
Increase in Cyber Extortion and Ransomware Attacks Identified

A dataset of over 11,000 victim organizations reveals a surge in Cyber Extortion attacks, with concerns raised about re-victimization and organizations’ vulnerability, prompting law enforcement agencies to take proactive measures to disrupt cybercriminal activities.

At a glance

  • A dataset covering more than 11,000 organizations that have experienced Cyber Extortion (Cy-X) or Ransomware attacks has been compiled.
  • Cyber Extortion attacks surged by 46% between 2022 and 2023, with 2,141 victims recorded across Q4 2023 and Q1 2024.
  • Over 100 instances of victims’ information being reposted on Cy-X data leak sites have been recorded.
  • The Akira ransomware group has extorted approximately $42 million from more than 250 victims as of January 1, 2024.
  • The takedown of the LockBit gang has disrupted its operations, potentially affecting hundreds of affiliates.

The details

A dataset comprising over 11,000 organizations that have experienced a Cyber Extortion (Cy-X) or Ransomware attack has been compiled and analyzed.

An alarming trend of re-victimization has emerged, with some victims suffering repeated attacks, raising concerns about the vulnerability of these organizations.

The number of Cyber Extortion attacks surged by 46% between 2022 and 2023, with a total of 2,141 victims recorded across Q4 2023 and Q1 2024. Law enforcement agencies have taken proactive measures to disrupt cybercriminal activities, targeting groups like ALPHV in December 2023 and LockBit’s infrastructure in February 2024.

In the past two and a half years, 169 actions have been undertaken to combat cybercrime, including efforts to dismantle infrastructure and hosting services utilized by threat actors.

Disturbingly, over 100 instances have been recorded in which victims’ information was reposted on Cy-X data leak sites, exposing those organizations to further harm.

Network graph analysis has revealed patterns of re-victimization by specific Cy-X groups, underscoring the opportunistic nature of Cyber Extortion and the increased suffering experienced by victim organizations.

In a separate development, the Akira ransomware group has extorted approximately $42 million from more than 250 victims as of January 1, 2024.

This group has targeted businesses and critical infrastructure entities across North America, Europe, and Australia since March 2023. Initially focused on Windows systems, Akira deployed a Linux variant targeting VMware ESXi virtual machines in April 2023. For initial access the group exploits known vulnerabilities in Cisco appliances, and also relies on Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and VPN services that lack MFA. Once inside, the actors establish persistence by creating a new domain account, evade detection by abusing the Zemana AntiMalware driver, harvest credentials with tools such as Mimikatz and LaZagne to escalate privileges, and move laterally over RDP.
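The tradecraft above (new domain account for persistence, abuse of the Zemana AntiMalware driver, credential dumpers, RDP lateral movement, and the transfer tools WinSCP, FileZilla, WinRAR and RClone listed in the facts section) maps onto a small correlation rule. The following is an added example, not code from any of the cited reports, that runs such a rule over constructed log lines. Event IDs 4720 (account created), 4624 with LogonType 10 (RDP logon) and Sysmon 1/6 (process created / driver loaded) are real Windows and Sysmon identifiers; the hosts, users, timestamps, the log line format, the correlation window and the driver file name zam64.sys are assumptions made for this example.

```python
"""Correlate Akira-style stages over constructed log lines (added example)."""
from datetime import datetime, timedelta

# Constructed sample, one "timestamp|host|source|event_id|user|detail" record per line.
SAMPLE_LOGS = """\
2024-03-02T01:05:12|DC01|security|4720|svc_backup|New account: itadmin2
2024-03-02T01:09:40|FS01|sysmon|6|SYSTEM|Driver loaded: C:\\Windows\\Temp\\zam64.sys
2024-03-02T01:12:03|FS01|sysmon|1|itadmin2|Process: C:\\Users\\Public\\mimikatz.exe
2024-03-02T01:30:55|FS02|security|4624|itadmin2|LogonType=10 Source=FS01
2024-03-02T02:14:18|FS02|sysmon|1|itadmin2|Process: C:\\ProgramData\\rclone.exe copy D:\\Finance remote:
2024-03-02T09:00:00|WS17|security|4624|alice|LogonType=2 Source=-
2024-03-02T09:05:00|WS17|sysmon|1|alice|Process: C:\\Program Files\\WinSCP\\WinSCP.exe
"""

CRED_TOOLS = ("mimikatz", "lazagne")                       # named in the article
EXFIL_TOOLS = ("rclone", "winscp", "filezilla", "winrar")  # named in the facts list
ABUSED_DRIVER = "zam64.sys"                                # assumed driver file name
WINDOW = timedelta(hours=4)                                # assumed correlation window
MIN_STAGES = 3                                             # distinct stages before alerting


def parse_line(line):
    """Split one constructed record into a dict with a parsed timestamp."""
    ts, host, source, event_id, user, detail = line.split("|", 5)
    return {"ts": datetime.fromisoformat(ts), "host": host, "source": source,
            "event_id": int(event_id), "user": user, "detail": detail}


def classify(rec):
    """Map a record to a kill-chain stage, or None if it matches nothing."""
    d = rec["detail"].lower()
    if rec["source"] == "security" and rec["event_id"] == 4720:
        return "persistence:new-account"
    if rec["source"] == "sysmon" and rec["event_id"] == 6 and ABUSED_DRIVER in d:
        return "evasion:byovd"
    if rec["source"] == "sysmon" and rec["event_id"] == 1:
        if any(t in d for t in CRED_TOOLS):
            return "credential-access:dumper"
        if any(t in d for t in EXFIL_TOOLS):
            return "exfiltration:transfer-tool"
    if rec["source"] == "security" and rec["event_id"] == 4624 and "logontype=10" in d:
        return "lateral-movement:rdp"
    return None


def _finding(cluster, min_stages):
    """Summarise a time cluster if it spans enough distinct stages, else None."""
    stages = sorted({r["stage"] for r in cluster})
    if len(stages) < min_stages:
        return None
    return {"start": cluster[0]["ts"].isoformat(), "end": cluster[-1]["ts"].isoformat(),
            "stages": stages,
            "hosts": sorted({r["host"] for r in cluster}),
            "users": sorted({r["user"] for r in cluster})}


def correlate(lines, window=WINDOW, min_stages=MIN_STAGES):
    """Cluster tagged events into windows and report multi-stage clusters.

    Clustering is environment-wide rather than per host, because the
    described intrusion moves from the DC to file servers within one window.
    """
    tagged = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        stage = classify(rec)
        if stage:
            rec["stage"] = stage
            tagged.append(rec)
    tagged.sort(key=lambda r: r["ts"])
    findings, cluster = [], []
    for rec in tagged:
        if cluster and rec["ts"] - cluster[0]["ts"] > window:
            f = _finding(cluster, min_stages)
            if f:
                findings.append(f)
            cluster = []
        cluster.append(rec)
    if cluster:
        f = _finding(cluster, min_stages)
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOGS):
        print(f)
```

On the constructed sample this yields exactly one finding, spanning DC01, FS01 and FS02 with five distinct stages; the lone WinSCP launch by alice later that morning matches the exfiltration rule but never alerts on its own, which is the reason to score stage diversity within a window rather than single indicators.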

Data exfiltration is carried out with tools such as FileZilla, WinSCP, WinRAR, and RClone, while encryption uses a hybrid scheme combining ChaCha20 and RSA. Furthermore, the Akira locker has mutated, shifting from a C++ variant to Rust-based code as of August 2023, and the group is believed to be linked to the now-defunct Conti ransomware gang.

The recent takedown of the LockBit gang has disrupted its operations, potentially impacting hundreds of affiliates associated with this widely used Ransomware-as-a-Service (RaaS) strain.

In a concerning revelation, Chainalysis has traced cryptocurrency transactions linking a LockBit administrator to a journalist known as Colonel Cassad, whom Cisco Talos tied to an anti-Ukraine disinformation campaign in January 2022.

The Agenda ransomware group has also been active, utilizing an updated Rust variant to target VMware vCenter and ESXi servers.

Moreover, the emergence of cheap, crude ransomware in the cybercrime underground, so-called junk-gun ransomware, has enabled lower-tier individual threat actors to conduct real-world attacks and generate significant profit without depending on a RaaS operation.

This comprehensive overview highlights the escalating threat posed by Cyber Extortion and Ransomware attacks, underscoring the urgent need for robust cybersecurity measures and collaborative efforts to combat these malicious activities.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

thehackernews.com
– Dataset of over 11,000 victim organizations that have experienced a Cyber Extortion / Ransomware attack
– Some victims re-occur, leading to questions about re-victimization
– Increase of 46% in Cyber Extortion attacks between 2022 and 2023
– Total number of victims for Q4 2023 and Q1 2024 tallies to 2,141
– Law Enforcement aimed to disrupt ALPHV in December 2023 and LockBit’s infrastructure in February 2024
– 169 actions combating cybercrime by Law Enforcement in the last two and a half years
– Increased efforts to take down or disrupt infrastructure and hosting services used by threat actors
– Over 100 occurrences of victims being re-posted on Cy-X data leak sites
– Network graph analysis shows re-victimization activity by certain Cy-X groups
– Re-victimization exposes victim organizations to various forms of harm
– Re-victimization shows the opportunistic nature of Cyber Extortion
– Re-victimization increases the suffering of victim organizations
– Understanding victim variables is important in addressing Cyber Extortion attacks
securityweek.com
– Akira ransomware group has extorted approximately $42 million in illicit proceeds from over 250 victims as of January 1, 2024
– The group has targeted businesses and critical infrastructure entities in North America, Europe, and Australia since March 2023
– Akira ransomware initially focused on Windows systems before deploying a Linux variant targeting VMware ESXi virtual machines in April 2023
– The group has shifted from using a C++ variant of the locker to a Rust-based code as of August 2023
– Initial access to target networks is facilitated by exploiting known flaws in Cisco appliances
– Other vectors include Remote Desktop Protocol (RDP), spear-phishing, valid credentials, and VPN services lacking MFA protections
– Akira actors set up persistence by creating a new domain account and evade detection by abusing the Zemana AntiMalware driver
– The group uses credential scraping tools like Mimikatz and LaZagne for privilege escalation and Windows RDP for lateral movement
– Data exfiltration is done through FileZilla, WinRAR, WinSCP, and RClone
– Akira ransomware encrypts systems using a hybrid encryption algorithm combining ChaCha20 and RSA
– The group has delivered two distinct ransomware variants against different system architectures in some instances
– Akira ransomware group is likely affiliated with the now-defunct Conti ransomware gang
– Trend Micro released a decryptor for Akira in July, but it’s likely the shortcomings have been addressed
– Akira’s mutation to target Linux enterprise environments follows similar moves by other ransomware families
– The takedown of the LockBit gang has had a significant impact on its ability to bounce back
– LockBit was a widely used RaaS strain with potentially hundreds of affiliates
– Chainalysis uncovered cryptocurrency trails connecting a LockBit administrator to a journalist known as Colonel Cassad
– Colonel Cassad was linked to an anti-Ukraine disinformation campaign by Cisco Talos in January 2022
– LockBitSupp, the alleged leader of LockBit, is attempting to inflate the victim count post-takedown
– The Agenda ransomware group has used an updated Rust variant to infect VMware vCenter and ESXi servers
– Crude, cheap ransomware sold on the cybercrime underground is being used in real-world attacks
– Junk-gun ransomware allows lower-tier individual threat actors to generate significant profit independently
