Research Archives | CyberMaxx (https://www.cybermaxx.com/resources/category/research/), feed last updated Wed, 30 Jul 2025 18:42:13 +0000

Ransomware Trends Beyond the Headlines: A CISO’s Q2 2025 Perspective
https://www.cybermaxx.com/resources/ransomware-trends-beyond-the-headlines-a-cisos-q2-2025-perspective/ Wed, 30 Jul 2025 18:42:13 +0000

The post Ransomware Trends Beyond the Headlines: A CISO’s Q2 2025 Perspective appeared first on CyberMaxx.

There are numerous threats that organizations need to account for and incorporate into their security programs. But ransomware remains top of mind for leaders and practitioners alike. Ransomware is widely reported and closely watched.

Often, its attacks make the news, impacting well-known companies and directly affecting individuals. It’s important to examine trends and identify lessons that can be applied to our own practices in response to the ransomware threat.

Why the Decline in Q2 Attacks Doesn’t Tell the Whole Story

The first thing that stands out from this quarter’s report is the overall drop in attacks. At first glance that is good news: nearly one thousand fewer attacks, a 40% decline compared to Q1. However, organizations cannot take the headline totals alone and conclude from them that the threat level has decreased.

High-level trends can give false hope to an organization, which is why it’s important to examine the numbers themselves. As the report demonstrates throughout, a false sense of security would form if we focused just on the total numbers.

Don’t Think in Silos: Risks Cross Every Boundary

One trap we must avoid is thinking only within our own silo. The reality is simple: threats are everywhere, and they are constantly shifting. The threat landscape is vast and far-reaching, and much of it affects us directly. Even if we initially downplay the threat from certain groups based on perceived attack likelihood, that assumption can be misleading.

The past few years have heightened our collective awareness of third-party and supply-chain risks. These are closely related, and their impact on organizations, customers, and the general public is now widely recognized. We need to look beyond the borders of our organization when assessing threats and weighing our risk exposure. That includes trends in industries we do not operate in ourselves but that are highly impactful to our daily operation as a business.

Move Beyond Prevention: Resilience is the New Goal

This leads us back to the need to elevate our mindset and the lens through which we view our security program. It is no longer enough to think in terms of prevention and recovery. Yes, they are important components, but that can’t be where we focus all of our efforts and resources. Our focus and aim must be resilience.

How do we continue to operate at or near 100% in the event of a security incident? What are our dependencies on supply chains and third parties, and if one of them suffered an incident and could not fulfil its obligations, how would that affect our ability to operate normally? We need to work through those considerations.

Healthcare’s Vulnerability and Why It Should Concern You

Healthcare remains one of the most frequent targets for attacks by these threat groups. The report explains the reasoning behind that. What we, as organizations, need to do is account for where the healthcare industry intersects with our business vertical. Remember, healthcare is a broad field; it encompasses more than just hospitals.

It’s all elements of the healthcare system: hospitals, billing companies, insurers and their records, and more. There is a potential impact on our organization even if we’re not in healthcare, and even if healthcare isn’t part of our supply chain.

The Broader Impacts of Breaches on Your Workforce

Our people likely have healthcare coverage through the organization and certainly maintain some form of medical records. So, when there’s a breach of that information, everyone may feel an impact. There is a mental toll on individuals when personal information they expect to stay private, whether health or financial, gets exposed.

They have no idea how bad the impact will be on them. Can we build any measures to mitigate that risk? Can we incorporate a part of our security program that allows for resilience when a large breach may affect a large swath of our organization’s personnel, causing their focus and performance to be impacted by this new stress?

Think Like a Business Leader: Customer Industry Risk = Your Risk

Now, let’s look at it through more of a business lens. Your organization isn’t in healthcare. However, a significant portion of your customer and client base may be healthcare organizations. We’re using healthcare, but it can be any other industry that you serve or rely on to generate revenue as part of your operations.

Let’s say your organization provides a non-healthcare service to the healthcare industry. It’s one of your largest customer verticals and a focus of your go-to-market strategy. If that industry is experiencing an increase in attacks, they will need to address it with their resources. That means a shift in budget priorities. That may cause you to lose out on deals, have current customers cancel at renewal, and deter prospective clients because the budget dollars are no longer available.

Take a Holistic View of Threats Across Industries

We need to take a holistic approach when evaluating potential threats across the broader ecosystem. That means understanding where our organization overlaps with different business verticals and how attack trends in those sectors could affect us.

There is one other focus from this quarter’s report. We mentioned resilience earlier, and it is also mentioned in the report itself. No longer is security just about prevention and recovery; it’s also about how we set ourselves up to maintain resilience in the face of an attack.

It’s not only about disaster recovery (DR), but also about business continuity (BC), and increasing our focus on maintaining operations in the face of adversity, regardless of the threat. And it’s really about ensuring we’re true to the basics. The old, tried-and-true solutions that we’ve been hearing about for ages.

Security Basics Still Work If You Use Them

Vectors change, industries of focus change, and even what’s being ransomed or threatened changes, but what we can do to help protect ourselves has remained relatively consistent.

Key foundational practices include:

  • Implementing multifactor authentication (MFA/2FA) for all accounts, especially those accessible from the internet
  • Establishing a strong backup-and-recovery program that includes regular testing and a version of backups isolated from the corporate network
  • Developing and regularly testing incident response plans and protocols to ensure staff are prepared for evolving attacker tactics
  • Maintaining a disciplined patching and vulnerability management program to reduce exposure from both new and older vulnerabilities

These are just a few of the security basics that have been recommended for years and remain highly effective to this day.

The Quiet Risk: Unpatched Vulnerabilities

Patching and vulnerability management often receive little attention. It isn’t necessarily exciting; it’s usually not the program that gets people jumping out of bed eager to conquer it. The latest and greatest vulnerability, the one large enough to make the news cycle, is the one that gets noticed and prioritized.

It’s the one everyone asks about: how are we doing with this, are we protected, what do we need to do to be protected right now? Yet exploit development takes time, and threat groups operate under the same logic as ordinary businesses. If what they already have still works, why incur the expense of changing just to chase the latest trend?

If you look at some of the highlighted vulnerabilities in the report, you’ll notice that they are typically one to two years old. They may not be related to recent headlines, or even garnered headline attention when they were first discovered, but they’re still being exploited today. And the reason they’re still being exploited is that there are still environments where these vulnerabilities remain unpatched. Therefore, threat actors have a sufficient market where what they developed years ago continues to generate a profit.

Why change?

Yes, patching and vulnerability management have their complications: timing a patch, the potential downtime of a system to apply it, and any number of other concerns organizations face when a vulnerability is discovered. However, it remains one of our most effective tools for securing environments and strengthening organizational resilience.

Understand the Story Behind the Numbers

The difference in the numbers between Q2 and Q1 appears to be favorable. You notice a significant decline in attacks at first glance. But that’s why we have to dive deeper than just the initial numbers. We have to see where they’re focused and what that can really tell us. We must seek to understand what all these numbers are telling us and what those implications are for our business.

Review Q2’s Report.

Ransomware Research Report | Q2 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q2-2025-audio-blog-interview/ Thu, 24 Jul 2025 17:42:12 +0000

The post Ransomware Research Report | Q2 2025 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q2’s research here.

Video Transcript

Introduction

Ransomware activity in Q2 of 2025 showed a significant decline compared to the previous quarter. We observed a total of 1488 successful ransomware attacks between April 1st and June 30th, compared to the 2461 we observed in Q1. This represents a 40% decline in activity. Despite the reduction, ransomware remained a persistent threat, with an average of one successful attack occurring approximately every 87 minutes during Q2.

We observed a total of 75 ransomware groups operating within Q2, up from 74 in Q1. There appears to have been a focus on sectors with sensitivity to operational disruption this quarter – healthcare, manufacturing being two of the top three industries hit – along with education, government and energy all showing growth as well, to a smaller degree.

Qilin is the threat actor with the most successful ransomware attacks this quarter – with 176 total, followed by Akira with 139 and Play with 124. Qilin was most active within the healthcare industry and technology sectors.

While Cl0p was extremely active last quarter, they have not been as active recently. This may be due to them still working through the backlog of victims from exploiting Cleo Harmony back in February.

Lockbit Updates

In recent months, two major ransomware groups were quietly hacked, and both attacks featured the same message: “Don’t do crime, xoxo from Prague.” No one has come forward to take responsibility.

In April, the Everest group’s leak site was defaced, and then in May LockBit’s affiliate panel was also updated with the same odd message. The LockBit breach also leaked internal data and crypto wallet addresses.

Theories are circulating that it may have been a rival gang or law enforcement; however, no one has officially taken credit for either attack, and both were very likely carried out by the same individual (or group!).

HealthCare

Between April 1 and June 30, 2025, the healthcare sector experienced 95 ransomware attacks, making it the third most targeted industry during this period, following Manufacturing and Tech at 157 and 136 respectively.

Across the broader ransomware landscape, a healthcare organization is now hit with a successful attack roughly every 22 hours. Groups like Qilin and others continue to exploit healthcare’s operational urgency pressuring victims to pay quickly to avoid disruptions to patient care or data exposure.

The impact of each incident tends to be disproportionately high compared to other industries; leading to care delays, system outages, and regulatory complications.

Qilin:

Qilin have been the most prolific group this quarter, primarily targeting high-impact and operationally critical industries.

Manufacturing led all sectors, followed by Technology and Healthcare, reflecting Qilin’s focus on data-sensitive and disruption-prone environments. Transportation/Logistics and Education were also notable targets.

A full breakdown of their operational target industries can be seen in the full report.

Qilin have demonstrated consistent growth throughout the first half of 2025, with attack volumes rising steadily each month. Starting with a relatively low number of incidents in January, activity nearly doubled by February and remained stable through March and April. A sharp increase followed in May, and June marked the group’s most active month to date, with over 75 recorded attacks.

The vulnerabilities we have observed the group using are as follows:

  • CVE-2023-4966 aka CitrixBleed
  • CVE-2023-27532 in Veeam Backup Credential Access
  • CVE-2025-31161, an authentication bypass in CrushFTP
  • CVE-2025-31324 in SAP NetWeaver (which interestingly was exploited at least 3 weeks before public disclosure – showing that the group had early access to a 0day).
  • CVE-2025-32756 which allows unauthenticated RCE in several Fortinet products.

The full list of exploited vulnerabilities is also available in the report, along with a breakdown of their currently active infrastructure.

Q2 Conclusion

The second quarter of 2025 marked a complex and transitional period in the ransomware landscape. While overall attack volume declined significantly, threat activity remained widespread, with critical sectors such as healthcare, government, and education continuing to face sustained pressure. Despite the slowdown in raw numbers, the frequency of attacks and the strategic focus of top ransomware groups indicate that the threat remains both adaptive and persistent.

Qilin emerged as the most active ransomware group this quarter, steadily increasing its operations and overtaking previously dominant groups such as Cl0p. Their consistent targeting of high-impact industries, exploitation of newly disclosed vulnerabilities, and technical adaptability demonstrate a clear evolution in capability and reach. At the same time, the temporary absence of Cl0p from the top rankings, despite its history of impactful, exploit-driven campaigns, highlights the cyclical and opportunistic nature of ransomware group activity.

Sectors like healthcare continue to experience frequent and damaging incidents, underscoring the need for targeted resilience strategies. Meanwhile, the recent breaches of ransomware infrastructure such as the defacements of Everest and LockBit hint that threat actors themselves are not immune to disruption, though the sources of these countermeasures remain unknown.

In summary, Q2 2025 presented fewer attacks overall, but increased complexity in attacker behavior, tooling, and targeting. Organizations must remain proactive, adaptable, and intelligence-driven in their defensive strategies as ransomware continues to evolve.

Read the full report.

Ransomware Research Report | Q1 2025 – Audio Blog Interview
https://www.cybermaxx.com/resources/ransomware-research-report-q1-2025-audio-blog-interview/ Thu, 24 Apr 2025 16:12:55 +0000

The post Ransomware Research Report | Q1 2025 – Audio Blog Interview appeared first on CyberMaxx.


The CyberMaxx team of cyber researchers conducts routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q1’s research here.

Video Transcript

Ransomware

Ransomware activity continues to climb in the first quarter of 2025, with 2461 attacks carried out by 74 active groups. This is a 4% increase over last quarter, which was the previous period with the highest volume of attacks on record.

At the forefront of this quarter is Cl0p, which was responsible for 398 attacks, roughly 16% of the total. Cl0p achieved this by chaining two vulnerabilities together in Cleo Harmony and VLTrader for a huge impact. These vulnerabilities are listed under

  • CVE-2024-50623
  • CVE-2024-55956

This campaign peaked in February with 331 attacks, the highest monthly total ever recorded by a single group.

Other top actors included RansomHub, Akira, Babuk2, and Qilin. Surprisingly, Lockbit, once a dominant force, dropped to 24th place with only 23 attacks. Exploitation of unpatched systems continues to be a favored technique for initial access among ransomware groups.

BlackBasta

In February 2025, a major leak of internal chat logs exposed the inner workings of the BlackBasta ransomware group. The leak discusses their target preferences, tactics, and tools.

Target Selection

Black Basta prioritized organizations with low tolerance for downtime, including healthcare, financial services, and critical infrastructure. These sectors were targeted strategically, given the high stakes and pressure to restore operations quickly, factors that increase the chance of ransom payments.

Exploitation Tactics

The group typically exploited known vulnerabilities rather than expensive zero-days. However, they did purchase at least one high-value exploit for use against CVE-2024-26169, used for privilege escalation on Windows systems. Microsoft patched it in March 2024, but evidence suggests Black Basta had access prior to its public disclosure, dating back as early as December 2023.

Tools and Techniques

Two tool variants linked to the group were uncovered by Symantec. One, compiled in December 2023, is publicly available on VirusTotal. The second, from February 2024, appears to have been privately tested. The leak also confirmed extensive credential harvesting operations—key to initial access and lateral movement. A link to the VirusTotal analysis is available in the full report.

Underground Forum

Logs indicate the group actively used platforms like exploit.in to acquire or trade vulnerabilities.

Conclusion

This leak gives us a behind-the-scenes look at a major ransomware group. It highlights the group’s clear focus on exploiting vulnerabilities in critical sectors and leveraging credential harvesting to facilitate their attacks. As always, proactive patching, credential protection, and a hardened defense strategy are needed to stay ahead of these tactics, especially for organizations in critical sectors.

Bybit

In February 2025, the Bybit cryptocurrency exchange suffered one of the largest crypto thefts to date—400,000 ETH, worth $1.5 billion. The attack has been attributed to the Lazarus Group, a North Korean state-sponsored threat actor known for targeting digital assets.

Lazarus exploited Safe{Wallet}, a third-party multi-signature wallet platform designed to enhance transaction security. The attackers compromised a developer’s workstation at Safe{Wallet}, injecting malicious JavaScript into its frontend interface.

This clever move allowed them to disguise an unauthorized transfer as a legitimate transaction. Exploiting user behavior—specifically the tendency to rapidly click through approval prompts—they bypassed the multi-signature protection and triggered a massive transfer from Bybit’s cold wallet without raising alarms.

Once the theft was complete, Lazarus laundered the stolen ETH through multiple intermediary wallets, swapping tokens and using cross-network services to obscure the funds’ origins. The stolen assets currently sit dormant across multiple wallets.

The big takeaway here is that even the most secure systems can be undermined by third-party vulnerabilities and user complacency.

Chainalysis

In 2024, ransomware attacks reached record levels, especially in the fourth quarter. But in a surprising twist, ransomware payments actually fell. According to Chainalysis, victims paid $813 million in crypto, down 35% from $1.25 billion in 2023.

This unexpected decline comes as Q4 2024 marked the most active quarter ever for ransomware. The drop in payouts signals a shift in how organizations are responding to these threats.

So, what are the reasons for this decline?

First, companies are improving their cybersecurity, with stronger defenses and better backups, so that many can now recover without paying.

Second, regulatory pressure is rising. Governments are discouraging ransom payments to avoid fueling criminal activity.

And third, there’s greater awareness. Organizations now better understand the long-term consequences of paying ransoms, such as encouraging repeat attacks.

Add to that a global law enforcement crackdown—seizing crypto, arresting operators, and dismantling gangs—and the result is a ransomware ecosystem that’s getting harder to profit from. However, with ransomware numbers continuing to climb it also suggests that while payment volumes have decreased, the overall threat of ransomware continues to grow.

Oracle Health

In early 2025, Oracle Health, formerly known as Cerner, suffered a major data breach affecting multiple U.S. hospitals and healthcare providers. The breach stemmed from unauthorized access to legacy data migration servers using compromised customer credentials, with activity traced back to late January.

Sensitive patient data from electronic health records was exfiltrated, though the full scope remains unclear. Oracle Health discovered the breach in February and began notifying affected clients in March.

Adding to the complexity, an individual calling themselves “Andrew” has attempted to extort healthcare providers, threatening to release the stolen data. “Andrew” isn’t linked to any known ransomware group, suggesting a possible lone actor or emerging threat.

This breach highlights two critical vulnerabilities: outdated legacy systems and inadequate credential protections.

Q1 Conclusion

Security teams must prioritize patch management and ensure that critical vulnerabilities are addressed promptly. Organizations should also emphasize credential protection, implementing multi-factor authentication (MFA) and monitoring for compromised accounts.

How does a Malicious OAuth Application Attack work? – Oauth2 Research
https://www.cybermaxx.com/resources/how-does-a-malicious-oauth-application-attack-work-oauth2-research/ Mon, 03 Mar 2025 20:12:35 +0000

The post How does a Malicious OAuth Application Attack work? – Oauth2 Research appeared first on CyberMaxx.

There are two primary ways that this type of attack works. Either within a credible tenant that has been compromised or via attacker-owned infrastructure built specifically for these types of attacks.

Credible Tenant Compromise

In the first type of attack, an attacker has to compromise a user with sufficient permissions to create applications within the cloud tenant. This can be done directly, as part of lateral movement from on-prem infrastructure into the cloud, or by compromising multiple users and escalating privileges where possible.

Once the attacker sets up the application, often using a legitimate-sounding name (covered later in this post), the threat actor then has to get users to consent to the application for the requested permissions to take effect. This is often done through Teams with a link or by sending emails from the compromised account.

If a threat actor has sufficient permissions to create OAuth applications in this manner, they may also have permissions to modify the requirement for admin consent. While not directly tied to the same permissions, gaining access to a high-privileged role may provide the necessary path to completing this objective.

Another, albeit less frequent attack within a compromised credible tenant is to modify an existing OAuth application. This is significantly less common than the technique discussed previously, however the steps are largely the same.

Attacker-Owned Infrastructure

With attacker-owned infrastructure, a threat actor purposefully builds a cloud tenant with the sole purpose to host malware and compromise users.

When registering a malicious application, Entra ID asks which account types may use it: accounts in this organizational directory only (single tenant), or accounts in any organizational directory (multi-tenant), with or without personal Microsoft accounts.

The multi-tenant option is chosen for this purpose, since it lets users in other organizations consent to the application.

The threat actor then sends a link to users, often via phishing emails, to consent to this application, with the rest of the attack flow following the first technique mentioned above.

The benefit of this latter technique is that it does not first require compromising a user with sufficient permissions to create or modify an application within the target tenant. The downside is that it can be harder to compromise users, especially in hardened tenants with user awareness training, and it is easier to detect than modifying an existing application, provided the right logs are being collected.

Malicious OAuth applications matching compromised usernames, and other suspicious naming conventions

In an attempt to remain undetected in compromised environments, threat actors have been utilizing several naming scheme patterns:

  1. The malicious OAuth application is named after the originally compromised user.
  2. The application contains the word “Test”.
  3. Use of non-alphanumeric characters as the application name.

After a Threat Actor has compromised a user account with sufficient permissions, they will often create a new OAuth2 application within the EntraID tenant that matches the username of the account that they compromised. This is done in an attempt to evade detection by blending in with a legitimate sounding name.

This technique has been observed firsthand in several IR incidents at CyberMaxx, and by the team at Proofpoint across various MACT campaigns, where it accounted for 28% of all applications in MACT campaign 1445 (https://www.proofpoint.com/uk/blog/cloud-security/revisiting-mact-malicious-applications-credible-cloud-tenants).

Another technique that has been observed in-the-wild is naming the malicious OAuth application “test”, “testapp”, or other similar variants. A short, non-descriptive name in another attempt to not raise suspicion.

The final technique that we have seen is using non-alphanumeric characters for the name of the application, most commonly “…”, while several others exist as well.

All of the above techniques have been observed in-the-wild, with the first being used primarily in compromised tenants and the latter two being used as part of multi-tenant compromise campaigns, often through phishing consent attacks.
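The three naming patterns above translate directly into a hunting rule. The following is an added example (not CyberMaxx code, and not part of the original post): it takes application registrations and user objects in the shape returned by the Microsoft Graph `/applications` and `/users` endpoints and flags names that match a user (UPN, UPN local part, or display name, which generalizes the page's "username" case slightly), start with "test", or contain no alphanumeric characters. The sample applications and users are constructed for illustration.

```python
import re

# Constructed sample data in the shape of GET /v1.0/applications and GET /v1.0/users.
# The GUIDs and names are placeholders, not real tenants or people.
SAMPLE_APPS = [
    {"appId": "11111111-1111-1111-1111-111111111111", "displayName": "HR Portal Sync"},
    {"appId": "22222222-2222-2222-2222-222222222222", "displayName": "j.doe"},
    {"appId": "33333333-3333-3333-3333-333333333333", "displayName": "testapp"},
    {"appId": "44444444-4444-4444-4444-444444444444", "displayName": "..."},
    {"appId": "55555555-5555-5555-5555-555555555555", "displayName": "Jane Doe"},
]
SAMPLE_USERS = [
    {"userPrincipalName": "j.doe@example.com", "displayName": "Jane Doe"},
    {"userPrincipalName": "a.smith@example.com", "displayName": "Alice Smith"},
]

# "test", "testapp", "Test App", ... (pattern 2 in the text)
TEST_PATTERN = re.compile(r"^\s*test", re.IGNORECASE)


def user_name_tokens(users):
    """Lower-cased strings an attacker might copy into an app name:
    the full UPN, its local part, and the display name."""
    tokens = set()
    for user in users:
        upn = user["userPrincipalName"].lower()
        tokens.add(upn)
        tokens.add(upn.split("@", 1)[0])
        tokens.add(user["displayName"].lower())
    return tokens


def classify_app_name(display_name, user_tokens):
    """Return the list of reasons an application display name looks suspicious
    (empty list means nothing matched)."""
    name = display_name.strip()
    reasons = []
    if name.lower() in user_tokens:
        reasons.append("matches a user account name")        # pattern 1
    if TEST_PATTERN.match(name):
        reasons.append("generic test-style name")            # pattern 2
    if name and not any(ch.isalnum() for ch in name):
        reasons.append("no alphanumeric characters")         # pattern 3
    return reasons


def find_suspicious_apps(apps, users):
    """Run the classifier over every registration; returns (appId, name, reasons)."""
    tokens = user_name_tokens(users)
    findings = []
    for app in apps:
        reasons = classify_app_name(app["displayName"], tokens)
        if reasons:
            findings.append((app["appId"], app["displayName"], reasons))
    return findings


if __name__ == "__main__":
    for app_id, name, reasons in find_suspicious_apps(SAMPLE_APPS, SAMPLE_USERS):
        print(f"{app_id} {name!r}: {', '.join(reasons)}")
```

A hit is a starting point for review, not proof of compromise: check who created the registration, when, and which permissions and credentials it holds.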

OAuth2 Backdoored Accounts

When a user authenticates to EntraID, an entry is made in the Sign-In logs that contains details such as a unique ID for that event, the username and display name, the application used, the time, an error code, and many other fields. A successful login carries an error code of 0, which is a good indication that the sign-in completed.

Using Microsoft Graph API, we can programmatically retrieve these logs without the need to log in to the Azure portal and manually retrieve them. This is accomplished by querying the https://graph.microsoft.com/v1.0/auditLogs/signIns endpoint, alternatively you can use the beta version of this: https://graph.microsoft.com/beta/auditLogs/signIns.

The benefit of using the beta version of this endpoint is that it returns additional fields that can be correlated together. Drilling down into the raw event, there is a field called “appliedConditionalAccessPolicies”. This is a list of all conditional access policies evaluated for that specific user on that specific logon event. By iterating through each of these CAP entries and looking at the “enforcedGrantControls” field, it is possible to determine a) whether MFA is being applied for this user and b) which specific CAP is responsible for the MFA enforcement.

Each policy entry carries other fields as well, such as the display name from the Azure portal and the “result” field, which shows whether the policy was enforced or only reported on (enforcing an MFA policy through Conditional Access requires disabling Security Defaults).

Going back to the root of the sign-in log, several other items are relevant. First, “resourceDisplayName” shows which resource was used for this logon event; for a Graph API request it shows as “Microsoft Graph”. A display name can be copied by a resource registered under the same name, so detections should not rely on this field alone. Directly below it is “resourceId”, which is always “00000003-0000-0000-c000-000000000000” when the resource is Microsoft Graph, whichever client (for example a PowerShell script) made the request.

The third and final field to note is “authenticationRequirement”. For OAuth2 applications this shows as “singleFactorAuthentication”, because the MFA challenge was already satisfied when the user completed the consent workflow; the application’s later token requests do not prompt for it again.

Combining the above fields, we have a strong indication that an account has previously consented to an OAuth application that is now actively using it.

CloudSweep makes a Graph API request to the beta Audit Logs endpoint to retrieve sign-in events and reviews the captured logons for all users, looking for entries that match these attributes. Matching logon events are flagged, and it is recommended that they are reviewed to determine whether they are known. If they are not, this may indicate that a threat actor has successfully gained access to a user account through a consent attack.

As a reminder, OAuth2 applications, once given consent to connect to an account, do not require MFA and will persist through password resets – making them an excellent persistence choice for threat actors.

Recommendations for attack surface reduction, and how to prevent these types of attacks

Summary Checklist:

  • Enable MFA; this also helps with logging
  • Enforce conditional access policies; this helps set a baseline for IR
  • Require administrative approval for users to consent to OAuth2 applications

There are a number of things we can do to defend and harden our tenant against this type of attack. First, enable MFA on all user accounts in enterprise environments. This also helps with detection strategies, as you will have a history of where the user normally accepts the MFA push from and when the malicious request was accepted. The exception is IT in a K12 environment, where having kids perform MFA requests isn’t really an option.

Next, require administrators to grant approval for users consenting to applications. This can be done under EntraID > Enterprise Applications > Consent and Permissions:

If you want to reduce the workload of your IT team, you can disable this via EntraID > Enterprise Applications > User Settings, and stop users from being able to ask administrators for approval. If you do this, consider allowing users to consent to applications from verified publishers for selected permissions.

  • It is important to note that some malicious applications can come from “verified” publishers. Verification requires that a developer has an MPN ID (Microsoft Partner Network) account and has completed the verification process. However, if an attacker compromises a tenant and launches a multi-tenant compromise campaign – although rare – this may slip through.

Detection

If a user has MFA enabled but the sign-in log’s “Authentication Requirement” shows “Single-Factor Authentication”, this is a clear sign of token-based authentication and potentially a backdoored account.
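The checks described in the CloudSweep paragraph above and in this Detection section, as an added Python example that is not CloudSweep’s own code: it reads records shaped like the beta auditLogs/signIns response and flags single-factor logons to the Microsoft Graph resourceId, recording which applied conditional access policies enforce MFA for that user. The sample records, user names, app names and policy names are constructed; the HTTP request and @odata.nextLink paging are left to the caller.

```python
"""Added example, not CloudSweep's own code: apply the sign-in log checks
from the post to records shaped like the beta auditLogs/signIns response.

Assumptions: SAMPLE_RESPONSE is a constructed sample, not captured tenant
data; field names follow the Graph signIn resource named in the text.
"""
import json

# Well-known resourceId for Microsoft Graph, as quoted in the post.
MS_GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"

# Constructed sample in the shape of a GET .../beta/auditLogs/signIns
# response, trimmed to the fields the checks use. GUIDs are placeholders.
SAMPLE_RESPONSE = r"""
{"value": [
  {"id": "evt-1", "userPrincipalName": "alice@contoso.example",
   "appDisplayName": "Mail Sync Helper",
   "createdDateTime": "2025-01-10T08:02:11Z", "ipAddress": "203.0.113.10",
   "resourceDisplayName": "Microsoft Graph",
   "resourceId": "00000003-0000-0000-c000-000000000000",
   "authenticationRequirement": "singleFactorAuthentication",
   "appliedConditionalAccessPolicies": [
     {"id": "cap-1", "displayName": "Require MFA for all users",
      "enforcedGrantControls": ["Mfa"], "result": "success"}]},
  {"id": "evt-2", "userPrincipalName": "bob@contoso.example",
   "appDisplayName": "Outlook",
   "createdDateTime": "2025-01-10T08:05:42Z", "ipAddress": "198.51.100.7",
   "resourceDisplayName": "Office 365 Exchange Online",
   "resourceId": "11111111-2222-3333-4444-555555555555",
   "authenticationRequirement": "multiFactorAuthentication",
   "appliedConditionalAccessPolicies": [
     {"id": "cap-1", "displayName": "Require MFA for all users",
      "enforcedGrantControls": ["Mfa"], "result": "success"}]},
  {"id": "evt-3", "userPrincipalName": "carol@contoso.example",
   "appDisplayName": "Calendar Assistant",
   "createdDateTime": "2025-01-10T23:17:05Z", "ipAddress": "192.0.2.44",
   "resourceDisplayName": "Microsoft Graph",
   "resourceId": "00000003-0000-0000-c000-000000000000",
   "authenticationRequirement": "singleFactorAuthentication",
   "appliedConditionalAccessPolicies": [
     {"id": "cap-2", "displayName": "MFA pilot (report-only)",
      "enforcedGrantControls": ["Mfa"], "result": "reportOnlySuccess"}]}
]}
"""


def mfa_enforcing_policies(signin: dict) -> list[str]:
    """Names of applied CAPs that enforce MFA for this logon.

    Walks appliedConditionalAccessPolicies; a policy counts only when its
    enforcedGrantControls include MFA and its result shows it was actually
    applied ("success"/"failure"), not report-only or notApplied.
    """
    names = []
    for cap in signin.get("appliedConditionalAccessPolicies", []):
        controls = {c.lower() for c in cap.get("enforcedGrantControls", [])}
        applied = str(cap.get("result", "")).lower() in ("success", "failure")
        if "mfa" in controls and applied:
            names.append(cap.get("displayName") or cap.get("id", "?"))
    return names


def is_oauth_app_logon(signin: dict) -> bool:
    """The post's pattern: Graph resourceId plus a single-factor requirement.

    resourceDisplayName is deliberately not used: the post notes it can be
    spoofed, while the resourceId is fixed for Microsoft Graph.
    """
    return (signin.get("resourceId") == MS_GRAPH_RESOURCE_ID
            and signin.get("authenticationRequirement")
            == "singleFactorAuthentication")


def flag_signins(signins: list[dict]) -> list[dict]:
    """One finding per matching sign-in, with the MFA context for review."""
    findings = []
    for s in signins:
        if not is_oauth_app_logon(s):
            continue
        policies = mfa_enforcing_policies(s)
        findings.append({
            "id": s.get("id"),
            "user": s.get("userPrincipalName"),
            "app": s.get("appDisplayName"),
            "when": s.get("createdDateTime"),
            "ip": s.get("ipAddress"),
            "mfa_policies": policies,
            # A single-factor app logon for a user under an enforced MFA
            # policy is the strongest signal; one with no enforced MFA
            # policy still needs review but may just be a logging gap.
            "mfa_enforced_for_user": bool(policies),
        })
    return findings


def audit_response(raw_json: str) -> list[dict]:
    """Parse one page of the signIns response and flag its events."""
    return flag_signins(json.loads(raw_json).get("value", []))


if __name__ == "__main__":
    for f in audit_response(SAMPLE_RESPONSE):
        print(f"{f['when']} {f['user']} via {f['app']} from {f['ip']}: "
              f"single-factor Graph logon; MFA enforced by CAP: "
              f"{', '.join(f['mfa_policies']) or 'none'}")
```

Findings are review items, not verdicts: compare the app name, source IP and time against what the user normally does before treating an entry as a consent-attack backdoor.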

Alternatively, you can use the CyberMaxx tool CloudSweep to detect malicious OAuth usage in your environment, which is regularly updated to reflect the latest attack techniques. Find it here: https://github.com/theresafewconors/cloudsweep

The post How does a Malicious OAuth Application Attack work? – Oauth2 Research appeared first on CyberMaxx.

Ransomware Research Report | Q4 2024 – Audio Blog Interview https://www.cybermaxx.com/resources/ransomware-research-report-q4-2024-audio-blog-interview/ Tue, 28 Jan 2025 13:00:09 +0000 https://cybermaxx2021.wpengine.com/?p=8233

The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q4’s research here.

Video Transcript

Intro

This is the ransomware report for Q4 2024. I’m Connor Jackson, Security Research Manager at CyberMaxx. Let’s get into it.

Ransomware

Ransomware and data extortion attacks continue to rise month over month. This quarter saw the highest spike in attacks that we have observed on record. Q4 had 4568 successful attacks, which means that there were almost as many attacks in the final 90 days of Q4 as there were in all of 2023 at 95% volume.

For comparison, this same timeframe in 2023 (October 1st to December 31st) had 1218 attacks, making this a 275% increase over the same 90-day timeframe in 12 months.
2024 finished the year with 7041 attacks – the highest on record.
The highest number of successful attacks occurred in November, with the highest spike on November 18th. Leading up to this date, we observed five CVEs being actively exploited in the wild, which may have contributed to this figure. The full details are in the downloadable report.

Another notable spike was on December 24th, when 80 successful attacks were witnessed. Threat actors know that security teams are finishing up for the year, taking unused PTO, and generally being slower to respond than other times in the year, and they capitalize on this, giving them an improved success rate of actions on objectives.
The most prominent group of the year was Ransomhub with 612 attacks, followed by Lockbit with 538, despite the continued takedowns. Ransomhub offer a 90% split with affiliates, making their ransomware as a service platform attractive for groups to work with.

Cloud

Threat actors continue to follow the industry adoption of cloud. We observed a 39% increase in attacks against cloud infrastructure over 2023, making this a growing initial access vector. Attacks were mainly targeted against identity management and exploiting misconfigurations in cloud infrastructure.

Notable Events

Other notable events this year include the CrowdStrike outage, Operation Cronos’s takedown of Lockbit, OpenAI’s report on how threat actors are using ChatGPT, and the Health Infrastructure Security and Accountability Act being proposed in the US. Several of these are detailed in this quarter’s report.

Conclusion

2024 has been both the year with the most attacks overall and the year with the largest number of attacks in one quarter, rivalling previous years in just 90 days. The spike in November can be attributed to several zero-days that were exploited in the wild, showing the need for a responsive patching process to avoid exploitation by opportunistic threat actors.

Attackers continue to follow the industry into the cloud, making this a common attack vector. Q4 saw a total of 66 active groups, 2 more than Q3’s 64 and 20 more than Q4 in 2023. A growing number of attacks combined with an increased number of groups typically indicates increased success rates of successful exploitation. IBM’s “Cost of a Data Breach” shows that the average cost is now 4.8 million US dollars, making successful attacks both more common and more expensive than in previous years.

Download the full report

CyberMaxx Q4 2024 Ransomware Research Report reveals Q4 witnessed the most attacks in any single quarter to date https://www.cybermaxx.com/resources/cybermaxx-q4-2024-ransomware-research-report-reveals-q4-witnessed-the-most-attacks-in-any-single-quarter-to-date/ Thu, 23 Jan 2025 16:30:55 +0000 https://cybermaxx2021.wpengine.com/?p=8217

Chicago, IL – January 23, 2025 – CyberMaxx, the leading managed detection and response (MDR) provider, released its Quarterly Ransomware Research Report today. The report reveals that 2024 has seen the highest number of ransomware attacks on record, with Q4 2024 marking the most attacks in any single quarter to date.

According to CyberMaxx research, Q4 2024 saw 2,358 ransomware attacks, making it the highest number recorded in a single quarter. This marks a 137% increase compared to the attacks observed in Q3 2024.

“There were almost double the number of successful attacks in the final 90 days of 2024 as there were in all of Q3 2024,” says Connor Jackson, Security Research Manager at CyberMaxx. “Q3 saw 1,218 attacks vs Q4’s 2,358, at 193%.”

Threat actors followed mainstream cloud adoption in 2024, and it became a popular target. Identity attacks and exploiting misconfigurations were the main attack vectors utilized.

“We saw a 39% increase in attacks against cloud environments over 2023, making this a common initial access vector for threat actors,” says Jackson.

There has been a continued rise in new threat actors, with Q4 witnessing 66 active groups involved in successful ransomware and data extortion attacks. This compares to 39 active ransomware groups in Q4 2022 and 46 active groups in Q4 2023, showing a steady upward trend in the number of threat actors entering the space.

The average cost of a data breach for an organization continues to grow year over year. Between 2020 and 2024, the cost has risen from $3.86M to $4.88M. This shows that incidents are becoming more frequent and more expensive.

The cyber research team at CyberMaxx conducts routine threat research independent of client engagements in order to help foster collective intelligence among the cybersecurity community.

Access the full Ransomware Research Report here: https://cybermaxx.com/q4-2024-ransomware-research-report/

About CyberMaxx

CyberMaxx provides comprehensive managed detection and response (MDR) services that protect organizations from today’s complex cyber threats. With a focus on proactive security measures, CyberMaxx delivers industry-leading technology combined with expert human oversight, offering robust protection and peace of mind to clients across various industries.

For more information about CyberMaxx’s Modern Managed Detection & Response (MDR), visit www.cybermaxx.com

Media Contact

Clint Poole
E: cpoole@cybermaxx.com
M: 857-540-2331

Solana NPM package has been compromised https://www.cybermaxx.com/resources/solana-npm-package-has-been-compromised/ Wed, 04 Dec 2024 14:13:34 +0000 https://cybermaxx2021.wpengine.com/?p=8142

UPDATED 12/4/24 12:45 AM ET

ORIGINALLY POSTED 12/4/24: 9:15 AM ET

The Solana NPM package has been compromised.

GitHub have published a malware notice under their Advisory Database to inform users of this compromise. How long this package has been compromised for is still unknown, and current impact is still to be assessed. However, due to the popularity of this package it is likely that the impact will be high.

Treat any systems that use this package as fully compromised. All secrets, keys and sensitive information should be considered as such and rotated immediately.

According to security researcher Christophe Tafani-Dereeper on BlueSky: “The backdoor inserted in v1.95.7 adds an “addToQueue” function which exfiltrates the private key through seemingly-legitimate CloudFlare headers. Calls to this function are then inserted in various places that (legitimately) access the private key.”

Steven Luscher, one of the maintainers for the project, identified the source of the compromise in the newest release notes: “a publish-access account was compromised for @solana/web3.js, a JavaScript library that is commonly used by Solana dapps. This allowed an attacker to publish unauthorized and malicious packages that were modified, allowing them to steal private key material and drain funds from dapps, like bots, that handle private keys directly.”

It is currently recommended to update to version 1.95.8 and rotate keys as a precautionary measure. 
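Added example (not from the advisory, the solana-web3.js project or CyberMaxx): a lockfile audit that finds every installed copy of @solana/web3.js, including copies nested under other dependencies, and sorts them by the versions this post names. The constructed sample lockfile and the placeholder package some-bot-sdk are assumptions.

```python
"""Added example, not from the advisory or the solana-web3.js project:
check an npm package-lock.json for the @solana/web3.js version this post
names as backdoored, including copies nested under other dependencies.

Assumptions: SAMPLE_LOCKFILE is constructed; COMPROMISED holds only the
version the post names (1.95.7) and should be extended from the GitHub
advisory GHSA-fhm6-mqmw-2cf5 listed in the sources.
"""
import json

PACKAGE = "@solana/web3.js"
COMPROMISED = {"1.95.7"}   # from the post; extend from the advisory
FIXED = "1.95.8"           # the release the post recommends updating to

# Constructed sample in the lockfileVersion 3 layout ("packages" keyed by
# install path), with the library present both directly and nested.
SAMPLE_LOCKFILE = r"""
{
  "name": "example-dapp",
  "lockfileVersion": 3,
  "packages": {
    "": {"dependencies": {"@solana/web3.js": "^1.95.0"}},
    "node_modules/@solana/web3.js": {"version": "1.95.7"},
    "node_modules/some-bot-sdk": {"version": "2.1.0"},
    "node_modules/some-bot-sdk/node_modules/@solana/web3.js": {"version": "1.95.8"}
  }
}
"""


def _walk_v1(deps: dict, prefix: str, out: list) -> None:
    """Recurse through the lockfileVersion 1 'dependencies' tree."""
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if name == PACKAGE and "version" in meta:
            out.append((path, meta["version"]))
        _walk_v1(meta.get("dependencies", {}), path + "/", out)


def installed_versions(lock: dict) -> list[tuple[str, str]]:
    """(install path, version) for every copy of PACKAGE in the lockfile.

    lockfileVersion 2 and 3 list every installed package under "packages"
    keyed by path; version 1 nests them under "dependencies". Version 2
    carries both, so "packages" is preferred to avoid double counting.
    """
    found: list[tuple[str, str]] = []
    packages = lock.get("packages")
    if packages is not None:
        for path, meta in packages.items():
            if path.endswith("node_modules/" + PACKAGE) and "version" in meta:
                found.append((path, meta["version"]))
    else:
        _walk_v1(lock.get("dependencies", {}), "", found)
    return found


def audit_lockfile(lock_text: str) -> dict[str, list[tuple[str, str]]]:
    """Sort each installed copy into compromised / fixed / other."""
    report = {"compromised": [], "fixed": [], "other": []}
    for path, version in installed_versions(json.loads(lock_text)):
        if version in COMPROMISED:
            report["compromised"].append((path, version))
        elif version == FIXED:
            report["fixed"].append((path, version))
        else:
            # Neither known-bad nor the release the post names: check it
            # against the advisory's affected range before trusting it.
            report["other"].append((path, version))
    return report


if __name__ == "__main__":
    result = audit_lockfile(SAMPLE_LOCKFILE)
    for status, copies in result.items():
        for path, version in copies:
            print(f"{status:12} {version:8} {path}")
    if result["compromised"]:
        print("Treat this system as compromised: rotate all keys and secrets.")
```

A nested copy can sit under a dependency you never pinned yourself, which is why the audit walks every install path rather than only the top-level entry.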

Sources:

https://github.com/advisories/GHSA-fhm6-mqmw-2cf5  

https://bsky.app/profile/did:plc:zwlpsxw2udovqf4mbfi4ibqf/post/3lcgt6l7s4c2a 

https://github.com/solana-labs/solana-web3.js/releases/tag/v1.95.8 

The Rise of Malicious Honeypots: A New Threat in Cyber Deception Tactics https://www.cybermaxx.com/resources/the-rise-of-malicious-honeypots-a-new-threat-in-cyber-deception-tactics/ Tue, 26 Nov 2024 12:00:47 +0000 https://cybermaxx2021.wpengine.com/?p=8123

Malicious honeypots are on the rise! Misleading security teams and distorting internet scan results, these cyber deception tactics add a new wrinkle to cybersecurity operations. But CyberMaxx is on top of it!

Understanding the Basics: What Are Honeypots in Cybersecurity?

Traditional honeypots are frequently used to gather threat intelligence. They allow security teams to lure cyber attackers into exploiting a vulnerability and delivering an attack, providing insights into the methods and tactics used. Here’s how:

The Role of Traditional Honeypots

Honeypots are decoys. Their systems are intentionally sent out to provide information on a vulnerability or attack opportunity. The goal: Attract adversaries to exploit that vulnerability and monitor tactics, techniques, and procedures (TTPs).

For example, let’s say a financial services business found a rise in attacks targeting online banking apps / self-service portals. A security team, hoping to understand potential methods and beef up security accordingly, could set up a fake banking site. It could be intentionally weak in security and appealing to cybercriminals. From there, the team can advertise the honeypot on various dark web forums and monitor TTPs.

How Honeypots Aid in Threat Detection

Imagine you can see precisely how a cyber attack will get carried out. Wouldn’t that be pretty useful for preparing defenses? Well, that’s what a honeypot does. By sending one out and letting attackers come to you (in a secure, irrelevant environment), you can collect data on TTPs and attack indicators.

Analyzing interactions with these decoy systems lets you gather intel. With that intel, your threat detection systems know exactly what to look for while monitoring user behaviors, system changes, network processes, etc. And because honeypots replicate real systems, you get far more accurate TTP insights that you can apply to your security defenses.

Enter the Malicious Honeypot: A Threat Actor’s New Tool

Honeypots have traditionally been used by the “good guys.” That is, until recently. Per our report on malicious honeypots, threat actors have adapted the technology for their own gain.

What Is a Malicious Honeypot?

A malicious honeypot does the opposite of a traditional one. Rather than a deceptive trap set by security teams for cybercriminals, the “bad guys” set these traps to mislead security teams. These honeypots feed false (or misleading) data to security teams and ultimately pollute internet scanner results.

How Malicious Honeypots Disrupt Security Efforts

Malicious honeypots, fully owned and controlled by threat actors, send security operations in the wrong direction. They lure unsuspecting threat intelligence teams into false assumptions about an attacker’s TTPs and possible motives. So if you’re chasing a threat that either doesn’t exist or isn’t as prominent as you thought, you’ll find yourself on a “wild goose chase.”

For example, you might waste resources on unnecessary controls or delay investigating an anomaly because you didn’t think it was relevant.

The other challenge is when threat actors exploit honeypots to covertly carry out malicious operations. An attacker might identify and use IP addresses that are known as honeypots and, therefore, ignored by most security teams. Meanwhile, they can repurpose these into command and control (C2) servers. Because they’re masked as benign honeypots, attackers can operate undetected within the network.

The Impact of Malicious Honeypots on Cybersecurity

While they don’t directly harm your network, malicious honeypots can drastically impact data reliability and incident response from misrepresented threat insights:

Polluting Threat Intelligence

Having data on your attackers lets you prepare for what they might throw at you. But what if that data is skewed or inaccurate? Malicious honeypots can drastically misguide security teams. For example, if you were scanning the internet for information on known vulnerabilities, honeypots would cause your scanners to flag non-existent vulnerabilities or inflated numbers on potential threats.

Similarly, if you were documenting interactions with attackers to spot TTPs, they may intentionally share data that misrepresents how they deliver attacks and which tools are used. These false reports could send you in the wrong direction while threat profiling or when crafting a cybersecurity strategy.

Wasting Resources From Bad Threat Intelligence

The other challenge that comes with polluted threat intelligence is how you allocate resources after the fact.

Imagine you’re scanning the web to identify TTPs your company should be most concerned about. Unaware of malicious honeypots, your threat intelligence came in that the biggest concern to your industry was a list of particular malware signatures. Therefore, you spend tons of money upgrading antivirus solutions and enhancing intrusion detection/prevention systems (IDPS) to account for these signatures.

Little did you know that man-in-the-middle (MitM) attacks are actually the most prevalent. But rather than invest in stronger encryption and robust network security protocols that could mitigate MitM risks, you spent most of the budget on defending against threats that were not as crucial to your business.

How CyberMaxx Mitigates the Risks of Malicious Honeypots

CyberMaxx is on the case! Through our resilient threat intelligence and research teams, we’re able to identify and neutralize the impact of malicious honeypots — demonstrating our proactive approach to emerging cyber threats.

Advanced Threat Filtering Techniques

When our threat research team scans the web for attack data and methods, we don’t just assume every data point is valid. We use filtering tools to spot and disregard any data originating from known malicious honeypots. This prevents us from misrepresenting threats or TTPs from inflated (or deflated) data.

It ultimately lets us improve our detection systems by only focusing on legitimate vulnerability and threat insights.

Enhanced Threat Intelligence Validation

To further our commitment to accurate threat intelligence, we ensure only legitimate honeypots (used by actual security teams) are used for insights. When a honeypot is detected, our team manually investigates whether it’s for research purposes or acting maliciously. If it’s determined to be a “good” honeypot, we’ll include it in our models.

These techniques further reduce the risk of malicious honeypots influencing cybersecurity decisions.

The Future of Honeypots and Deception in Cybersecurity

Threat actors thrive on deception. And we don’t expect them to stop innovating and adapting their methods anytime soon. But CyberMaxx is committed to staying prepared for the challenges malicious honeypots present.

The Need for Continued Innovation in Deception Tactics

While honeypots are ordinarily used to sharpen cyber defenses, cybercriminals have exploited them for their own malicious ends. That’s what makes staying ahead of these threats so vital. And it all starts with advancing detection technology.

By keeping up with emerging trends and nuanced tactics via honeypots, we can out-innovate and outmaneuver adversaries.

CyberMaxx’s Commitment to Adaptive Defense

We serve clients on the motto: “Think like an Adversary. Defend like a Guardian.” With that comes a commitment to staying proactive against evolving threats by understanding how they operate.

And ensuring reliable threat intelligence through adaptive security practices and continuous monitoring is how we’ll prevent malicious honeypots from impacting your security posture.

Defense Against the New Wave of Cyber Deception Tactics

Malicious honeypots may be more prominent, but that doesn’t mean you can’t stay vigilant. CyberMaxx is taking a proactive stance against these deceptive tactics through its advanced threat data filtering and validation. The result: Our clients always have access to trustworthy threat intelligence at their fingertips.

Malicious Honeypots Polluting Internet Scanner Results https://www.cybermaxx.com/resources/malicious-honeypots-polluting-internet-scanner-results/ Mon, 04 Nov 2024 17:24:56 +0000 https://cybermaxx2021.wpengine.com/?p=8082

I’ve been scanning dark web sites for a long time and the greater internet for even longer, mainly looking for command-and-control (C2) servers in use today by attackers. I like to think of this as threat hunting in the attacker’s space, rather than how we traditionally think of threat hunting within the defender’s space (inside our organization’s systems).

Something I’ve seen more and more recently is the use of deception (or anti-deception?) in an attempt to mitigate these defensive operations in the attacker’s space.

These differ from traditional honeypots and deception ops. With a device configured for traditional deception, you would try to emulate a real system, configuring it to be as close to the real thing as possible. Sometimes even just using a real, vulnerable system with the goal of getting an attacker to exploit it. This is so you can monitor their techniques and add these to your defensive capabilities or use them as early warning signs that you’re being monitored/looked at / already popped. (Sticking some false entries in your robots.txt file and monitoring those sites is a good starting point).

But what I’ve seen is different.

My first thought was that these are just poorly designed honeypots. However, I found something interesting, which leads me to believe this is incorrect. These tools are designed to pollute results with false information.

Don’t believe me? Well, take a look at this file in one directory that makes it pretty obvious what its intended goals are.

As my Chinese speaking ability is what some would describe as “terrible”, it’s important to double-check that this wasn’t a translation error. The same string was passed into different translation tools, including ChatGPT; all of which returned the same results:

Taking a closer look into the code directly, it was evident that this is exactly what the intended purpose was. Several files contain multiple keywords that trigger various types of scanners, ranging from weak passwords and /etc/passwd being open, to false service names in the response received. This is likely to fire on both attackers knocking and search engines like Shodan and Censys. Based on the translated text from earlier it seems like this is part of the design.

Finding these types of systems is not overly difficult. They always contain some unique marker that you can hunt for. In this specific instance I was hunting for a unique csrf-token in the headers. You can find a lot of interesting indicators from analyzing malware and looking at its certificates. Extra points if you set everything up in a lab and analyze the self-signed certs; this will help you achieve production scale quickly.

What is even more interesting though is what they are doing. Take a look at one such host I found on Shodan:

Many of these are hosting MiniUPnPd for port redirection, most likely to redirect to the second frequent item: a huge number of false services:

For scanners this is annoying at best, as it messes with results that often need to be adjusted to accommodate. For search engines, it can wrongly report vulnerability metrics if the honeypot isn’t identified and excluded from search results.

Having done some more digging, I found this article from Censys published last September that goes into great detail on this specific threat: https://censys.com/red-herrings-and-honeypots/. They also linked the files I came across to a repo on GitHub.

Many of these devices have an unusual marker in the server header. If you want to take a look yourself at many of these types of devices, here’s a simple Shodan query to reveal the hosts using that specific project: https://www.shodan.io/search?query=Rm9yIGludGVnZXJzLCB0aGVyZSBpcyB1bmlmb3JtIHNlbGVjdGlvbiBmcm9tIGEgcmFuZ2UuIEZvciBzZXF1ZQ%3D%3D.

If you have an enterprise account, add -tag:honeypot to filter out the known honeypots and see the ones that slipped through. The purpose of poisoning search results is interesting. It clearly shows a greater operation in mind, and is likely intended not merely to be an annoyance for an analyst to fix, but rather to create a smokescreen that an attacker can then operate from. Using projects like this at scale, with a true C2 hidden within the noise, is an excellent use of deception to hide in plain sight and have their infrastructure misclassified by scanners – allowing a threat actor to operate from the same infrastructure for longer, bringing down their operational costs.

Or it could just be a poorly designed honeypot.

Links:
• Repo: https://github.com/fuckhoneypot/fuckhoneypot/tree/main
• Shodan search: https://www.shodan.io/search?query=Rm9yIGludGVnZXJzLCB0aGVyZSBpcyB1bmlmb3JtIHNlbGVjdGlvbiBmcm9tIGEgcmFuZ2UuIEZvciBzZXF1ZQ%3D%3D.
• Censys report: https://censys.com/red-herrings-and-honeypots/

Ransomware Research Report | Q3 2024 – Audio Blog Interview https://www.cybermaxx.com/resources/ransomware-research-report-q3-2024-audio-blog-interview/ Thu, 17 Oct 2024 12:00:46 +0000 https://cybermaxx2021.wpengine.com/?p=8061

The CyberMaxx team of cyber researchers conduct routine threat research independent of client engagements. The purpose of our research is to help foster collective intelligence among the cybersecurity community.

While conducting their research, the team discovers and analyzes ongoing ransomware attacks occurring in the wild.

Review Q3’s research here.

Video Transcript

Intro

This is the Q3 Ransomware Report for 2024. I’m Connor Jackson, let’s get into it.

Ransomware Activity

The total number of observed ransomware and extortion attacks in Q3 2024 was 1720, compared to Q2’s volume at 1755 – this is a 2% deviation in total volume on one of the quarters with the highest numbers we’ve seen in the past 18 months.

These 1720 attacks were performed by 64 active groups – equating to roughly 27 attacks per group. Looking at the averages for each quarter we are seeing that this is staying steady in the 26-29 range for each quarter, but the total number of attacks is going up across the board. You’re probably asking yourself well… why is that?

The answer to that question is that the number of attackers is increasing. Compared to 12 months ago, in 2023’s Q3, there were 52 observed attack groups, and 6 months before that, in Q1, that number was 33 – this number has almost doubled in 18 months.

Branching off from this, IBM have been tracking the average cost of a data breach since 2020 – which has risen from $3.6M to $4.8M in 4 years. Let me get this out of the way first: it’s hard to quantify this figure due to different industry regulations, size and maturity of the organization, etc. I know – this is just a generic average of the sample group. But it is growing as well.

So what we’re seeing is an increase in attacks every day, the number of groups is increasing, and the cost of an attack is going up. This tells us that ransomware is a continuously growing industry. Grab the full report if you want to review the complete numbers and trends that we’ve observed.

Top Five

The top five groups this quarter start with Ransomhub at number one with 247 attacks, Lockbit and Play both with 92 in second place, Qilin at number 4 with 80 attacks and Meow with 78. These five groups accounted for 35% of all activity this quarter.

Ransomhub are currently offering between an 80 and 90% profit split with affiliates, which may be what escalated them to the top this quarter. They have also been working with the unpaid AlphV affiliates from the Change Healthcare attack earlier this year, and have attempted to get a second payment from the victim. It is unknown at this time if Change paid the second extortion as well; however, this display may have led to the group attracting customers with this show of force. Unpaid affiliates have been a growing issue among ransomware gangs lately.

Operation Cronos Update

On October 1st, law enforcement updated Lockbit’s original release page on the dark web with a countdown for posts titled “Lockbit linked UK arrests” and “Arrest of a major Lockbit actor”.

Once the countdown had completed, the posts were updated to inform readers that several major arrests had been made across Europe. In the UK, two individuals were arrested in August in relation to money laundering operations; in Spain, the owner of the bullet-proof hosting provider used for Lockbit’s infrastructure was arrested at an airport in Madrid; and French authorities arrested a suspected Lockbit developer who was on vacation outside of Russia.

The major affiliate was named and added to justice.gov, and is wanted for their alleged involvement in ransomware attacks and money laundering activities.

Conclusion

This quarter saw no drop in the volume of activity, another increase in the number of threat actor groups, updates to law enforcement’s takedown of Lockbit, and a timeline of government agencies banning software made by Kaspersky. Full details are available in the full report.

Download the full report

