Secureworks: Ransomware takedowns have not deterred cybercriminals

The brutal dismantling of the LockBit ransomware crew and the humiliation of its key players was among the most talked-about cybersecurity success stories of the last 12 months, but looking at the raw data, it doesn’t appear to have done much to deter cybercriminals.

This emerges from Secureworks' annual State of the Threat Report 2024, published today, which shows a 30% increase in the number of active ransomware groups operating name-and-shame leak sites compared with the previous year, with 31 new groups entering the ecosystem between June 2023 and July 2024.

LockBit was taken down in February, yet the gang still accounted for 17% of leak-site listings over the period, although this was down 8% year-on-year following the disruption inflicted on it by the UK's National Crime Agency (NCA), which led Operation Cronos.

The period also saw the disappearance of BlackCat/ALPHV, which faced a similar law enforcement operation before pulling its own product in an apparent exit scam, while Clop/Cl0p, which hit hundreds of victims through the MOVEit file transfer compromise in 2023, has also been far less active lately.

Meanwhile, the second most active ransomware gang, Play, doubled its victim count compared with last year, while RansomHub, a new group that emerged shortly after LockBit's takedown, became the third most active group within months of appearing, with a 7% share of listed victims. Qilin has also made a name for itself, notably through its high-profile attack on NHS partner Synnovis.

“Ransomware is a business that would be nothing without its affiliate model. Over the past year, law enforcement activity has broken old ties and transformed the business of cybercrime. Initially chaotic in their response, threat actors have refined their business processes and the way they work. The result is a larger number of groups, supported by significant affiliate migration,” said Don Smith, vice president of threat intelligence at Secureworks Counter Threat Unit (CTU).

“As the ecosystem evolves, there is entropy in the threat groups but also unpredictability in the playbooks, significantly increasing complexity for network defenders,” Smith said.

More gangs, fewer victims

But despite this growth, the number of victims has not yet increased at the same pace, perhaps reflecting gangs trying to find their place in a more fragmented landscape.

The CTU team also observed a great deal of affiliate movement in the ransomware ecosystem, which may be partly driving this trend. In many cases over the past 12 months, researchers saw the same victims listed on more than one leak site, perhaps reflecting affiliates seeking new outlets for their work in an increasingly chaotic ecosystem.

And the last 12 months have certainly been chaotic. According to Secureworks' analysts, the trend is clearly one of an expanding ransomware landscape: a scene previously dominated by a small number of large operations is now home to a more diverse group of cyber predators.

However, this could lead to a more dangerous "Wild West"-style threat landscape, in which smaller groups have less accountability and structure in how they operate. For example, this year's decline in average dwell time appears to be driven by criminals moving fast and breaking things in lightning-quick smash-and-grab attacks.

As the new ecosystem evolves and coalesces over the coming months, Secureworks says defenders can expect to see significantly more variation and changes in attack methods.

Among the new methods already observed is the growing tendency of ransomware gangs to steal login credentials and session cookies via adversary-in-the-middle (AitM) attacks, sometimes referred to as man-in-the-middle (MitM) attacks, using phishing kits such as EvilProxy or Tycoon2FA that are readily available on the dark web. The research team said this trend should alarm defenders because it can undermine some types of multifactor authentication (MFA): the attacker's proxy relays the victim's one-time code to the real service and captures the authenticated session cookie it issues in return.
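To make the mechanism concrete, the following is an added illustration written for this page, not code from Secureworks or from any phishing kit. It models the AitM flow in Python: a reverse proxy on a look-alike domain relays a password and TOTP code to the real login server and keeps the session cookie it gets back, while a FIDO2/WebAuthn-style credential fails through the same proxy because the browser records the origin it is actually on inside the signed client data. The two origins, the user record, and the HMAC stand-in for the authenticator's asymmetric signature are assumptions made for the example.

```python
"""Toy AitM phishing proxy (constructed example; not Secureworks' or any kit's code).
Shows why relaying a one-time code yields a live session cookie, and why an
origin-bound (FIDO2/WebAuthn-style) credential fails through the same proxy.
The authenticator signature is simulated with HMAC to stay stdlib-only."""
import hashlib
import hmac
import json
import secrets
import struct

RP_ORIGIN = "https://login.example.com"         # real identity provider (assumed)
PHISH_ORIGIN = "https://login.example-com.net"  # proxy's look-alike domain (assumed)

# Constructed user record: password, TOTP seed (the RFC 6238 test seed) and an
# origin-bound credential key.
USERS = {"alice": {"password": "correct horse battery staple",
                   "totp_secret": b"12345678901234567890",
                   "webauthn_key": b"\x01" * 32}}


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; plays the 'some types of MFA' role."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class RelyingParty:
    """The real login server; issues a session cookie on a successful login."""

    def __init__(self):
        self.sessions = {}  # cookie -> user

    def _issue(self, user):
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = user
        return cookie

    def login_totp(self, user, password, code, now):
        rec = USERS.get(user)
        if rec is None or password != rec["password"] or code != totp(rec["totp_secret"], now):
            return None
        return self._issue(user)

    def login_webauthn(self, user, client_data_json, signature):
        rec = USERS.get(user)
        if rec is None:
            return None
        # Origin binding: the browser wrote the origin it was really on into the
        # signed client data, so a proxy on another domain cannot pass this check.
        # (A real RP also checks the challenge, rpIdHash and flags; omitted here.)
        if json.loads(client_data_json).get("origin") != RP_ORIGIN:
            return None
        expected = hmac.new(rec["webauthn_key"], client_data_json.encode(), hashlib.sha256).digest()
        return self._issue(user) if hmac.compare_digest(expected, signature) else None


class AitMProxy:
    """Phishing-kit role: relays the victim's traffic to the real RP and keeps a copy."""

    def __init__(self, rp: RelyingParty):
        self.rp = rp
        self.loot = {}

    def relay_totp(self, user, password, code, now):
        cookie = self.rp.login_totp(user, password, code, now)
        self.loot = {"user": user, "password": password, "totp": code, "cookie": cookie}
        return cookie  # the victim is logged in too, so nothing looks wrong to them

    def relay_webauthn(self, user, client_data_json, signature):
        return self.rp.login_webauthn(user, client_data_json, signature)


def browser_webauthn(origin, challenge, key):
    """Browser plus authenticator: sign client data that records the page origin."""
    cdj = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    return cdj, hmac.new(key, cdj.encode(), hashlib.sha256).digest()


def run_scenarios(now: int = 1_700_000_000):
    rp, alice = RelyingParty(), USERS["alice"]
    proxy = AitMProxy(rp)

    # 1. Password + TOTP through the proxy: the relayed code is still valid and
    #    the attacker walks away with a session cookie the RP accepts.
    proxy.relay_totp("alice", alice["password"], totp(alice["totp_secret"], now), now)
    cookie_stolen = rp.sessions.get(proxy.loot["cookie"]) == "alice"

    # 2. Origin-bound credential through the same proxy: the victim's browser is
    #    on PHISH_ORIGIN, so the signed client data fails the RP's origin check.
    cdj, sig = browser_webauthn(PHISH_ORIGIN, secrets.token_hex(16), alice["webauthn_key"])
    via_proxy = proxy.relay_webauthn("alice", cdj, sig)

    # 3. The same credential used directly on the real origin still works.
    cdj, sig = browser_webauthn(RP_ORIGIN, secrets.token_hex(16), alice["webauthn_key"])
    direct = rp.login_webauthn("alice", cdj, sig)

    return {"totp_cookie_stolen": cookie_stolen,
            "webauthn_via_proxy": via_proxy,
            "webauthn_direct_ok": direct is not None}


if __name__ == "__main__":
    print(run_scenarios())
```

The point of the three scenarios is that the proxy never has to break the second factor: a code the victim types is valid for the real server whoever submits it, and the session cookie issued afterwards is what the attacker actually wants. Origin binding changes that because the proxy's domain ends up inside the data the authenticator signs, so the relayed assertion is rejected while the same credential keeps working on the real origin.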

Even ransomware gangs are not immune to the appeal of artificial intelligence (AI). Since ChatGPT’s launch nearly two years ago, there’s been talk in the criminal community about how such models can be used for nefarious purposes – primarily phishing – but some of the use cases are more novel.

In one attack investigated by Secureworks, a cybercriminal monitored Google Trends following a celebrity's death to gauge interest in obituaries, then used generative AI to write tributes for malicious websites that were pushed to the top of Google search results through SEO poisoning. Such sites could easily serve as a vector for distributing malware or ransomware.

“The cybercrime landscape is evolving, sometimes in minor ways, sometimes significantly. The increasing use of AI gives threat actors scalability, but the increase in AitM attacks poses a more immediate problem for organisations, as it reinforces that identity is the perimeter and should prompt companies to take stock and think about their defensive posture,” Smith said.