A report by Secureworks revealed a 30% year-over-year rise in active ransomware groups, which demonstrates fragmentation of an established criminal ecosystem. 31 new groups entered the ransomware ecosystem during the last 12 months.

Law enforcement activity targeting GOLD MYSTIC (LockBit) and GOLD BLAZER (BlackCat/ALPV) caused significant disruption to the status quo of the ransomware operating landscape. The number of active ransomware groups using "name and shame" leak sites grew 30% year-over-year.

Despite this growth in ransomware groups, victim numbers did not rise at the same pace, showing a significantly more fragmented landscape posing the question of how successful these new groups might be. Scan-and-exploit and stolen credentials remain the two largest initial access vectors (IAV) observed in ransomware engagements based on our observations.

Observed increase in adversary-in-the-middle (AiTM) attacks – a notable and concerning trend for cyber defenders. AI is growing in use and in variation for cybercriminals – expanding the scale and credibility of existing scams like CEO fraud or "obituary pirates."

In the past year, threat actors are increasingly stealing credentials and session cookies to gain access by using AiTM attacks. This potentially reduces the effectiveness of some types of MFA, a worrying trend for network defenders. These attacks are facilitated and automated by phishing kits that are available for hire on underground marketplaces and Telegram. Popular kits include Evilginx2, EvilProxy and Tycoon2FA.

As AI tools have become widespread and readily available, it was inevitable that cybercriminals would take note as they look to scale. Since mid-February 2023, Secureworks CTU researchers have observed an increase in posts on underground forums about OpenAI ChatGPT and how it can be employed for nefarious purposes. Much of the discussion relates to relatively low-level activity including phishing attacks and basic script creation.

One novel example of AI being used by threat actors, as observed by Secureworks researchers, was the role it played in a fraud perpetrated by so-called obituary pirates. Threat actors monitored Google trends following a death to identify interest in obituaries and then used generative AI to create lengthy tributes on sites that were manipulated to the top of Google search results by SEO poisoning. They then directed users to other sites pushing adware or potentially unwanted programs.

Read the report.