Malware – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations

Some thoughts on Cybersixgill’s State of the Underground 2024 report
https://ostermanresearch.com/2024/04/29/cybersixgill-2024/
Mon, 29 Apr 2024 04:35:05 +0000

We had a briefing with Cybersixgill earlier this month to talk threat intelligence, disruption, leveraging generative AI in threat intelligence, supporting SOC analysts with AI-infused analysis, and more. Cybersixgill collects and analyzes 10 million threat signals each day for its threat intelligence service.

Cybersixgill released its annual State of the Underground report in February (read the press release for the summary and register for the full details in the report). The report itself is 52 pages in length, and covers threat actor trends across six areas, e.g., compromised credit cards, messaging platform usage, initial access.

Here are our key takeaways:

  • Compromised credit cards less of a problem
    The market for compromised credit cards has collapsed over the past 5 years, from 140 million cards in 2019 to 12 million in 2023. Improved fraud detection and prevention is a key contributor to this change.
  • Less activity on underground forums and messaging apps
    Threat actors are making less use of underground forums and messaging apps, e.g., Telegram. However, much of this is due to significantly less activity by right-wing extremist groups and the disbandment of popular forums.
  • Vulnerabilities need to be paired with likelihood of exploit to be meaningful in defensive strategies
    There were 7 CVEs introduced in 2023 that scored the highest marks for likelihood of being exploited within the next 90 days. MOVEit Transfer was in first place. In the top 10, half were for Microsoft products.
  • Stealer malware continues to get worse
    Stealer malware grew in popularity in 2023, with 617 new types of malware (including stealers) mentioned on underground forums. Raccoon Stealer had >50% market share in 2023.
  • Availability of compromised endpoints for sale increased, too
    The number of compromised endpoints increased (almost doubled, actually), which is problematic since they can be used for data theft, lateral movement, botnet recruitment, and more.
  • Ransomware attack volumes were down, but ransom payouts up significantly
    Fewer attacks (by around 10%) combined with significantly higher ransom payouts (almost doubled) means ransomware continues to be a significant threat. While the likelihood of being targeted went down, for those that are targeted and compromised, costs are much higher.

Thanks to Cybersixgill for assembling such a good resource.

Nastiest malware 2023
https://ostermanresearch.com/2023/10/30/nastiest-malware-2023/
Mon, 30 Oct 2023 07:54:25 +0000

OpenText Cybersecurity published the 2023 version of its Nastiest Malware report (sixth year). There’s a press release and a report.

Key findings:

  • Ransomware (as a category of malware) tops the nastiest list in 2023, driven by ransomware-as-a-service (RaaS) business models. This aligns with our 2022 report on ransomware, in which we profiled the growing prevalence of RaaS as driving increases in ransomware attackers, attacks, and variants. In 2023, Cl0p has been particularly active.
  • Double / triple extortion designs are highly devastating to organizations, because even if there is a backup to restore data, the threat of the ransomware gang publishing stolen data forces many organizations to pay the ransom.
  • The press release says that “only 34% of businesses pay ransom, an all-time low.” In light of the double / triple extortion comment above, we had to think this one through. For it to be so low, the 71% of organizations that are not paying the ransom must do two things very well – firstly, have data backups to enable rapid and error-free restoration, and secondly, use strong data protection methods such as encryption so that any exfiltrated data is unreadable and won’t trigger “crisis communications and data compliance fines” (see the report for that line). With the way ransomware is going, organizations not doing both are asking for trouble.
  • The average ransom payment, when one is made, skyrocketed to $740K (in Q2 2023). In late 2021, the average was $167K. That’s a big change, and one that OpenText attributes to the wild success of Cl0p’s exploitation of customers using MOVEit Transfer.