphasize credential protection, implementing multi-factor authentication (MFA) and monitoring for compromised accounts.

CyberMaxx Q1 2025 Ransomware Research Report shows 4.3% increase in attack volume over the previous quarter, setting new records
https://www.cybermaxx.com/resources/cybermaxx-q1-2025-ransomware-research-report-shows-4-3-increase-in-attack-volume-over-the-previous-quarter-setting-new-records/
Tue, 22 Apr 2025 11:30:38 +0000

The post CyberMaxx Q1 2025 Ransomware Research Report shows 4.3% increase in attack volume over the previous quarter, setting new records appeared first on CyberMaxx.

Chicago, IL – April 17, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that Q1 2025 witnessed a surge in ransomware attacks, making it the most prolific quarter for ransomware activity.

According to CyberMaxx research, there were 74 active groups responsible for 2,461 recorded incidents in Q1 2025. This figure marks a 4.3% increase over the previous quarter, which saw 66 active groups conduct 2,358 attacks.

In Q1 2025, ransomware groups averaged 33.2 successful attacks each. With 398 attacks, Cl0p was the most active group this quarter, representing approximately 16% of all successful attacks.

Other notable ransomware groups in Q1 2025 were RansomHub (234 attacks), Akira (217 attacks), Babuk2 (156 attacks), and Qilin (113 attacks). Notably, Lockbit, one of the most prolific groups throughout 2024, fell to 24th place with only 23 attacks.

February 2025 was a record-breaking month for Cl0p: the group carried out 331 individual attacks, the highest number ever recorded by a single group in a single month.

Cl0p’s dominance stems from its use of two critical vulnerabilities in Cleo Harmony products: CVE-2024-50623 and CVE-2024-55956.

This surge in ransomware activity during Q1 2025 marks a clear escalation in ransomware threats, and Cl0p has raised the benchmark for attack efficiency and volume.

The group’s successful exploitation of critical vulnerabilities reinforces the urgent need for security teams to prioritize patch management and promptly address critical vulnerabilities in Q2 2025.

Organizations should enhance their monitoring and detection capabilities to catch intrusions before data exfiltration occurs and ensure they implement multi-factor authentication (MFA) while actively monitoring compromised accounts.

CyberMaxx’s cyber research team regularly investigates threats on its own. These efforts aim to build shared knowledge across the cybersecurity community.

Access the full Ransomware Research Report here: Q1 2025 Ransomware Research Report

About CyberMaxx

CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing.

For more information, visit: www.cybermaxx.com

CyberMaxx Media Contact
Clint Poole
cpoole@cybermaxx.com

How does a Malicious OAuth Application Attack work? – Oauth2 Research
https://www.cybermaxx.com/resources/how-does-a-malicious-oauth-application-attack-work-oauth2-research/
Mon, 03 Mar 2025 20:12:35 +0000

The post How does a Malicious OAuth Application Attack work? – Oauth2 Research appeared first on CyberMaxx.

There are two primary ways that this type of attack works: either within a credible tenant that has been compromised, or via attacker-owned infrastructure built specifically for these types of attacks.

Credible Tenant Compromise

In the first type of attack, an attacker has to compromise a user that has sufficient permissions to create applications within the cloud tenant. This can either be performed directly, as part of lateral movement stages moving from on-prem infrastructure into the cloud, or via compromising multiple users and escalating privileges where possible.

Once the attacker sets up the application, often using a legitimate-sounding name which is covered later in this blog, the threat actor then has to add users to the application to have the specified permissions take effect. This is often done either through Teams with a link or via sending emails from the compromised account.

If a threat actor has sufficient permissions to create OAuth applications in this manner, they may also have permissions to modify the requirement for admin consent. While not directly tied to the same permissions, gaining access to a high-privileged role may provide the necessary path to completing this objective.

Another, albeit less frequent, attack within a compromised credible tenant is to modify an existing OAuth application. This is significantly less common than the technique discussed above; however, the steps are largely the same.

Attacker-Owned Infrastructure

With attacker-owned infrastructure, a threat actor purposely builds a cloud tenant with the sole purpose of hosting malware and compromising users.

When creating malicious OAuth applications, an option appears to allow for other organizations to interact with the malicious application:

The second option is often chosen for this purpose.

The threat actor then sends a link to users, often via phishing emails, to consent to this application, with the rest of the attack flow following the first technique mentioned above.

The benefit of this latter technique is that it does not first require compromising a user with sufficient permissions to create/modify an application within the tenant. The downside is that it can be more difficult to compromise users, especially those with hardened tenants and user awareness training, and it is also easier to detect than modifying an existing application, provided the right logs are being collected.

Malicious OAuth applications matching compromised usernames, and other suspicious naming conventions

In an attempt to remain undetected in compromised environments, threat actors have been utilizing several naming scheme patterns:

  1. The malicious OAuth application is named after the originally compromised user.
  2. The application contains the word “Test”.
  3. Use of non-alphanumeric characters as the application name.

After a threat actor has compromised a user account with sufficient permissions, they will often create a new OAuth2 application within the EntraID tenant that matches the username of the account they compromised. This is done in an attempt to evade detection by blending in with a legitimate-sounding name.

This technique has been observed firsthand in several IR incidents at CyberMaxx, and by the team at Proofpoint across various MACT campaigns, accounting for 28% of all applications in MACT campaign 1445 (https://www.proofpoint.com/uk/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants).

Another technique observed in the wild is naming the malicious OAuth application “test”, “testapp”, or a similar variant: a short, non-descriptive name chosen in another attempt not to raise suspicion.

The final technique that we have seen is using non-alphanumeric characters for the name of the application, most commonly “…”, while several others exist as well.

All of the above techniques have been observed in-the-wild, with the first being used primarily in compromised tenants and the latter two being used as part of multi-tenant compromise campaigns, often through phishing consent attacks.

OAuth2 Backdoored Accounts

When a user authenticates to EntraID, an entry is made in the Sign-In logs containing details such as a unique ID for that event, the username and display name, the application used, the time, the error code (0 if successful), and many other fields. A successful login therefore has an error code of 0 on its event, which is the reliable indicator of success.

Using the Microsoft Graph API, we can retrieve these logs programmatically without logging in to the Azure portal and exporting them manually. This is done by querying the https://graph.microsoft.com/v1.0/auditLogs/signIns endpoint; alternatively, you can use the beta version: https://graph.microsoft.com/beta/auditLogs/signIns.

The benefit of using the beta version of this log is that there are some additional fields that can be correlated together. Drilling down into the raw event, there is a field called “appliedConditionalAccessPolicies”. This field lists every conditional access policy that was applied to that specific user for that specific logon event. By iterating through each of these CAP IDs and looking at the “enforcedGrantControls” field, it is possible to determine (a) whether MFA is being applied for this user and (b) which specific CAP is responsible for the MFA enforcement. The field looks like the below:

There are multiple other fields contained within each policy, such as the display name from the Azure portal and the “result” field which determines if the policy is being enforced or just reported on (enforced MFA policies require disabling the SecurityDefaults policy).

Going back to the root of the Sign-in log, there are several other items that are relevant here. First, the “resourceDisplayName” will show what resource was used for this logon event – in the case of a GraphAPI request, it will show as “Microsoft Graph”. However, this display name can be spoofed so making detections based on this is not a good indicator of usage. Directly below the “resourceDisplayName” is the “resourceId”, which will always show as “00000003-0000-0000-c000-000000000000” when using a PowerShell application.

The third and final field to take note of is the “authenticationRequirement”. This field for OAuth2 applications will show as “singleFactorAuthentication”, as the MFA request will need to have already been approved for the application to have completed the consent workflow.

Combining the above fields gives a strong indication that an account has previously consented to an OAuth application which is now actively connected to it.

CloudSweep makes a GraphAPI request to the Audit Logs beta API to retrieve sign-in events and review captured logons for all users, looking for these matching entries. Log-on events that match these attributes will be flagged and it is recommended that they are reviewed to determine if the events are known. If they are not, this may be an indication that a threat actor has successfully gained access to a user account through a consent attack.

As a reminder, OAuth2 applications, once given consent to connect to an account, do not require MFA and will persist through password resets – making them an excellent persistence choice for threat actors.
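The detection logic described above, written out as an added example in Python; this is not CloudSweep’s code and not from the original post. It applies the three indicators (successful logon, resourceId of Microsoft Graph, “singleFactorAuthentication” despite an enforced MFA conditional access policy) to sign-in records shaped like the beta /auditLogs/signIns response. The events, tenant, user names, policy names and event ids in the sample are constructed; the endpoint, resourceId and field names are the ones the post names, and treating a CAP “result” of “success” as enforced (versus the report-only results) is an assumption.

```python
import json

# Endpoint named in the post. Fetching it needs a bearer token; this offline
# example parses a response body of the same shape instead.
SIGNINS_BETA_URL = "https://graph.microsoft.com/beta/auditLogs/signIns"

# resourceId the post gives for Microsoft Graph.
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample response (hypothetical tenant, users, ids and policy names).
SAMPLE_RESPONSE = json.dumps({"value": [
    {   # consented OAuth app using its token: single-factor to Graph although MFA is enforced
        "id": "evt-0001", "createdDateTime": "2025-02-10T03:12:44Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "alice@contoso.example",
        "resourceDisplayName": "Microsoft Graph", "resourceId": GRAPH_RESOURCE_ID,
        "authenticationRequirement": "singleFactorAuthentication",
        "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"id": "cap-1", "displayName": "Require MFA for all users",
             "enforcedGrantControls": ["Mfa"], "result": "success"}]},
    {   # ordinary interactive logon with MFA satisfied
        "id": "evt-0002", "createdDateTime": "2025-02-10T08:01:09Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "Office 365 Exchange Online",
        "resourceDisplayName": "Office 365 Exchange Online",
        "resourceId": "11111111-2222-3333-4444-555555555555",  # constructed
        "authenticationRequirement": "multiFactorAuthentication",
        "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"id": "cap-1", "displayName": "Require MFA for all users",
             "enforcedGrantControls": ["Mfa"], "result": "success"}]},
    {   # single-factor to Graph, but the only MFA policy is report-only
        "id": "evt-0003", "createdDateTime": "2025-02-11T10:22:51Z",
        "userPrincipalName": "bob@contoso.example",
        "appDisplayName": "Graph Explorer",
        "resourceDisplayName": "Microsoft Graph", "resourceId": GRAPH_RESOURCE_ID,
        "authenticationRequirement": "singleFactorAuthentication",
        "status": {"errorCode": 0},
        "appliedConditionalAccessPolicies": [
            {"id": "cap-2", "displayName": "MFA pilot (report-only)",
             "enforcedGrantControls": ["Mfa"], "result": "reportOnlySuccess"}]},
    {   # failed logon: wrong password, so no session was issued
        "id": "evt-0004", "createdDateTime": "2025-02-11T11:05:00Z",
        "userPrincipalName": "alice@contoso.example",
        "appDisplayName": "alice@contoso.example",
        "resourceDisplayName": "Microsoft Graph", "resourceId": GRAPH_RESOURCE_ID,
        "authenticationRequirement": "singleFactorAuthentication",
        "status": {"errorCode": 50126},
        "appliedConditionalAccessPolicies": []},
]})


def load_signins(response_text):
    """Parse a signIns response body and return its 'value' list."""
    return json.loads(response_text).get("value", [])


def mfa_enforcing_policies(event):
    """Display names of applied CAPs that actually enforced MFA on this logon.
    Assumption: result 'success' means enforced; reportOnly* results do not count."""
    names = []
    for cap in event.get("appliedConditionalAccessPolicies", []):
        controls = [c.lower() for c in cap.get("enforcedGrantControls", [])]
        if "mfa" in controls and cap.get("result") == "success":
            names.append(cap.get("displayName") or cap.get("id", "?"))
    return names


def is_suspect_oauth_logon(event):
    """All three indicators from the post, plus a successful status."""
    succeeded = event.get("status", {}).get("errorCode") == 0
    to_graph = event.get("resourceId") == GRAPH_RESOURCE_ID
    single_factor = event.get("authenticationRequirement") == "singleFactorAuthentication"
    return succeeded and to_graph and single_factor and bool(mfa_enforcing_policies(event))


def flag_backdoor_signins(events):
    """Return the events worth an analyst's review, with the fields needed to triage them."""
    return [{"id": e.get("id"), "user": e.get("userPrincipalName"),
             "app": e.get("appDisplayName"), "time": e.get("createdDateTime"),
             "mfa_policies": mfa_enforcing_policies(e)}
            for e in events if is_suspect_oauth_logon(e)]


if __name__ == "__main__":
    for hit in flag_backdoor_signins(load_signins(SAMPLE_RESPONSE)):
        print(f"REVIEW {hit['time']} {hit['user']} app={hit['app']!r}: "
              f"single-factor Graph logon while MFA enforced by {hit['mfa_policies']}")
```

Only evt-0001 is flagged: evt-0002 is an interactive MFA logon, evt-0003 has no enforced MFA policy (so a single-factor logon is expected there and carries less signal), and evt-0004 never succeeded. Flagged events are a review queue, not a verdict; the app name, time and source of the logon decide whether the consent is known.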

Recommendations for attack surface reduction, and how to prevent these types of attacks

Summary Checklist:

  • Enable MFA; this also helps with logging
  • Enforce conditional access policies; this helps set a baseline for IR
  • Require administrative approval to consent to OAuth2 applications

There are a number of things we can do to defend and harden a tenant against this type of attack. First, enable MFA on all user accounts in enterprise environments. This also helps with detection, as you will have a history of where the user normally accepts MFA pushes from and when the malicious request was accepted. The exception is if you work IT in a K-12 environment, where having kids perform MFA requests isn’t really an option.

Next, require administrators to grant approval for users consenting to applications. This can be done under EntraID > Enterprise Applications > Consent and Permissions:

If you want to reduce the workload of your IT team, you can disable this via EntraID > Enterprise Applications > User Settings, and stop users from being able to ask administrators for approval. If you do this, consider allowing users to consent to applications from verified publishers for selected permissions.

  • It is important to note that some malicious applications can come from “verified” publishers. Verification requires that a developer has an MPN ID (Microsoft Partner Network) account and has completed the verification process. However, if an attacker compromises a tenant and launches a multi-tenant compromise campaign from it, the application may slip through, although this is rare.

Detection

If a user has MFA enabled but the sign-in log’s “Authentication Requirement” shows “Single-Factor Authentication”, this is a clear sign of token-based authentication and potentially a backdoored account.

Alternatively, you can use the CyberMaxx tool CloudSweep to detect malicious OAuth usage in your environment, which is regularly updated to reflect the latest attack techniques. Find it here: https://github.com/theresafewconors/cloudsweep

Ransomware Research Report | Q4 2024 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q4-2024-audio-blog-interview/
Tue, 28 Jan 2025 13:00:09 +0000

The post Ransomware Research Report | Q4 2024 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q4’s research here.

Video Transcript

Intro

This is the ransomware report for Q4 2024. I’m Connor Jackson, Security Research Manager at CyberMaxx. Let’s get into it.

Ransomware

Ransomware and data extortion attacks continue to rise month over month. This quarter saw the highest spike in attacks that we have observed on record. Q4 had 4568 successful attacks, which means that there were almost as many attacks in the final 90 days of Q4 as there were in all of 2023 at 95% volume.

For comparison, this same timeframe in 2023 (October 1st to December 31st) had 1218 attacks, making this a 275% increase over the same 90-day timeframe in 12 months.
2024 finished the year with 7041 attacks – the highest on record.
The highest number of successful attacks occurred in November, with the highest spike on November 18th. Leading up to this date we observed five CVEs being actively exploited in the wild, which may have contributed to this figure. The full details are in the downloadable report.

Another notable spike was on December 24th, when 80 successful attacks were witnessed. Threat actors know that security teams are finishing up for the year, taking unused PTO, and generally being slower to respond than other times in the year, and they capitalize on this, giving them an improved success rate of actions on objectives.
The most prominent group of the year was Ransomhub with 612 attacks, followed by Lockbit with 538, despite the continued takedowns. Ransomhub offers a 90% split with affiliates, making its ransomware-as-a-service platform attractive for groups to work with.

Cloud

Threat actors continue to follow the industry adoption of cloud. We observed a 39% increase of attacks against cloud infrastructure over 2023, making this a growing initial access vector. Attacks were mainly targeted against identity management and exploiting misconfigurations in cloud infrastructure.

Notable Events

Other notable events this year include the Crowdstrike outage, the Operation Cronos takedown of Lockbit, OpenAI’s released report on how threat actors are using ChatGPT, and the Health Infrastructure Security and Accountability Act being proposed in the US. Several of these are detailed in this quarter’s report.

Conclusion

2024 has been both the year with the most attacks overall and the year with the largest number of attacks in one quarter, rivalling the previous years in just 90 days. The spike in November can be attributed to several zero-days that were exploited in the wild, showing the need for a responsive patching process to avoid exploitation by opportunistic threat actors.

Attackers continue to follow the industry into the cloud, making this a common attack vector. Q4 saw a total of 66 active groups, 2 more than Q3’s 64 and 20 more than Q4 in 2023. A growing number of attacks combined with an increased number of groups typically indicates increased success rates of successful exploitation. IBM’s “cost of a data breach” shows that the average cost is now 4.8 million US dollars, making successful attacks both more common and more expensive than in previous years.

Download the full report


CyberMaxx Q4 2024 Ransomware Research Report reveals Q4 witnessed the most attacks in any single quarter to date
https://www.cybermaxx.com/resources/cybermaxx-q4-2024-ransomware-research-report-reveals-q4-witnessed-the-most-attacks-in-any-single-quarter-to-date/
Thu, 23 Jan 2025 16:30:55 +0000

The post CyberMaxx Q4 2024 Ransomware Research Report reveals Q4 witnessed the most attacks in any single quarter to date appeared first on CyberMaxx.

]]>
Chicago, IL – January 23, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that 2024 has seen the highest number of ransomware attacks on record, with Q4 2024 marking the most attacks in any single quarter to date.

According to CyberMaxx research, Q4 2024 saw 2,358 ransomware attacks, making it the highest number recorded in a single quarter. This marks a 137% increase compared to the attacks observed in Q3 2024.

“There were almost double the number of successful attacks in the final 90 days of 2024 as there were in all of Q3 2024,” says Connor Jackson, Security Research Manager at CyberMaxx. “Q3 saw 1,218 attacks vs Q4’s 2,358, at 193%.”

Threat actors followed mainstream cloud adoption in 2024, and the cloud became a popular target. Identity attacks and the exploitation of misconfigurations were the main attack vectors used.

“We saw a 39% increase in attacks against cloud environments over 2023, making this a common initial access vector for threat actors,” says Jackson.

There has been a continued rise in new threat actors, with Q4 witnessing 66 active groups involved in successful ransomware and data extortion attacks. This compares to 39 active ransomware groups in Q4 2022 and 46 active groups in Q4 2023, showing a steady upward trend in the number of threat actors entering the space.

The average cost of a data breach for an organization continues to grow year over year. Between 2020 and 2024, the cost has risen from $3.86M to $4.88M. Combined with the rising attack counts above, this shows that incidents are becoming both more frequent and more expensive.

The cyber research team at CyberMaxx conducts routine threat research independent of client engagements in order to help foster collective intelligence among the cybersecurity community.

Access the full Ransomware Research Report here: https://cybermaxx.com/q4-2024-ransomware-research-report/

About CyberMaxx

CyberMaxx provides comprehensive managed detection and response (MDR) services that protect organizations from today’s complex cyber threats. With a focus on proactive security measures, CyberMaxx delivers industry-leading technology combined with expert human oversight, offering robust protection and peace of mind to clients across various industries.

For more information about CyberMaxx’s Modern Managed Detection & Response (MDR), visit www.cybermaxx.com

Media Contact

Clint Poole
E: cpoole@cybermaxx.com
M: 857-540-2331

Malicious Honeypots Polluting Internet Scanner Results https://www.cybermaxx.com/resources/malicious-honeypots-polluting-internet-scanner-results/ Mon, 04 Nov 2024 17:24:56 +0000

I’ve been scanning dark web sites for a long time and the greater internet for even longer, mainly looking for command-and-control (C2) servers in use today by attackers. I like to think of this as threat hunting in the attacker’s space, rather than how we traditionally think of threat hunting within the defender’s space (inside our organization’s systems).

Something I’ve seen more and more recently is the use of deception (or anti-deception?) in an attempt to mitigate these defensive operations in the attacker’s space.

These differ from traditional honeypots and deception ops. With a device configured for traditional deception, you try to emulate a real system, configuring it to be as close to the real thing as possible, sometimes even using a real, vulnerable system, with the goal of getting an attacker to exploit it. That lets you monitor their techniques and fold them into your defensive capabilities, or use the honeypot as an early warning that you’re being scanned, looked at, or already popped. (Adding a few decoy entries to your robots.txt file and alerting on requests to those paths is a good starting point.)

But what I’ve seen is different.

My first thought was that these are just poorly designed honeypots. However, I found something interesting, which leads me to believe this is incorrect. These tools are designed to pollute results with false information.

Don’t believe me? Well, take a look at this file in one directory that makes it pretty obvious what its intended goals are.

As my Chinese-speaking ability is what some would describe as “terrible”, it was important to double-check that this wasn’t a translation error. The same string was passed into different translation tools, including ChatGPT, all of which returned the same result:

Taking a closer look at the code directly, it was evident that this is exactly the intended purpose. Several files contain multiple keywords that trigger various types of scanners, ranging from weak passwords and an apparently exposed /etc/passwd to false service names in the response. This is likely to fire both on attackers knocking and on search engines like Shodan and Censys, and based on the translated text from earlier, that is part of the design.

Finding these types of systems is not overly difficult. They always contain some unique marker that you can hunt for. In this specific instance I was hunting for a unique csrf-token in the headers. You can find a lot of interesting indicators by analyzing malware and looking at its certificates. Extra points if you set everything up in a lab and analyze the self-signed certs the software generates; a reusable certificate indicator will help you reach production scale quickly.

What is even more interesting though is what they are doing. Take a look at one such host I found on Shodan:

Many of these are hosting MiniUPnPd for port redirection, most likely to redirect to the second frequent item: a huge number of false services:

For scanners this is annoying at best, as it pollutes results that then have to be adjusted by hand. For search engines, it can wrongly inflate vulnerability metrics if the honeypot isn’t identified and excluded from search results.

Having done some more digging, I found this article from Censys, published last September, that goes into great detail on this specific threat: https://censys.com/red-herrings-and-honeypots/. They also linked the files I came across to a repo on GitHub.

Many of these devices have an unusual marker in the server header. If you want to take a look yourself at many of these types of devices, here’s a simple Shodan query to reveal the hosts using that specific project: https://www.shodan.io/search?query=Rm9yIGludGVnZXJzLCB0aGVyZSBpcyB1bmlmb3JtIHNlbGVjdGlvbiBmcm9tIGEgcmFuZ2UuIEZvciBzZXF1ZQ%3D%3D.

If you have an enterprise account, add -tag:honeypot to filter out the honeypots Shodan already knows about and see the ones that slipped through. The purpose of poisoning search results is interesting. It points to a larger operation: the goal is likely not to annoy an analyst who has to fix their results, but to create a smokescreen that an attacker can operate from. Using projects like this at scale and hiding a true C2 within the noise is an excellent use of deception to hide in plain sight and have infrastructure misclassified by scanners, allowing a threat actor to operate from the same infrastructure for longer and bringing down their operational costs.

Or it could just be a poorly designed honeypot.
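The markers described above (a distinctive string in the server header, canned lure content such as a passwd file, a MiniUPnPd redirector in front of an implausible pile of services) can be turned into a triage pass over exported scan data, so that decoys are dropped before any vulnerability metric is computed. The script below is an added example, not code from this post or from the fuckhoneypot project. One thing in it is verified rather than assumed: the Shodan query linked in this post is a base64 string, and decoding it yields “For integers, there is uniform selection from a range. For seque”, a fragment of the Python standard library documentation for the random module. Everything else is an assumption: the scan records are constructed, the decoy is assumed to echo the encoded marker in its Server header (the post says only that the header carries an unusual marker), the lure strings are illustrative, and the thresholds are starting points to tune against your own scanner.

```python
import base64
from collections import defaultdict
from dataclasses import dataclass

# Added example; not code from the post or from the fuckhoneypot project.

# The Shodan query in the post is a base64 string. Decoding it gives a fragment
# of the Python `random` module documentation; a host that echoes either form
# in a banner is serving the decoy's canned responses.
MARKER_B64 = ("Rm9yIGludGVnZXJzLCB0aGVyZSBpcyB1bmlmb3JtIHNlbGVjdGlvbiBm"
              "cm9tIGEgcmFuZ2UuIEZvciBzZXF1ZQ==")
MARKER = base64.b64decode(MARKER_B64).decode()

# Lure content of the kind the post says the decoy files carry to trip scanner
# signatures (an "open" /etc/passwd, weak credentials). Assumed strings.
LURES = ("root:x:0:0:", "admin:admin")

# Assumption: a single real host rarely exposes this many distinct products.
MAX_PLAUSIBLE_PRODUCTS = 20


@dataclass(frozen=True)
class Banner:
    """One scanner record: host, port, the product label the scanner assigned,
    and the raw response that label was derived from."""
    ip: str
    port: int
    product: str
    data: str


def classify_host(banners):
    """Return the reasons a host looks like a result-polluting decoy.

    Each heuristic is reported separately so an analyst can see which one
    fired; an empty list means nothing suspicious was observed.
    """
    reasons = []
    products = {b.product for b in banners}
    blob = "\n".join(b.data for b in banners)

    if MARKER in blob or MARKER_B64 in blob:
        reasons.append("known decoy marker in banner")
    if any(lure in blob for lure in LURES):
        reasons.append("canned lure content in response")
    if len(products) > MAX_PLAUSIBLE_PRODUCTS:
        reasons.append(f"{len(products)} distinct products on one host")
    # The post observed MiniUPnPd fronting the pile of fake services; on its
    # own a UPnP daemon is normal, so only flag it alongside many products.
    if any("MiniUPnPd" in b.data for b in banners) and len(products) > 5:
        reasons.append("MiniUPnPd redirector alongside many services")
    return reasons


def partition(banners):
    """Group records by host; return (clean_ips, suspect) where suspect maps
    each flagged ip to its reasons. Only clean_ips should feed vuln metrics."""
    by_host = defaultdict(list)
    for b in banners:
        by_host[b.ip].append(b)
    clean, suspect = set(), {}
    for ip, host_banners in by_host.items():
        reasons = classify_host(host_banners)
        if reasons:
            suspect[ip] = reasons
        else:
            clean.add(ip)
    return clean, suspect


# Constructed sample input (documentation address ranges, invented banners):
# one ordinary web server and one decoy of the kind the post describes.
SAMPLE = [
    Banner("192.0.2.10", 22, "OpenSSH", "SSH-2.0-OpenSSH_9.2p1 Debian-2"),
    Banner("192.0.2.10", 443, "nginx", "HTTP/1.1 200 OK\r\nServer: nginx/1.24.0\r\n"),
    Banner("198.51.100.7", 80, "Apache httpd",
           "HTTP/1.1 200 OK\r\nServer: " + MARKER_B64 + "\r\n\r\n"
           "root:x:0:0:root:/root:/bin/bash\n"),
    Banner("198.51.100.7", 5000, "MiniUPnPd",
           "HTTP/1.1 200 OK\r\nServer: MiniUPnPd/2.0 UPnP/1.1\r\n"),
]
_FAKE = ["MySQL", "Redis", "Memcached", "MongoDB", "Elasticsearch", "vsftpd",
         "ProFTPD", "Postfix", "Exim", "Dovecot", "RealVNC", "xrdp", "Telnet",
         "Jenkins", "Tomcat", "WebLogic", "JBoss", "Zabbix", "Nagios", "Splunk",
         "Kibana", "Grafana", "Cisco IOS", "FortiGate", "MikroTik RouterOS"]
SAMPLE += [Banner("198.51.100.7", 10000 + i, name, f"{name} ready\r\n")
           for i, name in enumerate(_FAKE)]

if __name__ == "__main__":
    clean, suspect = partition(SAMPLE)
    print("feed into metrics:", sorted(clean))
    for ip, reasons in suspect.items():
        print("exclude", ip, "->", "; ".join(reasons))
```

Run it on records exported from your own scanner rather than the constructed sample, and treat the product-count and MiniUPnPd thresholds as knobs: a large shared host or a load balancer can legitimately present a dozen products, which is why each heuristic is reported on its own instead of collapsed into a single score. A host that hits the decoy marker is excluded outright; the other reasons are there for an analyst to review before a result is counted as a real exposure.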

Links:
• Repo: https://github.com/fuckhoneypot/fuckhoneypot/tree/main
• Shodan search: https://www.shodan.io/search?query=Rm9yIGludGVnZXJzLCB0aGVyZSBpcyB1bmlmb3JtIHNlbGVjdGlvbiBmcm9tIGEgcmFuZ2UuIEZvciBzZXF1ZQ%3D%3D.
• Censys report: https://censys.com/red-herrings-and-honeypots/

Ransomware Research Report | Q3 2024 – Audio Blog Interview https://www.cybermaxx.com/resources/ransomware-research-report-q3-2024-audio-blog-interview/ Thu, 17 Oct 2024 12:00:46 +0000

The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q3’s research here.

Video Transcript

Intro

This is the Q3 Ransomware Report for 2024. I’m Connor Jackson, let’s get into it.

Ransomware Activity

The total number of observed ransomware and extortion attacks in Q3 2024 was 1720, compared to Q2’s volume at 1755 – this is a 2% deviation in total volume on one of the quarters with the highest numbers we’ve seen in the past 18 months.

These 1720 attacks were performed by 64 active groups – equating to roughly 27 attacks per group. Looking at the averages for each quarter we are seeing that this is staying steady in the 26-29 range for each quarter, but the total number of attacks is going up across the board. You’re probably asking yourself well… why is that?

The answer to that question is that the number of attackers is increasing. Compared to 12 months ago in 2023’s Q3 there were 52 observed attack groups, and 6 months before that in Q1 that number was 33 – this number has almost doubled in 18 months.

Branching off from this, IBM have been tracking the average cost of a data breach since 2020 – which has risen from $3.6M to $4.8M in 4 years. Let me get this out of the way first: it’s hard to quantify this figure due to different industry regulations, size and maturity of the organization, etc. etc. I know – this is just a generic average of the sample group. But it is growing as well.

So what we’re seeing is an increase in attacks every day, the number of groups is increasing, and the cost of an attack is going up. This tells us that ransomware is a continuously growing industry. Grab the full report if you want to review the complete numbers and trends that we’ve observed.

Top Five

The top five groups this quarter start with Ransomhub at number one with 247 attacks, Lockbit and Play both with 92 in second place, Qilin at number four with 80 attacks, and Meow with 78. These five groups accounted for 35% of all activity this quarter.

Ransomhub are currently offering between an 80 and 90% profit split with affiliates, which may be what escalated them to the top this quarter. They have also been working with the unpaid AlphV affiliates from the Change Healthcare attack earlier this year, and have attempted to get a second payment from the victim. It is unknown at this time if Change paid the second extortion as well; however, this display may have led to the group attracting customers with this show of force. Unpaid affiliates have been a growing issue among ransomware gangs lately.

Operation Cronos Update

On October 1st, law enforcement updated Lockbit’s original release page on the dark web with a countdown for posts titled “Lockbit linked UK arrests” and “Arrest of a major Lockbit actor”.

Once the countdown had completed, the posts were updated to inform readers that several major arrests had been made across Europe. In the UK, two individuals were arrested in August in relation to money laundering operations; in Spain, the owner of the bulletproof hosting provider used for Lockbit’s infrastructure was arrested at an airport in Madrid; and French authorities arrested a suspected Lockbit developer who was on vacation outside of Russia.

The major affiliate was named and added to justice.gov, and is wanted for their alleged involvement in ransomware attacks and money laundering activities.

Conclusion

This quarter saw no drop in the volume of activity, another increase in the number of threat actor groups, updates to law enforcement’s takedown of Lockbit, and a timeline of government agencies banning software made by Kaspersky. Full details are available in the full report.

Download the full report


CyberMaxx Q3 2024 Ransomware Research Report Shows 2% deviation in the volume of attacks, and an 8.5% increase in active groups compared to Q2 https://www.cybermaxx.com/resources/q3-2024-research-report-shows-2-deviation-in-the-volume-of-attacks-and-an-8-5-increase-in-active-groups-compared-to-q2/ Thu, 17 Oct 2024 12:00:39 +0000

Ransomware operations are a thriving industry, and the total number of affiliates, threat actors, and groups is growing.

CHICAGO, IL – October 17th, 2024 – CyberMaxx, the leading managed detection and response (MDR) provider, today released its Quarterly Ransomware Research Report, which revealed a 2% deviation in the volume of ransomware attacks and an 8.5% increase in active ransomware groups compared to Q2.

According to CyberMaxx research, there were 1,720 observed attacks in Q3. This data shows that attackers have not lost any momentum since Q2, one of the busiest quarters in the past 18 months, which saw 1,755 attacks.

In addition, the number of active ransomware groups is increasing. There were 64 active ransomware and extortion groups in Q3, an increase from 59 in Q2 2024 and 52 in Q3 2023.

While the average number of attacks per group was 27, a small number of groups have significantly skewed this figure.

With 247 attacks, Ransomhub was the top active group for this quarter. Its Ransomware-as-a-Service (RaaS) affiliate model allows affiliates to control their own payments.

Lockbit remains in second place despite disruptions by law enforcement in its operations. Play, Qilin, and Meow were also among the top active groups for Q3 2024.

Despite being the most prolific group in the previous quarter, Dispossessor has fallen from the list of top contenders.

The group carried out only 40 attacks in Q3, compared to 329 in Q2. Some have speculated that the group is taking credit for the work of others rather than carrying out attacks directly.

The cyber research team at CyberMaxx conducts routine threat research independent of client engagements in order to help foster collective intelligence among the cybersecurity community.

Access the full Ransomware Research Report here: Q3 2024 Ransomware Research Report

About CyberMaxx

CyberMaxx, LLC., founded in 2002, is the leading provider of managed detection and response (MDR), headquartered in Chicago, IL. CyberMaxx’s managed detection and response solution (MaxxMDR) is designed to be scalable for clients of all sizes, providing protection and improving the organization’s security posture, ultimately giving customers peace of mind that their systems and data are secure. CyberMaxx expanded its capabilities through the 2022 acquisition of CipherTechs, an international cybersecurity company providing a complete cybersecurity portfolio across MDR Services, Offensive Security, Governance, Risk & Compliance, DFIR, and 3rd party security product sourcing.

For more information visit: www.cybermaxx.com

CyberMaxx Media Contact

Clint Poole
cpoole@cybermaxx.com

Ransomware Research Report | Q2 2024 – Audio Blog Interview https://www.cybermaxx.com/resources/ransomware-research-report-q2-2024-audio-blog-interview/ Tue, 16 Jul 2024 16:16:07 +0000

The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Intro

Hi everyone, I’m Connor Jackson, the security research manager at CyberMaxx.

Ransomware Quarterly Review

The number of ransomware and extortion attacks in the second quarter of 2024 continues to grow, up 37% from Q1 and sitting at 1755 attacks between the 1st of April and the end of June – for context, that’s up from 1283 in the first quarter across all industries.

The top three groups combined accounted for almost 40% of all ransomware attacks this quarter, the full report provides an overview of each group, as two of the three are new to the stage.

Lockbit were surprisingly not the threat group with the highest volume this quarter, having fallen to second place; however they are the only group in the top three that produce their own unique ransomware strain, providing something the others do not.

The top performing group this quarter is Dispossessor, with 329 attacks. Followed by Lockbit with 215 and finally Ransomhub with 148 successful attacks.

Dispossessor

Dispossessor have very recently emerged onto the ransomware landscape and immediately made a name for themselves, beating out Lockbit in the process. However, following the Lockbit crackdown by law enforcement during Operation Cronos, Dispossessor emerged mimicking Lockbit’s tradecraft and offering RaaS with a large payment split.

It has been noted, however, that this group has allegedly not carried out the attacks themselves, but rather used data that other groups had originally exfiltrated.

Ransomhub

Allegedly, following the attack on Change Healthcare, the ALPHV group failed to pay their affiliates and instead took down much of their infrastructure. Change paid the initial ransom of $22 million; however, the unpaid affiliates then worked with RansomHub and extorted Change a second time. It is currently unknown whether a second payment was made; however, the data that was previously listed has recently been taken down.

A copy of the second extortion note is available in this quarter’s report.

Lockbit

In spite of Operation Cronos, which took place on February 19th, 2024, Lockbit appear to still be maintaining operations. Several of their release pages and mirrors are also still live and being updated with new victims almost daily; however, the majority of sites have been seized by law enforcement and have been updated to reflect this.

Lockbit later claimed to have exfiltrated 33TB of data related to the Federal Reserve, threatening to release the data in late June. Upon release, it appears that this claim was, in fact, false, with the data being related to an Arkansas-based bank instead.

Interestingly, the Federal Reserve has issued an enforcement action against the victim, citing deficiencies in “risk management” and “consumer compliance” as grounds for the action. The full action is available on the Federal Reserve’s press release page.

Wrapping up

The takeaway here is that the prevalence of repeat extortions for data has increased. This tactic appears to be related to unpaid affiliates going after the victim organization to get their share rather than going through the original threat actor; however, this will lower confidence that the threat actor will actually purge the stolen data and will likely result in organizations not paying at all.

Understanding your organization’s threat landscape, reducing your attack surface and ensuring patches are applied are all crucial steps to ensuring you do not fall victim to the increasing number of ransomware and data extortion attacks.

Download the full report

