Threat Report 2023: Cybercrime as Big Business


Cybercrime is increasingly flourishing as a business model, ransomware and ransomware-as-a-service are driving innovation, and stolen credentials are increasingly serving as a cash cow. According to Sophos, 2023 will again be a demanding year for corporate cyber defense.

Sophos has published its 2023 Threat Report. Among other things, the report describes a new degree of commercialization within cybercrime, which has produced low-barrier entry-level offerings for would-be attackers: almost every attack scenario can be bought. A booming cybercrime-as-a-service market caters to a criminal audience ranging from the highly tech-savvy to the technically inexperienced.

The topics of the current Sophos Threat Report

  • The cybercrime-as-a-service industry has reached a new level of commercialization that removes many barriers to entry for would-be cybercriminals and, given sufficient funds, puts advanced threat tactics in the hands of almost any criminal.
  • Ransomware continues to be one of the top threats facing businesses, with cybercriminals focusing on “innovating” their attack tactics and extortion techniques.
  • The war in Ukraine has led to a restructuring of criminal alliances and a reshaping of the ransomware landscape.
  • Cyber criminals are increasingly using credential theft to infiltrate targeted networks.
  • Threat actors continue to use legitimate tools and executables to launch attacks, and increasingly bring their own vulnerabilities with them.
  • Mobile devices are at the center of new cybercrime trends - both Android and iOS devices are affected.
  • One of the oldest forms of crypto crime - crypto mining - is in decline as Monero (one of the most popular currencies) loses value. Crypto fraud, on the other hand, is already a growing industry in South Asia.

Ransomware as a market driver and blueprint for other types of malware

🔎 The top three groups, LockBit, BlackCat and Phobos, account for 40 percent of the attacks (Image: Sophos).

Criminal underground marketplaces such as Genesis have long facilitated the purchase of malware and malware deployment services (“malware-as-a-service”) and the bulk sale of stolen credentials and other data. Over the past decade, an entire “ransomware-as-a-service” economy has emerged as ransomware has grown in popularity. Cyber criminals have taken the success of this infrastructure as an example and are following suit. So now, in 2022, the “as-a-service” model has massively expanded, and almost every aspect of cybercrime — from initial infection to ways to avoid detection — is for sale.

In addition, cybercriminal marketplaces are also working more and more like normal companies. Some marketplaces have set up dedicated pages for job applications and employee recruitment, where job seekers briefly describe their skills and qualifications.

“Cybercriminals are now selling tools and skills that were once only in the hands of some of the most sophisticated attackers as services to other actors,” said Sean Gallagher, principal threat researcher at Sophos. “For example, over the past year we've seen ads for OPSEC-as-a-Service, where sellers offered to help attackers hide Cobalt Strike infections, and we've seen Scanning-as-a-Service, which gives buyers access to legitimate commercial tools like Metasploit so they can find vulnerabilities and then exploit them. The commercialization of almost every component of cybercrime opens up new opportunities for attackers of all types.”

Shift in cybercriminal partnerships due to the Ukraine war

Traditionally, Ukrainians and Russians have long been partners in the cybercrime business, especially when it comes to ransomware. With the outbreak of war, however, some gangs have broken up. Among other things, this led to the Conti Leaks, the publication of this ransomware group's internal chat logs. Another Twitter account also claimed to have spied on the alleged members of Trickbot, Conti, Maze, Diavol, Ryuk and Wizard Spider. All in all, however, international work against ransomware has not become any easier: ransomware groups have regrouped, and, among other things, a new “REvil” appears to have emerged.

Ransomware remains popular and innovative

Despite the expansion of cybercrime infrastructure, ransomware remains very popular and highly profitable. Over the past year, ransomware operators have been working to expand their potential attack surface, targeting platforms other than Windows and introducing new languages like Rust and Go to avoid detection. Some groups, most notably LockBit 3.0, have diversified their operations and developed more “innovative” methods of extorting victims.

“As the criminal underground grows more sophisticated, so does the world of ransomware. LockBit 3.0, for example, now offers bug bounty programs for its malware and seeks ideas from the criminal community to improve its operations. Other groups have moved to a ‘subscription model’ for accessing their looted data, and still others are auctioning it off. Ransomware has become a business first and foremost,” Gallagher said.

🔎 Quasar, Redline and Agent Tesla are the leading info-stealers but the competition is catching up (Image: Sophos).

Credentials as a hot commodity

The evolving underground economy has not only spurred the growth of ransomware and the “as-a-service” industry, but also increased the demand for stolen credentials. With the proliferation of web services, different types of credentials, particularly session cookies, can be used in a variety of ways to gain a deeper foothold in networks and even bypass multi-factor authentication, because a cookie issued after a successful login already represents a completed MFA check. Credential stealing is also one of the easiest ways for criminals to gain access to underground markets and start their “career”.
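The MFA-bypass risk described above exists because a server usually accepts a session cookie from anyone who presents it. One defensive measure is to bind each session to the client context it was issued in and to revoke it when the same cookie turns up from a different browser or network. The following is an added example of that check, not code from Sophos or from the report; the fingerprint components (User-Agent string plus the /24 of the client address), the eight-hour lifetime and the request log lines are all constructed assumptions for illustration.

```python
"""Session-binding check against reuse of stolen session cookies.

Added example (not from Sophos). Assumptions: a session is bound to the
SHA-256 of the User-Agent string and the client's /24 network; a mismatch
revokes the session and raises an alert for the SOC.
"""
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta


def client_fingerprint(user_agent: str, ip: str) -> str:
    """Hash the client context a session was issued to.

    The /24 is an assumption: it tolerates small address changes inside one
    network (DHCP, load-balanced NAT) while still catching a cookie replayed
    from a different network.
    """
    network = ".".join(ip.split(".")[:3])
    return hashlib.sha256(f"{user_agent}|{network}".encode()).hexdigest()


@dataclass
class Session:
    user: str
    fingerprint: str
    issued: datetime
    last_seen: datetime
    mfa_passed: bool


class SessionStore:
    """In-memory session store with context binding (stand-in for a real backend)."""

    def __init__(self, max_age: timedelta = timedelta(hours=8)):
        self.max_age = max_age
        self.sessions: dict[str, Session] = {}
        self.alerts: list[str] = []  # messages a real deployment would ship to SIEM

    def issue(self, user: str, user_agent: str, ip: str, now: datetime,
              mfa_passed: bool = True) -> str:
        """Create a session after a successful (MFA-backed) login and return the cookie value."""
        token = secrets.token_urlsafe(32)
        fp = client_fingerprint(user_agent, ip)
        self.sessions[token] = Session(user, fp, now, now, mfa_passed)
        return token

    def validate(self, token: str, user_agent: str, ip: str, now: datetime) -> str:
        """Return a verdict for one request carrying `token`.

        "ok"                       - context matches, session refreshed
        "unknown"                  - token not present (never issued or already revoked)
        "expired"                  - absolute lifetime exceeded
        "revoked_context_mismatch" - presented from another browser/network; revoked
        """
        session = self.sessions.get(token)
        if session is None:
            return "unknown"
        if now - session.issued > self.max_age:
            del self.sessions[token]
            return "expired"
        if client_fingerprint(user_agent, ip) != session.fingerprint:
            # The cookie was issued to one client and replayed by another:
            # the signature of a stolen session. Revoke so the attacker cannot
            # ride the already-completed MFA, and record it for the analysts.
            self.alerts.append(
                f"{now.isoformat()} session for {session.user} replayed from "
                f"{ip} with UA '{user_agent}'; revoked")
            del self.sessions[token]
            return "revoked_context_mismatch"
        session.last_seen = now
        return "ok"


def demo() -> list[str]:
    """Replay a constructed sequence of requests and return the verdicts."""
    store = SessionStore()
    t0 = datetime(2023, 1, 10, 9, 0)
    victim_ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/108.0"
    token = store.issue("alice", victim_ua, "203.0.113.10", t0)  # login + MFA done

    # Constructed request log: (timestamp, user agent, source IP)
    requests = [
        (t0 + timedelta(minutes=5), victim_ua, "203.0.113.25"),   # same /24: legitimate
        (t0 + timedelta(minutes=6), "curl/7.85.0", "198.51.100.7"),  # replayed cookie
        (t0 + timedelta(minutes=7), victim_ua, "203.0.113.10"),   # victim, now revoked
    ]
    return [store.validate(token, ua, ip, ts) for ts, ua, ip in requests]


if __name__ == "__main__":
    print(demo())  # ['ok', 'revoked_context_mismatch', 'unknown']
```

Treat the mismatch as a signal rather than proof: mobile users change networks legitimately, so many deployments answer a mismatch with a step-up authentication prompt instead of an outright revocation, and log it either way. Short session lifetimes and `Secure`/`HttpOnly`/`SameSite` cookie attributes shrink the window in which a stolen cookie is useful at all.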

About the Sophos Threat Report 2023

The Sophos Threat Report 2023 is powered by research and insights from Sophos X-Ops, a new cross-functional entity that brings together three established teams of cybersecurity experts at Sophos (SophosLabs, Sophos SecOps and Sophos AI). Sophos X-Ops comprises more than 500 cybersecurity experts worldwide who are able to paint a complete, multidisciplinary picture of an increasingly complex threat landscape. To learn more about daily cyberattacks and TTPs, follow Sophos X-Ops on Twitter and subscribe for the latest articles and reports on threat research and security operations from the frontlines of cybersecurity.

More at Sophos.com

About Sophos

More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage. They offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions, security solutions for endpoints, networks, mobile devices, email and the web. In addition, there is support from SophosLabs, our worldwide network of our own analysis centers. The Sophos headquarters are in Boston, USA and Oxford, UK.
