After the LockBit blow: What about ransomware attacks?

Share post

In a current report, Trend Micro analyzes the ransomware landscape and provides an outlook on the impact the interruption of LockBit activities has on it. LockBit was not completely broken up, but its activity was severely suppressed and new malicious code developments were discovered and thus rendered unusable.

In collaboration with the British National Crime Agency (NCA), Trend Micro was able to provide detailed analyzes of the ransomware group's activities and permanently disrupt the entire functionality of the malware. Since 2022, LockBit and BlackCat have consistently been among the Ransomware-as-a-Service (RaaS) providers with the most discoveries. Globally, an increase in active RaaS groups can be observed parallel to the growing number of victims.

🔎 The leak pages under several LockBit Tor addresses have been taken over by the authorities. However, the APT group has returned under new addresses (Image: Trend Micro).

Security experts' research shows that many ransomware-as-a-service threat actors are particularly focused on smaller organizations, which they believe have fewer resources for IT security. In the second half of 2023, companies with fewer than 200 employees accounted for the majority of LockBit victims (61 percent) and a significant share of BlackCat victims (50 percent) worldwide. In the case of the Clop ransomware group, over half of the attacks in the study period (62 percent) were against such SMEs.

Q4/2023: Attack numbers continue to rise

The report reveals that Trend Micro detected and blocked a total of nearly 2023 million ransomware threats worldwide at the email, URL and file levels in the second half of 7,5. This represents an increase of more than 11 percent compared to the first six months of the year. Ransomware actors published on their leak sites the data of a total of around 2.500 companies that allegedly refused to pay the ransom after a successful attack .

This corresponds to an increase of more than 26 percent of alleged ransomware victims worldwide compared to the first half of 2023. The number of active RaaS groups also increased by more than 15 percent in the second half of the year.

LockBit was the leading ransomware family worldwide, accounting for 18 percent of the total number of victims in the third quarter and 22 percent in the fourth quarter. Their focus throughout 2023 was on North America. In the second half of 2023, 45 percent of their attacks targeted this region, followed by Europe (26 percent) and the Asia-Pacific region (12 percent).

The ransomware group BlackCat also targeted North America with 58 percent of its attacks in the second half of 2023. Followed again by Europe (17 percent) and the Asia-Pacific region (14 percent). The Clop actors show similar geographical preferences. With almost 70 percent, North America was the focus in the third quarter of 2023. In the fourth quarter, incidents were concentrated exclusively in this region. Germany ranks first in ransomware attacks in Europe, although the numbers fell slightly in the last quarter.

Operation Cronos against LockBit

LockBit was involved in a quarter of all ransomware leaks in 2023 and has continued to evolve its ransomware to remain at the forefront of technology. Working closely with the UK's National Crime Agency (NCA), Trend Micro was able to provide threat intelligence for a detailed analysis of LockBit-NG-Dev, the next version of LockBit ransomware still in development. The analysis rendered the entire LockBit product line unsuitable for criminal purposes. This collective disruption of one of the major players in ransomware called “Operation Cronos”, marks a significant step in the global fight against cyber threats.

The main results of the Cronos operation against LockBit

  • Damage to the reputation of core actors: Given its tarnished reputation, LockBit faces significant challenges in rebuilding its operations and affiliate networks.
  • Strategic infrastructure disruption: The operation's in-depth approach has made it extremely difficult and time-consuming for actors to rebuild their systems and regroup.
  • Effective deterrent: The insights into affiliates' criminal activities and subsequent warnings likely dismantled all of LockBit's affiliate programs and further weakened the group's operational capacity.
  • Increased security for companies: Companies benefit from the insights the operation provided and the reduced risk of being attacked by a major player in the ransomware market.

“We are very pleased that we were able to successfully support international law enforcement authorities in their work against the LockBit group with our analyzes of their planned new version,” explains Robert McArdle, Director of the Forward Looking Threat Research Team at Trend Micro. “By staying one step ahead of these threat actors with our analysis, we were able to not only share information with law enforcement, but also strengthen the protection of our global customer base. An evaluation of the disruption operation shows that global threat intelligence makes a valuable contribution to increasing the level of security.”

BlackCat also massively disrupted

Similar to LockBit, an international law enforcement operation led by the FBI also managed to infiltrate and disrupt BlackCat's infrastructure. In December, the operation penetrated BlackCat's servers and shut down the leak site after successfully seizing hundreds of key pairs for BlackCat's Tor sites.

More at TrendMicro.com

 


About Trend Micro

As one of the world's leading providers of IT security, Trend Micro helps create a secure world for digital data exchange. With over 30 years of security expertise, global threat research, and constant innovation, Trend Micro offers protection for businesses, government agencies, and consumers. Thanks to our XGen™ security strategy, our solutions benefit from a cross-generational combination of defense techniques optimized for leading-edge environments. Networked threat information enables better and faster protection. Optimized for cloud workloads, endpoints, email, the IIoT and networks, our connected solutions provide centralized visibility across the entire enterprise for faster threat detection and response.


 

Matching articles on the topic

Microsoft 365 Backup Storage optimizes data security

Another cybersecurity provider is integrating Microsoft 365 Backup Storage into its cloud platform. This enables cost-effective monitoring and management of backups and ➡ Read more

Ransomware attacks: 6 out of 10 companies attacked

Bitkom has surveyed more than 1.000 companies in Germany: More than half of the companies are victims of ransomware attacks ➡ Read more

Cyber ​​insurance: Advice helps you become insurable

In order to take out cyber insurance, companies must prove that they have taken appropriate security precautions. For many, this is a challenge. Adlon ➡ Read more

30 percent more ransomware attacks in Germany

In this year’s State of Ransomware report “ThreatDown 2024 State of Ransomware”, Malwarebytes shows an alarming increase in ransomware attacks in the past ➡ Read more

Hackers disguise malware as AI tools

AI tools like ChatGPT, Bard or Suno are booming because they offer so many possibilities. Hackers are taking advantage of this and spreading fake ➡ Read more

Cybersecurity Awareness: Education for more security

October has been the international Cybersecurity Awareness Month since 2004. The initiative provides information about security on the Internet and how to ➡ Read more

Container Security: Detect and resolve threats

A new container security solution helps companies identify vulnerabilities faster and proactively reduce them by combining static analysis with analytics ➡ Read more

Detect and stop compromised identities immediately

Human and machine identities are constantly increasing in companies. This makes it difficult to find out whether and which identities have been compromised. ➡ Read more