Experts analyzed key trends in the development of cybercrime

Father

Group-IB has conducted a large-scale study of the underground market, identifying the main sources of threats to business and the public sector. In the Hi-Tech Crime Trends report, analysts document the consolidation of cybercrime groups into affiliate programs that are now run at scale.

These programs are used by ransomware operators, sellers of access to compromised corporate networks, and phishing and scam operators. The resulting alliances escalate the threat level and produce new cybercrime victims around the world.

The Hi-Tech Crime Trends report has been presented at the CyberCrimeCon conference for 10 years and examines various aspects of the cybercrime industry, analyzes attacks and predicts changes in the threat landscape for various sectors of the economy.

"Today, as is our tradition, we presented our new Hi-Tech Crime Trends report at the CyberCrimeCon conference, but this year, for the first time, Group-IB experts have divided the report into five volumes, examining in detail the most dangerous cyber threats in the world: "Sale of Access", "Ransomware Empire", "Threats to the Financial Sector", "Military Operations" and "Phishing and Scam", each of which will be published in turn before the end of the year," says Dmitry Volkov, CEO of Group-IB. "The forecasts and recommendations of Hi-Tech Crime Trends are aimed at reducing financial losses and infrastructure downtime, as well as at risk management and taking preventive measures to counter targeted attacks, espionage and cyberterrorist operations."

Ransomware Empire: Tools for pressuring victims, and RaaS

Using the Group-IB Threat Intelligence & Attribution system to collect historical data, including posts that the actors themselves later deleted from underground resources, Group-IB experts conducted an in-depth analysis of how the ransomware market has developed over a period of more than 10 years.

The catalyst for the success of ransomware (in Russia alone, the number of ransomware attacks increased by 200% in 2021) was the alliance of ransomware operators with sellers of access to compromised corporate networks under Ransomware-as-a-Service (RaaS) affiliate programs.

Despite the "protests" of a number of underground forum administrators under the slogan "No more ransom!", 21 new affiliate programs appeared on these forums during the analyzed period (H2 2020 to H1 2021), 19% more than in the previous period. In total, 34 new ransomware affiliate programs were advertised in 2020 and 2021. They were actively joined by professional "pentesters", that is, Initial Access Brokers, who break into corporate networks either to resell the access they obtain or to take part in the affiliate programs for a percentage of the ransom.

The use of Data Leak Sites (DLS), darknet sites that serve as an additional lever of pressure on the victim by threatening to publish the stolen data unless a ransom is paid, has reached a peak.

The number of new DLS more than doubled, from 13 to 28, in H2 2020 to H1 2021 compared with H2 2019 to H1 2020. They published data from 2,371 companies that had fallen victim to ransomware operators. Compared with the previous period, when the data of 229 victims was exposed, this is an unprecedented increase of 935%.

Over the whole of 2020, data from 1,335 ransomware victims was published on DLS; in the first three quarters of 2021 alone the figure was 1,966, 47% more than in all of last year. Given that only about 10% of attacked companies have their data uploaded to a DLS, the real number of victims is roughly ten times higher. At the same time, about 30% of victims choose to pay the ransom.

In 2021, the most aggressive group using DLS was Conti, which posted data from 361 victim companies, accounting for 16.5% of the total volume. It is followed by Lockbit (251 victims), Avaddon (164), REvil (155) and Pysa (118). Last year, the top 5 looked different: Maze (259), Egregor (204), Conti (173), REvil (141) and Pysa (123).

Globally, according to the DLS analysis, most ransomware victims are located in the United States (49.2%) and Canada (5.6%), followed by France (5.2%), which displaced the UK from that position. By industry, manufacturing moved into first place (9.6%), followed by real estate (9.5%) and transport (8.2%). Ransomware families active in the former Soviet Union, the most active being Dharma, Crylock and Thanos, carried out more than 300 attacks in total. However, data belonging to Russian and CIS companies has not been posted on DLS. Most likely, this technique will be adopted there in the future.

Uninvited guests: more than 1000 accesses to company networks put up for sale on the darknet

Group-IB analysts are seeing a rapid increase in underground offers to sell access to compromised corporate networks around the world. The total number of accesses offered for sale in H2 2020 to H1 2021 is 1,099, a 204% increase in the number of victims compared with the previous period (H2 2019 to H1 2020). The total volume of this market was $7,165,876, 16% more than in the previous period ($6,189,388). The main methods of breaking into corporate networks remain the same: compromising remote-access accounts, phishing, and exploiting vulnerabilities in internet-facing applications.

The number of sellers on the underground market grew by a record 205%. According to Group-IB estimates, there are now 262 of them, three times more than in the previous period. Moreover, 229 of them are "fresh blood": brokers whose activity was first recorded in the reporting period.

