Sophos 2023 Threat Report highlights Ransomware Remains One of the Greatest Cybercrime Threats to
Organizations
Sophos, a global leader in innovating and delivering next-generation cybersecurity as a service, today
published its 2023 Threat Report. The report details how the cyberthreat landscape has reached a new
level of commercialization and convenience for would-be attackers, with nearly all barriers to entry for
committing cybercrime removed through the expansion of cybercrime-as-a-service. The report also
addresses how ransomware remains one of the greatest cybercrime threats to organizations with
operators innovating their extortion tactics, as well as how demand for stolen credentials continues to
grow.
Criminal underground marketplaces like Genesis have long made it possible to buy malware and
malware deployment services (“malware-as-a-service”), as well as to sell stolen credentials and other
data in bulk. Over the last decade, with the increasing popularity of ransomware, an entire
“ ransomware-as-a-service ” economy sprung up. Now, in 2022, this “as-a-service” model has expanded,
and nearly every aspect of the cybercrime toolkit—from initial infection to ways to avoid detection—is
available for purchase.
“This isn’t just the usual fare, such as malware, scamming and phishing kits for sale,” said Sean
Gallagher, principal threat researcher, Sophos. “Higher rung cybercriminals are now selling tools and
capabilities that once were solely in the hands of some of the most sophisticated attackers as services to
other actors. For example, this past year, we saw advertisements for OPSEC-as-a-service where the
sellers offered to help attackers hide Cobalt Strike infections, and we saw scanning-a-service, which
gives buyers access to legitimate commercial tools like Metasploit, so that they can find and then exploit
vulnerabilities. The commoditization of nearly every component of cybercrime is impacting the threat
landscape and opening up opportunities for any type of attacker with any type of skill level.”
With the expansion of the “as-a-service” economy, underground cybercriminal marketplaces are also
becoming increasingly commodified and are operating like mainstream businesses. Cybercrime sellers
are not just advertising their services but are also listing job offers to recruit attackers with distinct skills.
Some marketplaces now have dedicated help-wanted pages and recruiting staff, while job seekers are
posting summaries of their skills and qualifications.
“Early ransomware operators were rather limited in how much they could do because their operations
were centralized; group members were carrying out every aspect of an attack. But as ransomware
became hugely profitable, they looked for ways to scale their productions. So, they began outsourcing
parts of their operations, creating an entire infrastructure to support ransomware. Now, other
cybercriminals have taken a cue from the success of this infrastructure and are following suit,” said
Gallagher.
Indeed, as the cybercrime infrastructure has expanded, ransomware has remained highly popular—and
highly profitable. Over the past year, ransomware operators have worked on expanding their potential
attack service by targeting platforms other than Windows while also adopting new languages like Rust
and Go to avoid detection. Some groups, most notably Lockbit 3.0, have been diversifying their
operations and creating more “innovative” ways to extort victims.
The evolving economics of the underground has not only incentivized the growth of ransomware and
the “as-a-service” industry, but also increased the demand for credential theft. With the expansion of
web services, various types of credentials, especially cookies, can be used in numerous ways to gain a
deeper foothold in networks, even bypassing MFA. Credential theft also remains one of the easiest ways
for novice criminals to gain access to underground marketplaces and begin their “career.”
Sophos also analyzed the following trends:
The war in Ukraine had global repercussions for the cyberthreat landscape. Immediately
following the invasion, there was an explosion of financially motivated scams, while nationalism
led to a shake-up of criminal alliances between Ukrainians and Russians, particularly among
ransomware affiliates
Criminals continue to exploit legitimate executables and utilize “living off the land binaries”
(LOLBins) to launch various types of attacks, including ransomware. In some cases, attackers
deploy legitimate but vulnerable system drivers in “bring your own driver” attacks to attempt to
shut down endpoint detection and response products to evade detection.
Mobile devices are now at the center of new types of cybercrimes. Not only are attackers still
using fake applications to deliver malware injectors, spyware and banking-associated malware,
but newer forms of cyberfraud have been growing in popularity, such as “pig butchering”
schemes. And this crime is no longer just affecting Android users, but iOS users as well.
The devaluation of Monero, one of the most popular cryptocurrencies for cryptominers, led to a
decrease in one of the oldest and most popular types of cryptocrime—cryptomining. But mining
malware continues to spread through automated “bots” on both Windows and Linux systems.