Trellix released The CyberThreat Report: November 2024, its latest research from the Trellix Advanced Research Center. The report provides insight into the regions and industries at risk and the evolving methods used by adversarial actors, and offers recommendations for CISOs and security operations teams tasked with protecting their organization.
The research examines an increasingly complex ransomware ecosystem where groups have adopted advanced tools with embedded AI to spread ransomware. Further findings include the accelerated use of endpoint detection and response (EDR) evasion, password spray, infostealer, and backdoor tools and techniques to execute attacks. Trellix telemetry reveals China-affiliated threat actor groups remain a prevalent source of nation-state advanced persistent threat (APT) activities, with Mustang Panda alone generating more than 12% of detected APT activity.
"The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape. Resilience planning has never been more important for cybersecurity teams," said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. "We've seen significant events, including state-sponsored attacks on critical infrastructure, the growth of AI-driven ransomware, and the rise of hacktivism tied to global conflict. The increased use of generative AI by cybercriminals has also posed new challenges. The industry must continue monitoring for transformative use of AI by cybercriminals to strengthen defenses."
An evolving ransomware ecosystem
With several arrests, the indictment of LockBit leaders, and action by global law enforcement to dismantle infrastructure, the Trellix Advanced Research Center observed a diversification of ransomware groups, expanded use of AI-powered tools to deliver ransom demands, and a focus on tools built specifically to evade endpoint detection and response (EDR) solutions.
- Group diversification: The top five most active groups account for less than 40% of all attacks, demonstrating less concentrated activity among major actors. This highlights the need for organizations and governments to remain adaptable, continuously updating their strategies to address the evolving tactics of ransomware groups.
- RansomHub: RansomHub emerged as the most active ransomware group, accounting for 13% of Trellix detections. Its rise, and the activity of other smaller groups, further illustrates the fluid nature of ransomware. LockBit remains active, generating the second most detections (11%), followed by Play (7%), Akira (4%) and Medusa (4%).
- EDR evasion: Trellix found a thriving market for EDR evasion tools on the dark web. They are built to avoid detection by the tools most organizations rely on to identify and respond to known threats. RansomHub adopted one such tool, named EDRKillShifter, to disable EDR capabilities before executing its attacks.
- AI-powered tools: The cybercriminal underground has become a hub for malicious actors to sell new AI-based tools to execute crime. Trellix observed the sale of a number of these tools on the black market, including the Radar Ransomware-as-a-Service program, which conceals the way AI is used but seeks to recruit forum users to join its affiliate network.
- Sectors and regions: Healthcare, education, and critical infrastructure remain prime targets, and the global spread of ransomware persists, focusing on the U.S. and other developed economies. The U.S. received 41% of all Trellix ransomware detections, outpacing the next most targeted country (the U.K.) nine-fold.
The broader cyber threat landscape
The Trellix Advanced Research Center examined industry cyber threat data, with analysis pointing to a rise in attacks from the North Korea-aligned group Kimsuky, which doubled the activity of other APT groups. The study of industry reports of cybersecurity events also revealed a targeted distribution across critical sectors, with government bearing the brunt of attacks (13%), followed by the financial sector (7%) and manufacturing (5%).
The CyberThreat Report: November 2024 includes proprietary data from Trellix's sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, and open and closed-source intelligence. It integrates AI-assisted data gathering to enhance the depth and timeliness of insights. The report is based on telemetry related to threat detections: when a file, URL, IP address, suspicious email, network behavior, or other indicator is detected and reported by the AI-powered Trellix Security Platform. This report represents data collected April 1 - September 30, 2024.