Group-IB has released a report that examines key changes in the global cybercrime landscape between H2 2019 and H1 2020 and provides forecasts for the coming year. The most severe financial damage was caused by ransomware activity.
The past year, a harrowing period for the world economy, was marked by a spike in cybercrime.
It saw the growth of the underground market for selling access to corporate networks and a more than two-fold increase in the carding market.
The stand-off between various pro-government hacker groups saw new players come onto the scene, while some previously known groups resumed their operations.
The report assesses various facets of the cybercrime industry's operations and forecasts changes to the threat landscape for a range of industries, namely the financial sector, telecommunications, retail, manufacturing, and the energy industry.
The forecasts and recommendations laid out in the research aim to prevent financial damage and production downtime. Its objective is also to help companies adopt preventive measures for counteracting targeted attacks, cyber espionage, and cyberterrorist operations.
The price of ransomware
Late 2019 and most of 2020 were marked by an unprecedented surge in ransomware attacks. Neither private companies nor government agencies have proven to be immune to the ransomware plague.
During the reporting period, over 500 successful ransomware attacks in more than 45 countries were reported.
Since they are motivated by financial gain, any business, irrespective of size and industry, could fall prey to ransomware attacks.
Meanwhile, if the technical toolsets and data partitioning capabilities are not in place, ransomware attacks can not only cause downtime in production but also bring operations to a standstill.
Based on conservative estimates, the total financial damage from ransomware operations amounted to more than $1 billion ($1,005,186,000); however, the true damage is likely to be much greater.
Victims often stay silent about incidents and pay ransoms quietly, while attackers do not always publish data from compromised networks.
A major ransomware outbreak was observed in the USA, with the country accounting for approximately 60 percent of all known incidents.
The top five most frequently attacked industries include manufacturing (94 victims), retail (51 victims), state agencies (39 victims), healthcare (38 victims), and construction (30 victims).
Maze and REvil are deemed to have the biggest appetite: the operators of these two strains are believed to be behind over half of the successful attacks.
The ransomware pandemic was triggered by the active development of public and private affiliate programs that bring together ransomware operators and cybercriminals involved in compromising corporate networks.
Another reason for the rise in ransomware attacks is that conventional security solutions, still popular with plenty of businesses on the market, very often fail to detect and block ransomware activity at an early stage.
Ransomware operators buy access and encrypt devices on the network. After receiving the ransom from the victim, they pay a fixed rate to their partners under the affiliate program.
The latter have been used for distributed brute-force attacks from a large number of infected devices, such as servers.
They started downloading all the data from victim organizations and then blackmailing them to raise the odds of the ransom being paid.
Maze (which reportedly called it quits not long ago) pioneered the strategy of publishing sensitive data as leverage to extort money. If a victim refuses to pay the ransom, they risk not only losing their data but also having it leaked.
Seven new APT groups joined the international intelligence agency stand-off
Military operations carried out by various intelligence services are becoming more and more common. An ongoing trend was identified in which the physical destruction of infrastructure is replacing espionage.
Attacker toolkits are being updated with tools designed for attacks on air-gapped networks.
The nuclear industry is becoming the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were detected, the current one was marked by attacks on nuclear energy facilities in Iran and India.
An overt attack was attempted in Israel, where threat actors gained access to several of Israel's water treatment systems and attempted to change water contamination levels.
Had it been successful, the attack could have resulted in water shortages as well as civilian casualties.
State-sponsored APT groups are not losing interest in the telecommunications industry.
During the review period, it was targeted by 11 groups linked to intelligence services. Threat actors' main goals remain spying on telecommunications operators or attempting to disable infrastructure.
Threat actors have also set a new record in DDoS attack power: 2.3 Tb per minute and 809 million packets per minute.
BGP hijacking and route leaks remain a serious problem too. Over the past year, nine major cases were made public.
Based on the data analyzed, Asia-Pacific became the most actively attacked region by state-sponsored threat actors.
At least 22 attempts were recorded on the European continent, with attacks carried out by APT groups from China, Pakistan, Russia, and Iran.
Additionally, six known groups that had stayed unnoticed recently resumed their operations.
Sales of access to compromised corporate networks increase four-fold
It is hard to evaluate the size of the market for selling access, as offers published on underground forums often do not include the price, and some deals are struck privately.
However, technologies for monitoring underground forums (which make it possible to see hidden and deleted posts) helped the specialists assess the total market size for access sold during the review period (H2 2019 to H1 2020): $6.2 million. This is a four-fold increase compared to the previous review period (H2 2018 to H1 2019), when it totaled $1.6 million.
Surprisingly, state-sponsored attackers joined this segment of the cybercriminal market in search of extra income. The cost of the access to the companies listed was close to $5 million.
The number of sellers has also increased. During this period, 63 sellers were active, and 52 of them started selling access in 2020.
In contrast, during the whole of 2018, only 37 access sellers were active, while in 2019 there were 50 sellers who offered access to 130 corporate networks. In total, sales of corporate network access grew by 162 percent compared to the previous period (138 offers against 362).
After analyzing offers of access to corporate networks, specialists discovered correlations with ransomware attacks: most threat actors offered access to US companies (27 percent), while manufacturing was the most frequently attacked sector in 2019 (10.5 percent).
In 2020, access to state agency networks (10.5 percent), educational institutions (10.5 percent), and IT companies (9 percent) was in high demand.
It must be noted that sellers of access to corporate networks increasingly rarely mention company names, their geographic location, and industry, making it nearly impossible to identify the victim without contacting the attackers.
Selling access to an organization's network is usually just one stage of the attack: the privileges gained can be used both for launching ransomware and for stealing data, to later sell it on underground hacking forums.
The market for stolen credit card data reached nearly $2 billion
The volume of textual data offered for sale rose by 133 percent, from 12.5 to 28.3 million cards, while dumps soared by 55 percent, from 41 to 63.7 million. The maximum price for card textual data is $150, and $500 for a dump.
Dumps are primarily obtained by infecting computers with connected POS terminals with specific Trojans and thereby collecting data from random-access memory.
During the review period, 14 Trojans used for collecting dumps were found to be active.
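Defenders catch the RAM-scraping technique described above by scanning process memory or captured buffers for Track 2 data, the same way a DLP or POS-monitoring tool would. The following is an added example, not from the Group-IB report, that runs such a check over a constructed memory buffer; the Track 2 layout (PAN=YYMMSSS...) and the public test card number 4111111111111111 are the assumptions it relies on.

```python
import re
from dataclasses import dataclass

# Track 2 layout (assumed standard): [;]PAN=YYMM<3-digit service code><discretionary>[?]
TRACK2_RE = re.compile(
    rb";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d*)\??"
)


def luhn_ok(pan: str) -> bool:
    """Luhn mod-10 check: weeds out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    offset: int        # byte offset of the match inside the scanned buffer
    masked_pan: str    # first 6 / last 4 only, so the alert itself is not a leak
    expiry: str        # YY/MM
    service_code: str


def scan_buffer(buf: bytes) -> list[TrackHit]:
    """Return validated Track 2 hits found in a memory dump or captured buffer."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group("pan").decode()
        month = int(m.group("mm"))
        # Drop candidates that fail Luhn or carry an impossible month: false positives.
        if not luhn_ok(pan) or not 1 <= month <= 12:
            continue
        masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
        hits.append(TrackHit(m.start(), masked, f"{m.group('yy').decode()}/{month:02d}",
                             m.group("svc").decode()))
    return hits


# Constructed sample: one genuine-looking track record (test PAN) plus one that fails Luhn.
SAMPLE_BUFFER = (b"\x00\x00PROCESS-HEAP\x00;4111111111111111=25121011234567890?\x00"
                 b"junk ;4111111111111112=2512101000? more\x00")

if __name__ == "__main__":
    for hit in scan_buffer(SAMPLE_BUFFER):
        print(hit)
```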
Cybercriminals try to obtain data on credit and debit cards issued by US banks: these account for more than 92 percent of compromised bank cards.
Bank card data of bank customers in India and South Korea are the third and second most desired targets for cybercriminals, respectively. During the review period, the total value of all bank card dumps offered for sale amounted to $1.5 billion, while textual data amounted to $361.7 million.
Textual data is collected through phishing websites and PC/Android banking Trojans, by compromising e-commerce websites, and by using JS sniffers.
The latter were among the main tools for stealing large amounts of payment data over the past year. JS sniffers also became popular in light of the trend of reselling access to various websites and organizations on underground forums.
Group-IB is currently tracking the activity of 96 JS sniffer families. This is a 2.5-fold increase compared with the previous reporting period, when there were 38 families on the company's radar. According to the findings, over the past year, almost 460,000 bank cards were compromised with JS sniffers.
The risk of bank card data leaks is acute for retail businesses that have online sales channels, e-commerce businesses offering goods and services online, and banks that unwittingly become involved in incidents.
Latin America could become an increasingly attractive target for carders because it has a mature hacker community experienced in using Trojans for this purpose.
Phishing grows by 118 percent
Between H2 2019 and H1 2020, the number of phishing web resources detected and blocked rose by 118 percent compared with the previous reporting period.
Analysts cite the global pandemic and lockdowns as the key reasons: web phishing, which is among the easiest ways to make money in the cybercriminal sector, attracted individuals who had lost their incomes.
The greater demand for online purchases created a favorable environment for phishers.
They quickly adapted to the trend and started carrying out phishing attacks on individual services and brands that formerly did not have much financial appeal to them.
Scammers also changed their tactics. In previous years, attackers ended their campaigns after fraudulent websites were taken down and immediately switched to other brands.
Today they instead automate their attacks and replace the blocked pages with new ones.
Since the beginning of the year, there has been an increase in advanced social engineering, particularly when multi-stage scenarios are used in phishing attacks. In these popular phishing schemes, threat actors stake out the victim.
One-time links have proven to be another phishing trend of the past year.
Once a user receives a link and clicks on it, it is no longer possible to obtain the same content to gather evidence. This considerably complicates the process of taking down phishing resources.
Online services were followed by email service providers (15.6 percent), financial organizations (15 percent), cloud storage systems (14.5 percent), payment services (6.6 percent), and bookmakers (2.2 percent).