These observations were made by analyzing numerous 2023 threat findings and discoveries, and include references to case studies that were reported on by RedSense throughout the year.
Trend Analysis
Ghost Group Operations:
A notable increase in covert ‘ghost groups’ like Zeon/Ryuk/Conti1, providing backend support to groups such as BlackCat, Akira, and LockBit 3.0. These groups, while maintaining anonymity, offer capabilities like negotiation support, phishing campaigns, and initial access brokerage.
Double Jeopardy in Post-breach Exploitation:
Cybercriminals are leveraging ‘Double Jeopardy’ tactics, weaponizing a single attack multiple times. This is achieved through the reuse of publicly available data and the sharing of stolen data across various threat groups, complicating attribution and response efforts.
Future Victimology Techniques:
Utilization of data from previous breaches to streamline future target identification, as seen with the BlackBasta and BlackSuit groups. This approach not only increases the attackers' efficiency but also compounds the long-term impact of a data breach, since stolen data keeps feeding new intrusions.
Diversification of Ransomware Actors:
The emergence of non-Eastern European ransomware methodologies, marked by groups like Scattered Spider. New malware types such as DarkGate and BlackNET demonstrate a broadening of the ransomware actor profile.
AI Exploitation in Cyberattacks:
Increased attempts to exploit AI technologies for malicious purposes. Development of AI-powered tools like WormGPT and FraudGPT, and AI-driven vishing attacks indicate a significant shift in attack methodologies.
Black SEO Malware Distribution Techniques:
Rise in black hat SEO tactics, including malvertising and SEO poisoning. These methods, used to disseminate malware like AuroraStealer, IcedID, and RedLine Stealer, highlight the exploitation of online platforms for malware distribution.
Intensification of Public Shaming in Ransomware:
Escalation in public shaming tactics by ransomware groups to pressure victims into paying. Tactics include explicit data publication and aggressive online shaming campaigns, adding a psychological dimension to the extortion process.
Increased Law Enforcement Actions and Takedowns:
The year witnessed a rise in law enforcement activities targeting ransomware groups, reflecting improved digital forensic techniques and international cooperation in cybercrime response.
Conti’s Persistent Influence:
Despite its dismantlement, Conti’s operational methodologies continue to influence current ransomware activities. The adaptation and use of Conti’s source code by groups like BlackSuit and BlackBasta demonstrate the enduring impact of this group.
Experimentations in Malware Locker/Loader Technology:
Ransomware groups are experimenting with various malware lockers and loaders to enhance operational efficacy and evade detection. The transition of the Royal group to BlackSuit and BlackBasta’s use of Pikabot and DarkGate exemplify this trend.
Exploitation of the Citrix Bleed Vulnerability (CVE-2023-4966):
The widespread exploitation of the Citrix Bleed vulnerability by groups like BlackSuit, BlackBasta, ALPHV (BlackCat), and LockBit 3.0, particularly against government and defense sectors, underscores the trend of ransomware operators rapidly adopting critical vulnerabilities in internet-facing software for initial access.
Conclusion
The 2023 trends noted by RedSense indicate a complex, chaotic and highly entangled year for ransomware. What we have found indicates that the threat ecosystem is experiencing massive internal shifts, which may be a sign that it will be unrecognizable by year’s end.
Author Bio: Marley Smith currently works on the Intelligence Team of the cybersecurity and threat prevention firm RedSense. As Principal Threat Researcher, Smith conducts in-depth investigations of ransomware syndicates, novel malware, state-affiliated threat groups, as well as the dynamics with which today’s cybercrime ecosystem evolves. Research Review: Yelisey Bohuslavskiy, partner & Chief Research Officer at RedSense; co-founder of Advanced Intelligence, LLC.
More details are included in the original report available at:
https://redsense.com/publications/yearly-intel-trend-review-2023/
(SecurityAffairs – hacking, 2023 RedSense report)