Group-IB, IT security trends

by admin
Group-IB analyzes the latest trends in cybersecurity: to date, Italy is the fourth country most affected by ransomware in Europe (+28% in 2023).

The annual study “Hi-Tech Crime Trends” highlights active cyber threats in the European region for 2023/2024. The report also includes an in-depth analysis of the evolution of cybersecurity challenges in Europe.

Ransomware attacks are increasing in Europe (+52%) against manufacturing, real estate and logistics industries. The United Kingdom, France and Germany maintained their status as the countries most frequently targeted by Ransomware-as-a-service (RaaS) affiliates. In fourth place is Italy.
During 2023, Europe was plagued by 108 cyber attacks conducted by various government-sponsored hacker groups. Government and military institutions were the main targets, with 48 attacks against them. Information stealers represent a significant problem, with 250,000 infected devices (23% more than in 2022) in the European region, whose logs have been made available on the Underground Clouds of Logs (UCL), and another 647,485 hosts, whose logs were put up for sale on the dark web, an increase of 28% compared to the previous year.

Cybersecurity – Europe under fire

Overall, in 2023 Group-IB attributed 523 attacks to state-sponsored actors around the world. Attacks on European organizations accounted for 21% of the total. Europe has suffered 108 cyber attacks conducted by various government-funded hacker groups. The groups that have operated in Europe include Lazarus, Mustang Panda, APT41, and Sandman (all from East Asia), along with APT28, BlackEnergy, Gamaredon, Turla, and Callisto (all from the Commonwealth of Independent States (CIS) region). The attacks were complex and targeted, underscoring the growing trend of using cyberspace to achieve government objectives.
With 31 incidents recorded, Ukraine tops the list of victims of attacks involving state-sponsored threat actors, likely a reflection of ongoing conflicts in the region. The other four European countries most targeted by APT groups were Poland (11 attacks), Germany, France and Italy, with 6 attacks each.

Ransomware: double growth in 2023

Ransomware, which maintained its formidable advantage in both scale and impact, continued to pose a significant threat to the European market. Once again Europe was the second most affected region globally after North America, with 1,186 companies having their information published on ransomware Data Leak Sites (DLS). This translates into an increase of approximately 52% compared to the previous year, when information belonging to “only” 781 affected European companies appeared on the DLS.

In 2023, the manufacturing sector was the most targeted in the region, accounting for 16% of all affected companies whose data was published on the DLS. The real estate sector ranked second and was involved in 8% of all attacks in the European region. Logistics follows in third place with 5% of attacks.
As for the most active ransomware groups in the region, LockBit is leading with 26% of attacks in Europe, followed by Play with 9% and Black Basta with 7%.

Bear market: broker activity slows

Organizations that encourage the spread of ransomware by selling initial access to corporate networks on the dark web, known as Initial Access Brokers (IAB), are down slightly. They have adapted to the needs of other threat actors in the European region.
In 2023, 628 accesses to compromised corporate networks were marketed in Europe, a decrease of 7% compared to 2022 (674 offers). The 5 European countries most targeted by IABs were the United Kingdom (111), France (83), Spain (70), Germany (63) and Italy (62).

The professional services sector was the hardest hit in 2023, with access offers doubling compared to 2022, for a total of 52 (8% of all offers in the region). It was followed by the manufacturing sector with 44 offers (7%) and the trade and shopping sector with 37 offers (6%) published by IABs.
VPN access offers decreased by 50%, while RDP account offers increased by 34%. Privileged user access offers increased 35% in 2023. This is indicative of greater differentiation of access by companies or skills shortages among IABs.

Cybersecurity: Raccoon & Co. steal things

The logs stolen by infostealers have become one of the main tools for accessing corporate networks because they are simple, but very effective. Infostealers are a type of malware that collects credentials saved in browsers, credit card details, cryptocurrency wallet information, cookies, browsing history, and other information from browsers installed on infected computers.
The free Underground Clouds of Logs (UCL) are a major source of data on infected hosts.

Spain leads the way with a surge in the number of hosts on UCL of 48% (31,665), whereas a year ago it was only third. France, which led in 2022, follows in second place, with the number of hosts on UCL decreasing by 3% (25,873). Poland rounds out the top three most affected countries in Europe with an increase of 6% (23,393). Two other countries recorded significant growth in 2023: Germany (+32%, 22,966) and Italy (+18%, 22,309).

Compared to 2022, the list of the most popular infostealers used to compromise hosts and whose logs were found on UCL has changed slightly. Vidar, which was in second place last year, has lost ground to the META stealer and is now fourth. The three main infostealers attacking users in Europe are therefore RedLine Stealer, META and Raccoon.

A lot of leaks

In 2023, 386 new cases of data leaks were detected in Europe whose contents are publicly accessible. As part of these incidents, over 292,034,484 million user data strings were compromised. France, Spain and Italy were the most affected countries with 64, 62 and 52 cases of data leaks respectively.

Email addresses, phone numbers and passwords pose the highest risk because they can be used by cybercriminals for various types of attacks. Of all the leaked data, 140,642,816 entries contained email addresses (of which 96,590,836 were unique). Furthermore, 9,784,230 passwords were stolen (of which 3,832,504 were unique) and 157,074,355 entries with telephone numbers (of which 95,728,584 were unique).