Over 600 companies affected by ransomware in the third quarter, what’s behind it?

by admin

Not a day goes by without news of a new ransomware attack on companies around the world, including those in our country. We have learned the hard way how devastating extortion can be for victims and their customers, especially when critical infrastructure operators are affected. To take the necessary countermeasures, it is crucial to monitor the evolution of the criminal ecosystem, in particular the activity of the main ransomware gangs.


A report released recently by threat intelligence firm KELA sheds light on ransomware activity observed in the third quarter of 2022. KELA identified around 600 victims by analyzing multiple sources, including ransomware gangs' blogs and negotiation portals, sites where stolen data is disclosed (leak sites) and public reports. Compared to the second quarter of 2022, activity decreased by 8%, falling from July to August but increasing from August to September. An average of 200 attacks were observed each month in the third quarter, compared with 216 victims in the second quarter.

What have been the most active criminal groups?

In the third quarter of 2022, the most prolific actors were LockBit, Black Basta, Hive and Alphv (aka BlackCat). There is also a new entry, the BianLian group, which emerged recently and immediately distinguished itself for its activity in the last quarter. According to the report, the extortion activity associated with the spread of ransomware observed in the third quarter remained broadly stable, at least as far as sales of initial access to previously compromised companies are concerned.


“In the third quarter, actors offered more expensive listings as the total number of listings remained nearly the same. On average, there were about 190 access lists in each month of the third quarter, slightly higher than in the second quarter,” reads the report published by KELA.

The country with the largest number of organizations affected by ransomware attacks is the United States, with around 40% of the attacks, followed by France, Germany and Spain. Italy is also among the most affected countries, especially in the first half of the year.

The most affected sector was professional services; other very exposed sectors are industrial production, technology and health care.

Also interesting is the analysis of the activity of the so-called Initial Access Brokers (IABs), that is, malicious actors in the criminal ecosystem that offer ransomware groups access to the networks of previously compromised organizations. The ransomware groups, for their part, are interested in buying access to spread their malicious code and speed up their extortion activity.

In the third quarter of 2022, KELA experts identified about 110 malicious actors involved in the sale of access to compromised networks, a stable figure compared to that of the previous quarter. Each of the top three access brokers (IABs) offered between 40 and 100 accesses to compromised companies. The average price for access to a compromised network is approximately $2,800, compared to approximately $1,500 in the second quarter of 2022.

One of the report’s most alarming findings is the number of listings for access to compromised networks on sale in the third quarter. KELA experts tracked over 570 offers, with a cumulative asking price of approximately $4 million.

“In the third quarter of 2022, KELA tracked more than 570 network access listings for sale, with a cumulative asking price of approximately $4 million; access was offered for $3 million. This is a significant increase over the total amount of approximately US$660,000 required in the second quarter,” the report continues.

The report demonstrates how profitable the extortion activity associated with ransomware is, which attracts new criminal gangs. In the third quarter, new leak sites emerged on which the names of the victims of the attacks were published; among the new services are BianLian, 0mega, Daixin Team and Donut Leaks.

“Ransomware and data leak actors continue to operate vigorously as new bands emerged in the third quarter of 2022. IAB offers continued to be in demand and to increase in quantity and price,” concludes the report.
