Highlights:

  • Despite efforts to improve security, there are still significant vulnerabilities, with malware like SpoolFool, Follina, and DirtyPipe being recognized as attacking both Windows and Linux systems.
  • Data exfiltration attacks were found to target outside parties as well, with threat actor organizations demanding ransom payments over leaked data.

As the fight against cybercrime has intensified throughout the year, threat prevention startup Deep Instinct Ltd. published new research that reveals some alarming changes in the ransomware industry.

The threat actor structure has seen considerable changes, according to the 2022 Bi-Annual Cyber Threat Report, as several of the most familiar actors have changed or fractured. After being taken offline, ransomware gangs, including LockBit, Hive, BlackCat, and Conti, have either re-emerged in new guises or, in the case of Conti, erstwhile associate organizations have established independent operations.

The research, which details updates to Emotet, Agent Tesla, NanoCore, and other malware, finds that malware campaigns are in flux. To evade detection, Emotet, which has experienced growth this year, is now using highly obfuscated VBA macros.

It was discovered that the decision by Microsoft Corp. to keep macros disabled by default in Microsoft Office files significantly reduced the amount of malware sent through documents. Threat actors were discovered to be “changing gears” and using alternative means, such as LNK, HTML, and archive email attachments, to spread their malware.
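The shift described above (macro-laden documents giving way to LNK, HTML, and archive attachments) is the kind of change a mail-gateway triage rule has to keep up with. The following is an added example written for this page, not code from Deep Instinct or from the report; the extension lists are assumptions chosen for illustration, and the sample attachments, including the in-memory ZIP carrying a shortcut named to look like a PDF, are constructed.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extension sets assumed for this example (policy choices, not values from the report).
SHORTCUT_EXT = {".lnk"}
HTML_EXT = {".html", ".htm"}
ARCHIVE_EXT = {".zip"}
MACRO_OFFICE_EXT = {".docm", ".xlsm", ".pptm"}
# Document-like extensions often used as the first half of a decoy double extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def _suffixes(name: str) -> list[str]:
    """Lower-cased extensions of a filename, e.g. 'Invoice.PDF.lnk' -> ['.pdf', '.lnk']."""
    return [s.lower() for s in PurePosixPath(name).suffixes]


def classify_attachment(name: str, data: bytes = b"") -> list[str]:
    """Return the reasons an attachment is suspicious; an empty list means none were found."""
    reasons: list[str] = []
    suffixes = _suffixes(name)
    if not suffixes:
        return reasons
    last = suffixes[-1]

    if last in MACRO_OFFICE_EXT:
        reasons.append("macro-enabled Office document")
    if last in SHORTCUT_EXT:
        reasons.append("Windows shortcut (LNK) attachment")
        # 'Invoice.pdf.lnk': a document-looking name in front of the real .lnk extension
        if len(suffixes) > 1 and suffixes[-2] in DECOY_EXT:
            reasons.append("double extension disguising a shortcut as a document")
    if last in HTML_EXT:
        reasons.append("HTML attachment (possible HTML smuggling)")
    if last in ARCHIVE_EXT and data:
        reasons.extend(_inspect_zip(data))
    return reasons


def _inspect_zip(data: bytes) -> list[str]:
    """Look one level inside a ZIP attachment for nested LNK/HTML/macro payloads."""
    reasons: list[str] = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                for reason in classify_attachment(member):
                    reasons.append(f"archive contains {member}: {reason}")
    except zipfile.BadZipFile:
        reasons.append("archive could not be parsed (corrupt or not a ZIP)")
    return reasons


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP carrying a shortcut named to look like a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Invoice.pdf.lnk", b"L\x00\x00\x00")  # placeholder bytes, not a real LNK
        zf.writestr("readme.txt", b"see attached")
    return buf.getvalue()


# Constructed (name, bytes) pairs standing in for attachments parsed out of a MIME message.
SAMPLE_MAIL = [
    ("Q3_report.docm", b""),
    ("payment_details.html", b""),
    ("Invoice.zip", build_sample_zip()),
    ("agenda.pdf", b""),
]


def triage(attachments) -> dict[str, list[str]]:
    """Map each flagged attachment name to its reasons; clean attachments are omitted."""
    flagged: dict[str, list[str]] = {}
    for name, data in attachments:
        reasons = classify_attachment(name, data)
        if reasons:
            flagged[name] = reasons
    return flagged


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_MAIL).items():
        print(name)
        for reason in reasons:
            print("  -", reason)
```

The point of the archive branch is that a ZIP by itself says nothing; the member names are what reveal the shortcut, so the rule recurses into the listing rather than stopping at the outer extension. Extension matching is a coarse first pass: a production gateway would also check the file's actual magic bytes, since the name alone is attacker-controlled.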

Despite efforts to improve security, there are still significant vulnerabilities, with malware like SpoolFool, Follina, and DirtyPipe recognized as attacking both Windows and Linux systems. According to the researchers, vulnerabilities exploited in the wild also experience peaks every three to four months, and they anticipate another in the year’s final two months.

Data exfiltration attacks were found to target outside parties as well, with threat actor organizations demanding ransom payments over leaked data. Because affected businesses have fewer options, exfiltration of sensitive data remains common. Ransomware gangs currently run 17 active leak databases.

According to the research, insiders and affiliate programs will become more and more common as nefarious threat actors search for the weakest link. Some threat actors pick easy targets to attack or bribe an insider for access. One notorious group that frequently engages in the latter is the Lapsus$ gang.

The Deep Instinct researchers expect “protestware” to keep growing as long as Russia is occupying Ukraine. Given that 2022 has not seen any vulnerabilities resembling 2021’s Log4j or Exchange concerns, they also caution that there is a high likelihood of significant end-of-year attacks.