Group-IB Presents Criminal Trends Report

Group-IB, one of the global leaders in cybersecurity, presented its research on global cyber threats in the report Hi-Tech Crime Trends 2021/2022 at its annual Threat Hunting and Intelligence Conference, CyberCrimeCon'21. In the report, which explores developments in cybercrime from H2 2020 to H1 2021, Group-IB researchers analyze the growing complexity of the global threat landscape and highlight the ever-growing role of alliances between threat actors. The trend is manifested in partnerships between ransomware operators and initial access brokers under the Ransomware-as-a-Service model. Scammers also band together in groups to automate and streamline fraudulent transactions. Conversely, individual cybercrimes such as carding have declined for the first time in years.

For the 10th year in a row, the Hi-Tech Crime Trends report analyzes various aspects of cybercrime industry operations, examines attacks and provides forecasts on the threat landscape for various industries. For the first time, the report has been divided into five large volumes, all with a different focus: ransomware, selling access to corporate networks, cyber warfare, threats to the financial sector, phishing and scams. The predictions and recommendations outlined in Hi-Tech Crime Trends 2020-2021 aim to prevent damage and downtime for businesses around the world.

Initial Access Brokers: U.S. Businesses Among Most Frequent Targets

One of the underlying trends in cybercrime is the sharp increase in the number of offers to sell access to compromised corporate networks. Pioneered by the infamous hacker Fxmsp, who was indicted by the US Department of Justice in 2020, the initial access market grew nearly 16% in H2 2020 to H1 2021, from $6,189,388 to $7,165,387. The number of offers to sell corporate access almost tripled during the period under review: from 362 to 1,099. This proprietary data was obtained by Group-IB's Threat Intelligence & Attribution system, which also collects information that has been removed from underground cybercriminal forums.

This segment of underground cybercrime has a relatively low barrier to entry. Poor management of corporate cyber risk combined with widely available tools for attacking corporate networks have both contributed to a record increase in the number of initial access brokers. From H2 2019 to H1 2020, the Group-IB Threat Intelligence team detected only 86 active brokers. From H2 2020 to H1 2021, however, that number skyrocketed to 262, with 229 new players joining the roster.

The most affected businesses were in manufacturing (9% of all victimized businesses), education (9%), financial services (9%), healthcare (7%) and commerce (7%). During the period under review, the number of industries targeted by initial access brokers increased from 20 to 35, indicating that cybercriminals are becoming aware of the variety of potential victims.

The geography of initial access brokers' operations has also broadened. In H2 2020 to H1 2021, the number of countries where cybercriminals broke into corporate networks increased from 42 to 68. US-based companies are the most popular among sellers of compromised network access: they represent 30% of all victimized businesses in H2 2020 to H1 2021, followed by France (5%) and the UK (4%).

One of the main drivers of the growth of the initial access market is the sharp increase in the number of ransomware attacks. Initial access brokers spare ransomware operators the effort of breaking into corporate networks themselves.

Lock, Lock, Who's There? Corporansom

The unholy alliance of initial access brokers and ransomware operators under Ransomware-as-a-Service (RaaS) affiliate programs led to the rise of the ransomware empire. In total, data relating to 2,371 companies were published on DLS (Data Leak Sites) from H2 2020 to H1 2021. This is an unprecedented increase of 935% compared to the previous review period, when data on 229 victims were made public.

Thanks to the Threat Intelligence & Attribution system, Group-IB researchers have been able to trace the evolution of the ransomware empire since its inception. The Group-IB team analyzed private ransomware affiliate programs, the DLSs where operators post data exfiltrated from victims who refused to pay the ransom, and the most aggressive ransomware strains.

During the reporting period, Group-IB analysts identified 21 new Ransomware-as-a-Service (RaaS) affiliate programs, an increase of 19% from the previous period. Over the same period, cybercriminals mastered the use of DLS, which serve as an additional source of pressure on victims to pay the ransom under the threat of having their data disclosed. In practice, however, victims can still find their data on a DLS even after the ransom is paid. The number of new DLS more than doubled during the reporting period and reached 28, compared to 13 in H2 2019 to H1 2020.

It is worth noting that in the first three quarters of 2021, ransomware operators released 47% more data on attacked companies than in the whole of 2020. Considering that cybercriminals publish data on only about 10% of their victims, the actual number of ransomware victims is likely to be dozens of times higher. The share of companies paying the ransom is estimated at 30%.

After analyzing ransomware DLS in 2021, Group-IB analysts concluded that Conti was the most aggressive ransomware group: it disclosed information on 361 victims (16.5% of all victimized businesses whose data have been published on the DLS), followed by Lockbit (251), Avaddon (164), REvil (155) and Pysa (118). The top 5 from last year were: Maze (259), Egregor (204), Conti (173), REvil (141) and Pysa (123).

At the country level, most of the companies whose data was released on DLS by ransomware operators in 2021 were based in the United States (968), Canada (110) and France (103), while most of the affected organizations were from manufacturing (9.6%), real estate (9.5%) and transportation (8.2%).

Carding: The Joker’s Last Laugh

During the period under review, the carding market fell by 26%, from $1.9 billion to $1.4 billion compared to the previous period. The decrease is explained by the drop in the number of dumps (data stored on the magnetic stripe of bank cards) offered for sale: the number of offers decreased by 17%, from 70 million records to 58 million, due to the shutdown of the infamous Joker's Stash card shop. Meanwhile, the average price of a bank card dump fell from $21.88 to $13.84, while the maximum price rose from $500 to $750.

A reverse trend was recorded in the market for textual bank card data (card numbers, expiration dates, cardholder names, addresses, CVVs): the number of records jumped 36%, from 28 million to 38 million, which may be partly explained by the higher number of phishing websites imitating well-known brands during the pandemic. The average price of text data increased from $12.78 to $15.20, while the maximum price rose sevenfold, from $150 to an unprecedented $1,000.

Scams

Another cohort of cybercriminals who actively forged partnerships during the review period were scammers. In recent years, phishing and scam affiliate programs have become very popular. Group-IB research identified over 70 phishing and scam affiliate programs. Participants aim to steal money as well as personal and payment data. During the reporting period, threat actors participating in such schemes pocketed at least $10 million in total. The average amount stolen per fraudulent transaction by an affiliate program member is estimated at $83.

Affiliate programs involve a large number of participants, have a strict hierarchy, and use complex technical infrastructure to automate fraudulent activity. Phishing and scam affiliate programs actively use Telegram bots that provide participants with ready-to-use scam and phishing pages. This allows phishing campaigns to evolve quickly and adapt to new targets such as banks, popular email services and other organizations.

The phishing and scam affiliate programs, initially focused on Russia and other CIS countries, have recently started migrating online to Europe, America, Asia and the Middle East. This is illustrated by Classiscam, an automated scam-as-a-service designed to steal money and payment data. Group-IB is aware of at least 71 brands from 36 countries imitated by members of the affiliate program. Phishing and scam websites created by affiliate program members most often mimic marketplaces (69.5%), delivery services (17.2%) and rideshare services (12.8%).