The number of companies that had their information uploaded onto dedicated leak sites (DLS) between the second half of the financial year (H2) 2021 and the first half of the financial year (H1) 2022 was up 22%, year on year, to 2,886, which amounts to an average of eight companies having their data leaked online every day, says a recent report, Hi-Tech Crime Trends 2022/2023, by Group-IB’s Threat Intelligence division.

One of the driving factors of this trend is the ever-increasing impact of affiliate programs, also known as the Ransomware as a Service (RaaS) model. Over the past year, ransom demands from cybercriminals operating according to the RaaS framework have risen significantly.

For the second consecutive year, researchers observed the increasing impact of initial access brokers (IABs) on the ransomware market. The report noted 2,348 instances of corporate access being sold on dark web forums or privately by IABs, twice the amount of the preceding period. The number of brokers also grew from 262 to 380 over this period, leading to a drop in prices. The average price for one access fell by around 50% to $2,800, making attacks by ransomware gangs and other threat actors more affordable. The increased number of offers coupled with the reduced average price brought the size of the initial access market down by 8.5% to $6,555,332. U.S. networks and manufacturing companies became the most sought-after targets. Compromised remote desktop protocol (RDP) (36%) and virtual private network (VPN) (37%) accounts became the types of access most frequently offered for sale, according to the report.

IABs expand worldwide presence

Of the 2,348 instances of corporate access being offered for sale during the period from H2 2021 to H1 2022, 2,111 offers contained information about the country, and 1,532 specified the victim’s industry. IABs have also significantly expanded their presence worldwide: the number of countries where they broke into corporate networks increased by 41%, from 68 to 96, during H2 2021 to H1 2022. U.S.-based companies were the most popular commodity among the IABs, with almost a quarter of all discovered access offers (558) relating to U.S. companies. According to the report, the industries most affected by IABs were manufacturing (5.8% of all companies), financial services (5.1%), real estate (4.6%) and education (4.2%).

Report researchers also collected information on the types and rights of access offered on dark web forums. They identified a total of 1,757 offers containing information about the access type and 1,329 ads with information relating to privileges. Overall, 70% of the access types put up for sale were RDP and VPN accounts, underscoring the importance of having an up-to-date digital asset inventory. Access with administrator rights (local administrators in the case of Active Directory) was the most commonly offered, accounting for 47% of all ads. In 0.5% of cases analyzed, cybercriminals were able to obtain enterprise admin rights.

In addition to dark web forums, IABs also buy and sell access on underground markets, which are automated platforms for trading any type of data, including bank card details, access to personal and corporate accounts, RDP, access to servers and website administrator panels. During the review period, Group-IB detected over 290,000 web shells and 65,000 instances of RDP access being sold on cybercriminal markets. Web shells are malicious scripts that allow cybercriminals to maintain persistent access on compromised web servers.

Increasing use of ransomware

Across the globe, 2,886 companies had their information, files and data published on ransomware DLS between H2 2021 and H1 2022, a 22% increase compared to the 2,371 companies affected during the previous period (H2 2020 to H1 2021). The report noted that the actual number of ransomware attacks is believed to be significantly higher as many victims pay the ransom and some ransomware gangs do not use DLS. As with the preceding year, the number of ransomware-related data leaks peaked in the final quarter of 2021, when the data of 881 companies was shared on dedicated leak sites.

Report analysts were also able to discover that companies based in North America (54.5% of companies whose data was leaked by ransomware gangs) and Europe (29.7%) were the most affected. When data from companies in individual countries is taken into account, it appears that ransomware gangs most often targeted companies in the U.S. A total of 1,237 U.S.-based companies (43% of the global total) had their data published on DLS between H2 2021 and H1 2022. Rounding out the five most-affected countries are Germany (147 companies), the United Kingdom (138), Canada (128) and Italy (124). The report revealed that, globally, the largest number of ransomware-related data leak victims were found in the following sectors: manufacturing (295 companies), real estate (291), professional services (226) and transportation (224).

More details from the report can be found here.