After the LockBit blow: What about ransomware attacks?

16 April 2024
| No comments

Share post

In a current report, Trend Micro analyzes the ransomware landscape and provides an outlook on the impact the interruption of LockBit activities has on it. LockBit was not completely broken up, but its activity was severely suppressed and new malicious code developments were discovered and thus rendered unusable.

In collaboration with the British National Crime Agency (NCA), Trend Micro was able to provide detailed analyzes of the ransomware group's activities and permanently disrupt the entire functionality of the malware. Since 2022, LockBit and BlackCat have consistently been among the Ransomware-as-a-Service (RaaS) providers with the most discoveries. Globally, an increase in active RaaS groups can be observed parallel to the growing number of victims.

🔎 The leak pages under several LockBit Tor addresses have been taken over by the authorities. However, the APT group has returned under new addresses (Image: Trend Micro).

Security experts' research shows that many ransomware-as-a-service threat actors are particularly focused on smaller organizations, which they believe have fewer resources for IT security. In the second half of 2023, companies with fewer than 200 employees accounted for the majority of LockBit victims (61 percent) and a significant share of BlackCat victims (50 percent) worldwide. In the case of the Clop ransomware group, over half of the attacks in the study period (62 percent) were against such SMEs.

Q4/2023: Attack numbers continue to rise

The report reveals that Trend Micro detected and blocked a total of nearly 2023 million ransomware threats worldwide at the email, URL and file levels in the second half of 7,5. This represents an increase of more than 11 percent compared to the first six months of the year. Ransomware actors published on their leak sites the data of a total of around 2.500 companies that allegedly refused to pay the ransom after a successful attack .

This corresponds to an increase of more than 26 percent of alleged ransomware victims worldwide compared to the first half of 2023. The number of active RaaS groups also increased by more than 15 percent in the second half of the year.

LockBit was the leading ransomware family worldwide, accounting for 18 percent of the total number of victims in the third quarter and 22 percent in the fourth quarter. Their focus throughout 2023 was on North America. In the second half of 2023, 45 percent of their attacks targeted this region, followed by Europe (26 percent) and the Asia-Pacific region (12 percent).

The ransomware group BlackCat also targeted North America with 58 percent of its attacks in the second half of 2023. Followed again by Europe (17 percent) and the Asia-Pacific region (14 percent). The Clop actors show similar geographical preferences. With almost 70 percent, North America was the focus in the third quarter of 2023. In the fourth quarter, incidents were concentrated exclusively in this region. Germany ranks first in ransomware attacks in Europe, although the numbers fell slightly in the last quarter.

Operation Cronos against LockBit

LockBit was involved in a quarter of all ransomware leaks in 2023 and has continued to evolve its ransomware to remain at the forefront of technology. Working closely with the UK's National Crime Agency (NCA), Trend Micro was able to provide threat intelligence for a detailed analysis of LockBit-NG-Dev, the next version of LockBit ransomware still in development. The analysis rendered the entire LockBit product line unsuitable for criminal purposes. This collective disruption of one of the major players in ransomware called “Operation Cronos”, marks a significant step in the global fight against cyber threats.

The main results of the Cronos operation against LockBit

  • Damage to the reputation of core actors: Given its tarnished reputation, LockBit faces significant challenges in rebuilding its operations and affiliate networks.
  • Strategic infrastructure disruption: The operation's in-depth approach has made it extremely difficult and time-consuming for actors to rebuild their systems and regroup.
  • Effective deterrent: The insights into affiliates' criminal activities and subsequent warnings likely dismantled all of LockBit's affiliate programs and further weakened the group's operational capacity.
  • Increased security for companies: Companies benefit from the insights the operation provided and the reduced risk of being attacked by a major player in the ransomware market.

“We are very pleased that we were able to successfully support international law enforcement authorities in their work against the LockBit group with our analyzes of their planned new version,” explains Robert McArdle, Director of the Forward Looking Threat Research Team at Trend Micro. “By staying one step ahead of these threat actors with our analysis, we were able to not only share information with law enforcement, but also strengthen the protection of our global customer base. An evaluation of the disruption operation shows that global threat intelligence makes a valuable contribution to increasing the level of security.”

BlackCat also massively disrupted

Similar to LockBit, an international law enforcement operation led by the FBI also managed to infiltrate and disrupt BlackCat's infrastructure. In December, the operation penetrated BlackCat's servers and shut down the leak site after successfully seizing hundreds of key pairs for BlackCat's Tor sites.

More at TrendMicro.com

 

About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.

 

Matching articles on the topic

After the LockBit blow: What about ransomware attacks?

In a current report, Trend Micro analyzes the ransomware landscape and provides an outlook on the impact of the interruption of LockBit activities ➡ Read more

Impact of NIS2 on cybersecurity in healthcare

The revision of the EU directive to increase cybersecurity for critical infrastructures (NIS2) still has the issue of cybersecurity in many healthcare facilities ➡ Read more

Cyberattacks via API

In the first month of 2024, the frequency of API attacks has increased, affecting an average of 1 in 4,6 companies per ➡ Read more

The underestimated threat BEC

Business Email Compromise (BEC) is a type of email phishing scam in which an attacker attempts to impersonate members of an organization ➡ Read more

Security Operations Platform with Threat Center and Copilot

Exabeam's Security Operations Platform gets two new key cybersecurity features: Threat Center and Copilot. The solution combines threat management and investigation tools ➡ Read more

Hackers paralyze the Genios economic database

Libraries, universities and companies currently do not have access to the economic database of the provider Genios - a subsidiary of the FAZ ➡ Read more

Why cybercriminals specifically target backups

There are two main ways to recover encrypted data after a ransomware attack: restoring from backups and paying the ➡ Read more

IT security: Workstations are unoccupied for months  

Skills shortage as a cybersecurity vulnerability? According to a study by Kaspersky, half (49 percent) of the companies surveyed in Europe require over one ➡ Read more

PR News, TrendMicro
, , , , ,