The number of countries whose companies had access sold has grown proportionally: companies in 68 countries were affected in the current period versus 42 in the previous one. The United States (30%), France (5%) and the United Kingdom (4%) remain at the top of the ranking, while the number of accesses to companies in Australia (4%) and India (3%) increased significantly.

Most brokers are Russian-speaking, which makes Russia and the CIS the least attacked region, since attackers try not to "work on ru" in order to avoid arrest. The study showed that 76% of all accesses sold within the region relate to Russia, followed by Azerbaijan and Armenia with 12% each. The best-selling accesses in Russia involve IT companies, Internet service providers, retailers, and the networks of state-owned companies. In Azerbaijan, one of the brokers' victims was a large oil company; in Armenia, unusually, online casinos. Overall, the market for selling access to companies in Russia and the CIS shrank almost threefold during the period under study, to $48,239 from $142,058 in the previous period.

Access to the bank is open

Over the past year, the number of accesses to banks and financial institutions sold worldwide grew by almost 206%, from 31 (H2 2019 to H1 2020) to 95 (H2 2020 to H1 2021). The number of sellers of access to compromised financial-sector networks also rose, from 18 to 47.

In H2 2020 to H1 2021, brokers' proceeds from selling access to the financial sector amounted to at least $530,000. Their victims were most often banks and financial organizations in the United States (22 sales over the past year), India (6), the United Kingdom (5), the United Arab Emirates (5), Canada (4), Mexico (4) and Thailand (4). In Russia, one sale of access to a bank was recorded.

However, despite brokers' growing interest in the financial sector, its share of the industry breakdown (9%) was equal to that of manufacturing (9%) and education (9%). They are closely followed by healthcare and trade, at 7% each.

Carding Market and the Wild Card Factor

Carding is becoming less attractive to cybercriminals. The global carding market (underground sales of stolen bank card data as dumps or as text) shrank by 26% during the study period, from $1.9 billion to $1.4 billion. This is driven by a 17% fall in the number of dumps (magnetic-stripe contents) on sale, to 58 million from 70 million, following the closure of the largest card shop, Joker's Stash. The average price per dump also fell, from $21.88 to $13.84, although the maximum price rose from $500 to $750.

The situation is different on the market for card "text" data (card number, expiration date, cardholder name, address, CVV). The volume offered underground grew by 36%, from 28 million to 38 million, driven by the growth in phishing resources impersonating well-known brands during the pandemic. The average price for "text" rose from $12.78 to $15.20, and the maximum price soared almost sevenfold, from $150 to an unprecedented $1,000.

The carding market in Russia and the CIS shrank for the first time, by 77%, to only $270,935 in the reporting period (H2 2020 to H1 2021) from $1,210,491 in the previous period (H2 2019 to H1 2020). The total number of bank card records offered for sale on the darknet and attributed to banks in Russia and the CIS fell by 60%, from 34,816 to 13,799.

The regional dump market shrank by 88%, from $931,978 to $115,098, and the text-data market by 44%, from $278,513 to $155,838. At the same time, the average card-shop price for "text" rose slightly, from $14.08 to $15.43 per card, while the price for a dump halved, from $61.98 to $31.12. Experts expect underground bank card sales to continue to decline, with dump sales affected first.

You scratch my back, I'll scratch yours: Phishing and scam affiliate programs

During the reporting period, phishing and scam affiliate programs (Scam-as-a-Service, Phishing-as-a-Service) became widespread. Initially they focused on Russia and the CIS countries. Now Group-IB specialists increasingly observe affiliate programs targeting European, Asian, Middle Eastern and American companies. Participants in such programs are known to have created and distributed phishing pages impersonating 71 brands from 36 countries. The most impersonated services are marketplaces (69.5%), delivery services (17.2%) and ride-sharing services (12.8%), among others.

Affiliate programs that originated in the former Soviet Union have begun migrating online to countries in Europe, the Americas, Asia and the Middle East. One example is "Mammoth" (Russian: Mamont), a fraud scheme popular among scam affiliates. It remains popular in Russia, Belarus, Kazakhstan, Uzbekistan, Azerbaijan, Ukraine and Georgia.

According to Group-IB experts, there are about 70 phishing and scam affiliate programs. Their participants target money, personal data and payment data. Their combined profit for the reporting period was at least $10,000,000, with an average theft of $83 per incident. These affiliate programs involve a large number of participants, have a strict hierarchy, and run a complex technical infrastructure for automating fraud. Group-IB experts note that the attackers have begun to use Telegram actively in their work. The "affiliates" now generate large volumes of "manual" traffic, obtained by working on each victim individually.