Group-IB
Your daily source of cybersecurity news brought to you by Group-IB, one of the global industry leaders.
Let's dive a little bit deeper into the ransomware threat. According to the latest edition of Group-IB's annual Hi-Tech Crime Trends report, ransomware will remain the top threat for organizations and businesses in 2023.

Here are some highlights:

📍Across the globe, 2,886 companies had their information, files, and data published on ransomware DLS between H2 2021 – H1 2022.

📍The top five most affected countries were the United States, Germany, United Kingdom, Canada, and Italy.

📍The largest number of ransomware-related data leak victims were found in the following sectors: manufacturing, real estate, professional services, and transportation industries.

📍The most active ransomware groups in H2 2021 – H1 2022 were Lockbit, Conti, and Hive.

Want to learn more about Group-IB's findings on ransomware and other cyberthreats? Download our newest report Hi-Tech Crime Trends 2022/2023👈

#HiTechCrimeTrends #report #ransomware
🔮A little cybersecurity forecast never hurt nobody. We have put together the top cyber threats that you need to be aware of in 2023, according to Group-IB's annual Hi-Tech Crime Trends report.

Make sure to download the full report👈

#HiTechCrimeTrends #report
Sharing is caring, and sharing data with the cybersec community is one of our contributions to the global fight against cybercrime. The Group-IB Threat Intelligence team now has its own Twitter account: make sure to follow for the latest research, analytics, IOCs and threat alerts 👉 https://twitter.com/GroupIB_TI

#ThreatIntelligence
📨 It all started with an email...

In the summer of 2022, the Group-IB Managed Extended Detection and Response (MXDR) solution successfully detected and blocked an email carrying a malicious attachment. This email was intended for Group-IB's employees.

While analyzing this attack, the Group-IB Threat Intelligence team found patterns in the actions of the attackers and attributed the observed TTPs to the Tonto Team (aka HeartBeat, Karma Panda, CactusPete, Bronze Huntley, Earth Akhlut). What else did we find out about the threat actor?

โ–ช๏ธThe attackers used phishing emails to deliver malicious Microsoft Office documents created with the Royal Road Weaponizer, a tool widely used by Chinese nation-state threat actors.

โ–ช๏ธDuring the attack, Group-IB researchers noticed the use of the Bisonal.DoubleT backdoor. Bisonal.DoubleT is a unique tool developed by the Tonto Team APT.

โ–ช๏ธThe attackers used a new downloader that Group-IB analysts named TontoTeam.Downloader (aka QuickMute).

Check out our fresh blog where we provide indicators of compromise associated with the Tonto Team campaign and detailed analysis of the tools, techniques, and procedures (TTPs) of the threat actor. This information is useful for organizations fighting cybercrime and information security professionals โ€” chief information officers, SOC analysts, and incident responders โ€” in other sectors targeted by the Tonto Team. Read๐Ÿ‘ˆ

#APT #TontoTeam
โœ‰๏ธ The Group-IB Computer Emergency Response Team has analyzed malicious email campaigns detected by Group-IB Managed XDR in Q4 2022. Here are the highlights:

โ–ช๏ธArchives remained the primary pathway for malware delivery, although the proportion of campaigns that used this vector fell compared to Q3.

โ–ช๏ธIn Q4 2022, the top 3 widely used malware in phishing emails were SnakeKeylogger, AgentTesla, and FormBookFormgrabber. They accounted for 67% of all malicious email campaigns in Q3 2022. In 2023, stealers will remain one of the top cyber threats.

โ–ช๏ธThreat actors most often used hosting providers located in the United States, Netherlands, and Germany to host their C2 servers. 45% of phishing websites were hosted on .com domains.

#CERT #MXDR
๐Ÿ Old snake, new skin.

Group-IB Threat Intelligence team uncovered a previously undocumented spear phishing campaign carried out by the nation-state cyber threat actor SideWinder between June and November 2021. For the first time, Group-IB researchers confirmed the links between the SideWinder, Baby Elephant, and Donot APT groups and described the entire arsenal of the cyberespionage group, including newly discovered tools. What else?

โ–ช๏ธSideWinder has been systematically attacking government organizations in South and East Asia for espionage purposes for about 10 years.

โ–ช๏ธThe attackers attempted to target 61 government, military, law enforcement, and other organizations in Afghanistan, Bhutan, Myanmar, Nepal, and Sri Lanka.

โ–ช๏ธGroup-IB specialists analyzed SideWinderโ€™s network infrastructure and found numerous phishing resources, including a spear-phishing project targeting the crypto industry.

โ–ช๏ธAmong the newly discovered tools were SideWinder.RAT.b (a remote access Trojan) and SideWinder.StealerPy, which is a custom information stealer written in Python designed to exfiltrate information collected from the victimโ€™s computer.

Curious to know more? Download Group-IBโ€™s new report "Old snake, new skin: Analysis of SideWinder APT activity between June and November 2021". The report contains YARA rules for hunting the group and a table with the groupโ€™s TTPs (Tactics, Techniques, and Procedures) mapped to the MITRE ATT&CKยฎ matrix, providing all the information companies and organizations needed to update their security controls to detect SideWinder. Download๐Ÿ‘ˆ

#APT #SideWinder
📦 What happens when you combine ransomware with information stealers, remote access Trojans, and other malware in one easy-to-download package?

Dubai-based researchers from Group-IB's Digital Forensics and Incident Response (DFIR) team found that malicious actors, instead of simply infecting a computer with ransomware, have taken to packaging a whole host of malicious files into what we call malware bundles.

Malware bundles have been around for a while, but their recent usage by cybercriminals reveals some interesting trends. First, it highlights how threat actors, with their ever-growing appetite for cash, create new approaches to monetization. Secondly, their usage can reveal insights into the interactions between low-skilled threat actors and their more sophisticated counterparts. An entry-level cybercriminal can leverage a malware bundle to gain access to a single computer, but they are also able to sell this access to a more skilled threat actor who is able to move laterally from a single device to an entire corporate network.

Check out our latest blog post to get the insights from our investigations into affected companies in Egypt, South Africa, Saudi Arabia, Turkey, Morocco, UAE, Kenya, Israel, Pakistan, India, and Germany. We discuss channels of delivery, malware attribution, tactics, techniques and procedures (TTPs), and bundled parts and roles, all in reference to the MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) framework, in order to detail how the cybercriminals gained initial access and secured persistence. Read now👈

#ransomware