Group-IB, a leading creator of cybersecurity technologies to investigate, prevent, and fight digital crime, is proud to announce the launch of its new report Hi-Tech Crime Trends 2023/2024, the latest edition of the company’s annual round-up of the most pressing global cyber threats to organizations and individuals.
RELATED: Stealing your career: Group-IB uncovers ResumeLooters’ data thefts
In the research, Group-IB analysts reveal how the unholy alliance between ransomware groups and Initial Access Brokers (IABs) is still the powerful engine for cybercriminal industry, evidenced by the 74% year-on-year increase in the number of companies that had their data uploaded on dedicated leak sites (DLS). Global threat actors also demonstrated increased interest in Apple platforms, exemplified by the fivefold increase in underground sales related to macOS information stealers.
The growing appetite of nation-state sponsored threat actors, also known as advanced persistent threat (APT) groups, has shown that no region is immune to cyber threats. Group-IB experts discovered a 70% increase in the number of public posts offering zero-day exploits for sale, and also identified cybercriminals’ malicious use of legitimate services and artificial intelligence (AI) infused technologies as the main cyber risks for 2024.
The first edition of Hi-Tech Crime Trends was launched 12 years ago, and the information contained in the report enables businesses, NGOs, governments, and law enforcement agencies around the world to fight cybercrime and help potential victims. For the first time, Hi-Tech Crime Trends includes a section outlining the intricate relationship between artificial intelligence (AI) and cybersecurity threats, outlining how this new technology is being leveraged by cybercriminals, including the misuse of large language models (LLM) such as ChatGPT, and the potential risks to corporate data through AI integration.
Nothing artificial about this threat
Threat actors have already shown how AI can help them develop malware only with a limited knowledge of programming languages, brainstorm new TTPs, compose convincing text to be used in social engineering attacks, and also increase their operational productivity.
Large language models (LLM) such as ChatGPT remain in widespread use, and Group-IB analysts have observed continued interest on underground forums in ChatGPT jailbreaking and specialized generative pre-trained transformer (GPT) development, looking for ways to bypass ChatGPT’s security controls. Group-IB experts have also noticed how, since mid-2023, four ChatGPT-style tools have been developed for the purpose of assisting cybercriminal activity: WolfGPT, DarkBARD, FraudGPT, and WormGPT – all with different functionalities.
FraudGPT and WormGPT are highly discussed tools on underground forums and Telegram channels, tailored for social engineering and phishing. Conversely, tools like WolfGPT, focusing on code or exploits, are less popular due to training complexities and usability issues. Yet, their advancement poses risks for sophisticated attacks.
Group-IB’s Hi-Tech Crime Trends 2023/2024 also highlighted the sale of compromised ChatGPT credentials on the dark web, building upon past research. With more employees relying on ChatGPT for work optimization and its storage of past interactions, compromised logins could expose sensitive information, posing significant security risks for businesses.
From January 2023 to October 2023, Group-IB detected more than 225,000 logs up for sale on the dark web containing compromised ChatGPT credentials. Group-IB’s Threat Intelligence platform found these compromised credentials within the logs of information-stealing malware traded on illicit dark web marketplaces.
Notably, the number of compromised hosts with access to ChatGPT detected by Threat Intelligence between June 2023 and October 2023 was more than 130,000, an increase of 36% compared to the preceding five-month period (January-May 2023). The number of available logs containing ChatGPT logs peaked in the final month of the study – in October 2023 – when 33,080 were registered. Group-IB’s analysis found that the majority of the logs containing ChatGPT accounts were breached by the LummaC2 information stealer.
Double trouble: ransomware gangs and initial access brokers wreak havoc
Group-IB’s Threat Intelligence unit constantly monitors all ransomware activity and detected 4,583 companies that had their information, files, and data published on ransomware DLSs in 2023. This marks a growth of 74% compared to the previous year, when 2,629 such posts were made. Group-IB researchers note that the number of total ransomware attacks worldwide is likely to be much larger, with probable instances of organizations paying the ransom or groups deciding not to go ahead with their threat of publishing data on a DLS.
Companies based in North America most commonly appeared in the DLS posts of ransomware groups, accounting for 2,487 (or 54%) of the annual total, and more than double the corresponding figure in 2022 (1,192 companies). Roughly 26% of posts on ransomware DLSs related to companies from Europe (1,186, up 52% YoY) and 10% were from the APAC region (463, up 39% YoY).
The United States was the most common target for ransomware groups, as 1,060 US-based companies were the subject of ransomware DLS posts in 2023. The next most affected countries were Germany (129), Canada (115), France (103), and Italy (100).
In terms of affected industries, attacks as per ransomware DLS on manufacturing (580 instances) and real estate (429) companies rose year-on-year by 125% and 165%, respectively, and these key sectors were the two most targeted worldwide. Notably, Group-IB observed a 88% year-on-year increase in ransomware DLS posts related to healthcare companies, and a 65% rise in posts concerning government and military organizations.
Throughout the reporting period, Group-IB experts uncovered 27 new advertisements for ransomware-as-a-service programs on dark web forums, including well known groups such as Qilin, as well as other collectives that have yet to be seen in the wild. As was the case in 2022, LockBit was 2023’s most prominent ransomware-as-a-service group with 1,079 posts on its DLS (24% of the annual total). In second place was BlackCat with 427 posts (9% of annual total) and third was Clop (385 posts or 9%).
Researchers also found that Initial Access Brokers (IABs) are continuing to play a significant role in the ransomware market. In 2023, they found 2,675 instances of corporate put up for sale – almost an identical figure compared with 2022, when 2,702 offers were found.
Notably, Group-IB data shows that the average price for corporate access in 2023 was $2,470, which represents a 27% reduction compared to the preceding year. Group-IB analysts believe that this drop in average price is due to a rise in the number of new sellers entering the market that have lowered the price of their offers in order to attract buyers.
Companies in the United States (29%), the United Kingdom (4%) and Brazil (4%) were the most commonly featured in IAB offers. Professional services, government and military organizations, financial services, manufacturing, and real estate were the verticals that appeared most frequently.
APTitude test
Group-IB researchers discovered that the Asia-Pacific region was the world’s main battleground for nation-state sponsored threat actors, also known as advanced persistent threat (APT) groups last year. In sum, Group-IB attributed 523 attacks to nation-state actors across the globe in 2023.