Ransomware has always been one of the most potent threats in cyberspace, but 2023 witnessed an unprecedented surge in ransomware attacks, a 200% increase over the previous year. While this increased volume and frequency of attacks is concerning in itself, what is making security researchers and infosec teams worldwide take notice is the rising sophistication of these attacks. Recent ransomware variants show rapid evolution in initial access, evasion, and persistence, while becoming stealthier and disguising and refining their exfiltration processes.
In 2023, ransomware groups evolved their tactics with a focus on diverse and sophisticated attack vectors. Compromised access obtained via stealer logs, social engineering, and phishing persisted, highlighting the need for heightened user awareness and robust security measures. The integration of AI in targeted reconnaissance campaigns increased precision and adaptability. Living off the Land binaries (LOLBins) and Active Directory discovery tools were extensively employed for stealth and network enumeration. Techniques like HTTP tunneling to impersonate privileged services and novel malware delivery methods underscored the dynamic ransomware threat landscape, highlighting the rising need for proactive and adaptable cybersecurity measures.
Last year, the Transportation and Logistics sector saw a staggering 110% rise in ransomware attacks, influenced by the Russia-Ukraine conflict and recent tensions in the Middle East. Technology-industry component manufacturers handling semiconductors, IoT devices, industrial automation, and related technologies were also aggressively targeted. Industries producing critical components experienced sustained attacks, with ransomware groups extracting data for potential supply-chain exploitation. Similarly, attacks on Banking, Financial Services, and Insurance (BFSI) institutions in the APAC and META regions rose 66% from 2022. The US remained the most targeted region last year as well, with known and new ransomware families and affiliates targeting it aggressively.
Cyble Research & Intelligence Labs has covered Ransomware and the overall threat landscape extensively in its 2023 Annual Threat Landscape report.
Recently, Cyble Research and Intelligence Labs (CRIL) uncovered a potential holiday-themed malware campaign propagated through New Year-themed phishing emails. Within a ZIP archive, researchers identified a deceptive shortcut file masquerading as a PNG image. When activated, the shortcut file uses MSHTA and JavaScript to download and open what appears to be a benign “Happy New Year” image to deceive potential victims.
The JavaScript operates discreetly, downloading a malicious payload encapsulated within a CAB file and decoding it with the certutil executable. The CAB file is then extracted, releasing the malware executable. Upon execution, the malware drops an additional DLL payload and uses DLL sideloading to advance the infection.
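The chain described above (shortcut launches MSHTA with JavaScript, MSHTA spawns certutil to decode a CAB, the CAB is extracted) is built entirely from Windows LOLBins, so process-creation telemetry is the natural place to catch it. The following is an added detection example written for this article, not CRIL's code and not tied to any vendor's schema: the pipe-delimited log format, the host names, the paths and the rule names are all constructed for illustration, and the use of expand.exe or extrac32.exe for the extraction step is an assumption, since the analysis does not name the tool. It flags each stage on its own and raises a correlated alert only when all three stages are seen on the same host in order.

```python
"""Stage-by-stage detection for the LNK -> MSHTA -> certutil -decode -> CAB chain.

Added example, not part of the original article. The event format is a
constructed, simplified process-creation log:
    ts|host|parent_image_name|image_path|command_line
Rule names, hosts and paths are illustrative assumptions.
"""
import re
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    host: str
    parent: str   # parent image name, lower-cased (e.g. "explorer.exe")
    image: str    # full image path, lower-cased
    cmdline: str


def parse_event(line: str) -> Event:
    ts, host, parent, image, cmdline = line.rstrip("\n").split("|", 4)
    return Event(ts, host, parent.lower(), image.lower(), cmdline)


def stage_of(ev: Event):
    """Map one process event to a stage of the described chain, or None."""
    name = ev.image.rsplit("\\", 1)[-1]
    # Stage 1: the shortcut launches mshta.exe from the user's shell with inline JavaScript
    if name == "mshta.exe" and ev.parent == "explorer.exe" \
            and re.search(r"javascript:", ev.cmdline, re.IGNORECASE):
        return "mshta_javascript_from_shortcut"
    # Stage 2: the script calls certutil -decode to recover the CAB payload
    if name == "certutil.exe" and ev.parent == "mshta.exe" \
            and re.search(r"(^|\s)-decode(\s|$)", ev.cmdline, re.IGNORECASE):
        return "certutil_decode_under_mshta"
    # Stage 3: the CAB is expanded to release the executable
    # (assumption: via expand.exe or extrac32.exe; the article does not name the tool)
    if name in ("expand.exe", "extrac32.exe") \
            and re.search(r"\.cab\b", ev.cmdline, re.IGNORECASE):
        return "cab_extracted"
    return None


ORDER = ["mshta_javascript_from_shortcut", "certutil_decode_under_mshta", "cab_extracted"]


def detect(lines):
    """Return (rule, host, ts) tuples; a chain alert fires once all stages hit one host."""
    alerts = []
    seen = {}  # host -> stages observed so far, in order
    for line in lines:
        ev = parse_event(line)
        st = stage_of(ev)
        if st is None:
            continue
        stages = seen.setdefault(ev.host, [])
        # CAB extraction is common admin activity: only count it after a decode on that host
        if st == "cab_extracted" and "certutil_decode_under_mshta" not in stages:
            continue
        alerts.append((st, ev.host, ev.ts))
        stages.append(st)
        if all(s in stages for s in ORDER):
            alerts.append(("lnk_mshta_certutil_cab_chain", ev.host, ev.ts))
            seen[ev.host] = []   # reset so a repeat infection alerts again
    return alerts


# Constructed sample telemetry: WS01 shows the full chain, WS02 shows benign LOLBin use.
SAMPLE_LOG = [
    "2024-01-02T09:14:01Z|WS01|explorer.exe|C:\\Windows\\System32\\mshta.exe|"
    "mshta.exe javascript:<inline script omitted>",
    "2024-01-02T09:14:02Z|WS01|mshta.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -decode C:\\Users\\u\\AppData\\Local\\Temp\\newyear.txt "
    "C:\\Users\\u\\AppData\\Local\\Temp\\newyear.cab",
    "2024-01-02T09:14:03Z|WS01|mshta.exe|C:\\Windows\\System32\\expand.exe|"
    "expand.exe C:\\Users\\u\\AppData\\Local\\Temp\\newyear.cab -F:* "
    "C:\\Users\\u\\AppData\\Local\\Temp",
    "2024-01-02T10:02:17Z|WS02|cmd.exe|C:\\Windows\\System32\\certutil.exe|"
    "certutil.exe -hashfile C:\\tools\\setup.msi SHA256",
    "2024-01-02T10:05:40Z|WS02|cmd.exe|C:\\Windows\\System32\\expand.exe|"
    "expand.exe C:\\drivers\\pkg.cab -F:* C:\\drivers",
]

if __name__ == "__main__":
    for rule, host, ts in detect(SAMPLE_LOG):
        print(f"{ts} {host} {rule}")
```

The per-stage alerts are deliberately noisy on their own (certutil and expand have legitimate uses, as the WS02 lines show); the value is in the parent-child constraint on stages 1 and 2 and in the host-level ordering, which is what distinguishes this chain from routine administration. In a real SIEM the same logic maps onto parent-process and command-line fields from Sysmon event 1 or Windows security event 4688 with command-line auditing enabled.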
Interestingly, the malware establishes a connection to a Command-and-Control (C&C) server, raising concerns about potential ties to the Remcos RAT based on the IP address associated with the C&C server. This discovery underscores the importance of heightened vigilance during holiday seasons when cybercriminals exploit thematic lures to compromise unsuspecting users.
Read CRIL’s analysis of this threat here.
The Twitter account of Mandiant, a prominent cybersecurity firm and Google subsidiary, was compromised in a security breach, leading to a cryptocurrency scam orchestrated by an unknown perpetrator. Initially posing as Phantom, a cryptocurrency wallet company, the imposter controlling Mandiant’s account urged users to visit a dubious website to check their eligibility for a token award.
Mandiant employees engaged in a prolonged battle with the scammer, repeatedly removing fraudulent posts only to see them reappear. The situation escalated when the scammer changed the @mandiant username and continued the scam under a new identity, detached from Mandiant. The imposter account persisted in promoting a fake website mimicking Phantom, luring users with promises of free tokens.
Mandiant, renowned for its cybersecurity expertise, faces scrutiny over the security measures for its Twitter account, raising questions about the vulnerability of high-profile accounts. The incident highlights broader concerns regarding the security of influential accounts and the potential risks associated with cyberattacks on companies possessing extensive knowledge of global cybersecurity threats. Read The Cyber Express’s detailed breakdown of the incident here.
Don’t miss out on a unique opportunity to stay ahead in the ever-evolving cybersecurity landscape! Register now for our upcoming webinar with Dipesh Kaura, a renowned cyber threat intelligence expert. Explore the 2024 cyber threat scenario in India and the SAARC region, understanding emerging threats, the latest in cyber threat intelligence tools, and effective risk mitigation strategies.
Engage in interactive discussions with Dipesh during the Q&A session. This event is a must-attend for IT leaders, cybersecurity professionals, tech policymakers, and anyone keen on Indian/South Asian cyber threat dynamics. Secure your spot today to gain valuable insights and network with industry experts! Register here.
The global supply chain is vulnerable to cyberattacks due to its diverse and multifaceted nature. Cybersecurity supply chain risk management guidance is essential for businesses to protect themselves, their partners, and their consumers. They must assess cybersecurity risks at all levels of their organization and consider the vulnerabilities of all players involved in creating a product or service, particularly in light of the increasing incidence of cyberattacks carried out against supply chains. Threat actors have shifted their tactics to compromise firms via their supply chains, seeking to identify and exploit the weakest links, which requires organizations to reevaluate their cybersecurity approach accordingly.
Join Kaustubh Medhe, VP Research and Threat Intelligence at Cyble, as he presents his findings and predictions at the CSA CloudBytes Webinar on January 31st, 2024.