Semi-annual threat report reveals significant changes in ransomware gangs and malware campaigns
Deep Instinct, the first company to apply Deep Learning to cybersecurity on an end-to-end basis, this week released its semi-annual Cyber Threat Report 2022. The latest edition of the report focuses on key malware and ransomware trends and tactics from the first half of 2022, providing key insights and predictions for the ever (and rapidly) evolving cybersecurity threat landscape.
“2022 was another bumper year for cyber criminals and ransomware gangs. It’s no secret that these threat actors continue to improve their attacks with new and improved tactics designed to evade traditional cyber defences,” said Mark Vaitzman, Threat Lab Team Leader at Deep Instinct. “With our Threat Report, we aim to highlight the many challenges that organisations and their security teams face on a daily basis. It is now more important than ever for defenders to be vigilant and find new approaches to prevent these attacks.”
Key findings from the report include the following:
- Changes in the structure of cybercriminals: Among the most commonly observed activities are changes in the world of ransomware gangs, including LockBit, Hive, BlackCat and Conti. The latter has spawned “Conti Splinters”, which are made up of Quantum, BlackBasta and BlackByte. These three well-known former sub-groups of the Conti Group have become independent after Conti withdrew.
- Malware campaigns in transition: The report highlights the reasons for the significant changes at Emotet, Agent Tesla, NanoCore and others. For example, Emotet uses heavily obfuscated VBA macros to avoid detection.
- While Microsoft closes a door, malicious actors open a window: Deep Instinct experts have found that documents are no longer the main attack vector for malware after Microsoft disabled macros in Microsoft Office files by default. Instead, observations have shown that cyber attackers are now using other methods to spread their malware, such as LNK, HTML and archive email attachments.
- Major vulnerabilities that can be easily exploited: Vulnerabilities such as SpoolFool, Follina and DirtyPipe highlight the exploitability of Windows and Linux systems despite efforts to improve their security. An analysis of the catalogue of known vulnerabilities published by CISA (the U.S. Cybersecurity & Infrastructure Security Agency) shows that the number of exploited vulnerabilities skyrockets every three to four months, and we expect the next increase towards the end of the year.
- Data exfiltration attacks now extend to third parties: Hacker groups are using data exfiltration in their attacks to demand ransom for the leaked data. In the case of sensitive data exfiltration, there are fewer options for recovery, so many attackers go even further and demand ransom from third-party companies if their sensitive information is also among the stolen data.
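The shift away from macro-bearing documents towards LNK, HTML and archive attachments described above suggests a gateway check that classifies attachments by their content rather than by the extension they claim. The following is an added example written for this page, not code from Deep Instinct or the report: it recognises LNK files by the documented Shell Link header, HTML by its leading markup, ZIP archives by their local-file-header signature, walks nested archives to a fixed depth, and flags password-protected members it cannot open. The function names and the sample attachment are constructed for the example.

```python
"""Content-based triage of e-mail attachments for the LNK / HTML / archive
delivery vectors, independent of the declared file extension.

Added example, not code from Deep Instinct. The LNK signature is the documented
Shell Link header (HeaderSize 0x4C followed by the Shell Link CLSID); the
sample attachment built below is constructed in memory, not a real sample.
"""
from __future__ import annotations

import io
import zipfile
from pathlib import PurePosixPath

# HeaderSize 0x0000004C + CLSID 00021401-0000-0000-C000-000000000046 (little-endian)
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
ZIP_MAGIC = b"PK\x03\x04"          # local file header of a non-empty ZIP
MAX_DEPTH = 3                      # stop unpacking nested archives past this depth
EXPECTED_EXT = {"lnk": {".lnk"}, "html": {".html", ".htm"}, "archive": {".zip"}}


def sniff(data: bytes) -> str | None:
    """Classify bytes as 'lnk', 'archive', 'html' or None from their content."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(ZIP_MAGIC):
        return "archive"
    head = data.lstrip(b"\xef\xbb\xbf \t\r\n")[:1024].lower()   # skip BOM / whitespace
    if head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head:
        return "html"
    return None


def triage_attachment(name: str, data: bytes, depth: int = 0) -> list[dict]:
    """Return one finding per suspicious object, recursing into ZIP members.

    Each finding records the (nested) path, the sniffed kind, and whether the
    file extension disagrees with the content, which is a common lure pattern.
    """
    findings: list[dict] = []
    kind = sniff(data)
    if kind is None:
        return findings
    suffix = PurePosixPath(name).suffix.lower()
    findings.append({"path": name, "kind": kind, "ext_mismatch": suffix not in EXPECTED_EXT[kind]})
    if kind == "archive" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir():
                        continue
                    member_path = f"{name}/{info.filename}"
                    if info.flag_bits & 0x1:   # encrypted member: cannot inspect, so flag it
                        findings.append({"path": member_path, "kind": "encrypted-member", "ext_mismatch": False})
                        continue
                    findings.extend(triage_attachment(member_path, zf.read(info), depth + 1))
        except zipfile.BadZipFile:
            findings.append({"path": name, "kind": "malformed-archive", "ext_mismatch": False})
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a fake LNK, a benign text file and a nested ZIP with HTML."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("page.html", "<!DOCTYPE html><html><body>constructed</body></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56)   # header only, not a working shortcut
        zf.writestr("readme.txt", "constructed benign text")
        zf.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for finding in triage_attachment("invoice.zip", build_sample_attachment()):
        print(finding)
```

In a mail pipeline the same function would be called once per MIME part with the part's filename and decoded bytes; the `ext_mismatch` flag and the `encrypted-member` kind are the two signals most worth routing to a quarantine rule, since both defeat extension-only filtering.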
It is no surprise that ransomware attacks continue to pose a serious threat to businesses, considering that there are currently 17 leaked databases operated by cybercriminals. They use the data for attacks on third-party companies and especially for social engineering, theft of access credentials and triple extortion (described in the last finding above).
The report also includes three specific forecasts:
- Insiders and Partner Programmes: Malicious threat actors always look for the weakest link in the network. Given the increasing innovation in cybersecurity, some attackers are choosing to either directly seek out weak targets or simply pay an insider. Groups like Lapsus$, for example, rely less on exploiting vulnerabilities and more on insiders willing to sell access to their organisation’s data.
- Protestware is on the rise: The phenomenon of protestware is growing not only in popularity but also in use. Protestware is the deliberate sabotage by developers of their own software, turning it into an indirect cyberweapon that harms some or all of its users. The war between Russia and Ukraine has led to a rise in protestware, the most well-known example being the node-ipc wiper, a popular NPM package. Such supply chain attacks are not easy to detect, and they are usually only discovered once multiple victims are affected.
- Year-end attacks: While we have not yet heard of a major vulnerability in 2022 comparable to the Log4J or Exchange cases in 2021, the number of publicly assigned Common Vulnerabilities and Exposures (CVE) identifiers for reported vulnerabilities has increased year-on-year. Cyber attackers are still exploiting old vulnerabilities in 2022 simply because there is an abundance of unpatched systems for CVEs from 2021.
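Two of the points above rest on reading the CISA known-exploited-vulnerabilities catalogue over time: the finding that the number of exploited vulnerabilities surges every three to four months, and the forecast that older CVEs keep being exploited. The following is an added example written for this page, not code from Deep Instinct or CISA; it assumes the JSON layout of CISA's public KEV feed (a `vulnerabilities` list whose entries carry `cveID` and `dateAdded`), buckets additions by month with quiet months filled in as zero, and marks months whose additions reach twice the median monthly rate. The feed it runs on is constructed, and its CVE identifiers are placeholders, not real catalogue entries.

```python
"""Month-by-month view of CISA KEV catalogue additions, to spot periodic surges
in newly catalogued exploited vulnerabilities.

Added example, not code from Deep Instinct or CISA. It assumes the JSON layout of
CISA's public KEV feed (a "vulnerabilities" list whose entries carry "cveID" and
"dateAdded"); the feed built below is constructed, and its CVE IDs are
placeholders in the CVE-0000-NNNNN form, not real catalogue entries.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import date
from statistics import median

# Constructed monthly totals used to synthesise the sample feed (two quiet
# stretches around two busy months, mirroring a three-to-four-month cadence).
_CONSTRUCTED_COUNTS = {
    "2022-01": 2, "2022-02": 3, "2022-03": 12, "2022-04": 2,
    "2022-05": 3, "2022-06": 2, "2022-07": 14,
}


def build_sample_feed() -> str:
    """Synthesise a KEV-shaped JSON document from the constructed totals."""
    entries = []
    serial = 0
    for month, count in _CONSTRUCTED_COUNTS.items():
        for day_offset in range(count):
            serial += 1
            entries.append({
                "cveID": f"CVE-0000-{serial:05d}",      # placeholder, not a real CVE
                "vendorProject": "ExampleVendor",        # constructed
                "product": "ExampleProduct",             # constructed
                "dateAdded": f"{month}-{(day_offset % 28) + 1:02d}",
            })
    return json.dumps({"title": "Constructed KEV-shaped sample", "vulnerabilities": entries})


def _months_between(first: str, last: str) -> list[str]:
    """Every YYYY-MM label from first to last inclusive, so quiet months show as zero."""
    year, month = (int(part) for part in first.split("-"))
    end_year, end_month = (int(part) for part in last.split("-"))
    labels = []
    while (year, month) <= (end_year, end_month):
        labels.append(f"{year:04d}-{month:02d}")
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
    return labels


def additions_per_month(kev_json: str) -> dict[str, int]:
    """Return {"YYYY-MM": entries added that month}, with gaps filled as 0."""
    catalogue = json.loads(kev_json)
    counts: Counter[str] = Counter()
    for entry in catalogue["vulnerabilities"]:
        added = date.fromisoformat(entry["dateAdded"])
        counts[f"{added.year:04d}-{added.month:02d}"] += 1
    if not counts:
        return {}
    return {label: counts.get(label, 0) for label in _months_between(min(counts), max(counts))}


def surge_months(monthly: dict[str, int], factor: float = 2.0) -> list[str]:
    """Months whose additions reach `factor` times the median monthly rate.

    The median is used as the baseline because it is not pulled up by the
    surge months themselves, unlike a mean.
    """
    if not monthly:
        return []
    baseline = median(monthly.values())
    if baseline == 0:
        return [label for label, n in monthly.items() if n > 0]
    return [label for label, n in monthly.items() if n >= factor * baseline]


if __name__ == "__main__":
    # To run against the live catalogue, read CISA's published JSON feed
    # (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
    # into `feed` instead of the constructed sample.
    feed = build_sample_feed()
    by_month = additions_per_month(feed)
    for label, n in by_month.items():
        print(f"{label}  {n:3d}  {'#' * n}")
    print("surge months:", ", ".join(surge_months(by_month)))
```

The same bucketing, keyed on the year in each `cveID` instead of on `dateAdded`, gives the second signal the report points at: how many of the entries catalogued this year concern CVEs published in earlier years, which is a direct measure of how much unpatched backlog attackers are still drawing on.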
For more information on the current state of cyber security threats and their further development, please visit: https://www.deepinstinct.com/cyber-threat-reports.