Trellix Uncovers Diversification Of Ransomware Ecosystem

Trellix has released The CyberThreat Report: November 2024, its latest research from the Trellix Advanced Research Center. The report provides insight into the regions and industries at risk, the evolving methods used by adversarial actors, and offers recommendations for CISOs and security operations teams tasked with protecting their organisation. 

The research examines an increasingly complex ransomware ecosystem where groups have adopted advanced tools with embedded AI to spread ransomware. Further findings include the accelerated use of endpoint detection and response (EDR) evasion, password spray, infostealer, and backdoor tools and techniques to execute attacks. Trellix telemetry reveals China-affiliated threat actor groups remain a prevalent source of nation-state advanced persistent threat (APT) activities, with Mustang Panda generating more than 12% of detected APT activity alone.

“The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape. Resilience planning has never been more important for cybersecurity teams,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “We’ve seen significant events, including state-sponsored attacks on critical infrastructure, the growth of AI-driven ransomware, and the rise of hacktivism tied to global conflict. The increased use of generative AI by cybercriminals has also posed new challenges. The industry must continue monitoring for transformative use of AI by cybercriminals to strengthen defenses.”

An evolving ransomware ecosystem

With several arrests, the indictment of LockBit leaders, and action to dismantle infrastructure by global law enforcement, the Trellix Advanced Research Center observed a diversification of ransomware groups, expanded use of AI-powered tools to deliver ransom demands, and a focus on tools built specifically to evade endpoint detection and response (EDR) solutions. 

  • Group diversification: The top five most active groups account for less than 40% of all attacks, demonstrating less concentrated activity among major actors. This highlights the need for organisations and governments to remain adaptable, continuously updating their strategies to address the evolving tactics of ransomware groups. 
  • RansomHub: RansomHub emerged as the most active among ransomware groups, accounting for 13% of Trellix detections. Its rise, and the activity of other smaller groups, further illustrates the fluid nature of ransomware. LockBit remains active, generating the second most detections (11%), followed by groups Play (7%), Akira (4%) and Medusa (4%). 
  • EDR evasion: Trellix found a thriving market for EDR evasion tools on the dark web. They are built to avoid detection by the tools most organisations rely on to identify and respond to known threats. RansomHub adopted one such tool named EDRKillShifter to disable EDR capabilities before executing their attacks. 
  • AI-powered tools: The cybercriminal underground has become a hub for malicious actors to sell new AI-based tools to execute crime. Trellix observed the sale of a number of these tools on the black market, including the Radar Ransomware-as-a-Service programme, which conceals the way AI is used but seeks to recruit forum users to join its affiliate network.  
  • Sectors and regions: Healthcare, education, and critical infrastructure remain prime targets, and the global spread of ransomware persists, focusing on the U.S. and other developed economies. The U.S. received 41% of all Trellix ransomware detections, outpacing the next most targeted country (the U.K.) nine-fold. 

The broader cyber threat landscape

The Trellix Advanced Research Center examined industry cyber threat data, with analysis pointing to a rise in attacks from North Korea-aligned group Kimsuky, which doubled the activity of other APT groups. The study of industry reports of cybersecurity events also revealed a targeted distribution across critical sectors, with the government bearing the brunt of attacks (13%), followed by the financial sector (7%) and manufacturing (5%). 

The CyberThreat Report: November 2024 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, and open and closed-source intelligence. It integrates AI-assisted data gathering to enhance the depth and timeliness of insights. The report is based on telemetry related to threat detections, when a file, URL, IP address, suspicious email, network behavior, or other indicator is detected and reported by the AI-powered Trellix Security Platform. This report represents data collected April 1 – September 30, 2024.

Leave a Reply

Your email address will not be published. Required fields are marked *