Cybercriminals are getting greedier. According to Google subsidiary Mandiant’s M-Trends 2024 Special Report, the proportion of financially motivated intrusions grew from more than a quarter of all investigations (26 percent) in 2022 to over a third (36 percent) in 2023.
Ransomware-related intrusions represented almost two-thirds of financially motivated intrusions and 23 percent of all 2023 intrusions; the remaining financially motivated intrusions included business email compromise (BEC) fraud and cryptocurrency theft. In 70 percent of cases, organizations learned of ransomware-related intrusions from external sources. In three-quarters of those cases, organizations were notified of a ransomware incident by an attacker ransom message. The remaining quarter came from external partners, such as law enforcement or cybersecurity companies.
“This is consistent with the extortion business model in which attackers intentionally and abruptly notify organizations of a ransomware intrusion and demand payment,” says Mandiant.
Mandiant observes that this upward trend in ransomware and other extortion-related investigations in 2023 is consistent with a reported marked increase in extortion revenue estimates from data leak sites (DLS), where the stolen data of companies that refuse to pay a ransom is published.
Attackers are focusing on evasion
A key theme of M-Trends 2024 is that attackers are focusing more on evasion. Their approach is to avoid detection technologies such as endpoint detection and response (EDR) and to maintain persistence on networks for as long as possible. They target edge devices, leverage “living off the land” and other techniques, or exploit temporarily unpatched zero-day vulnerabilities in security and other solutions that are prevalent throughout most enterprises.
But despite the attackers’ efforts to evade detection, defenders are getting better at identifying data compromises. Even allowing for the speed of ransomware notifications, the average “dwell time” between a breach occurring and its identification by the target organization fell to 10 days, from 16 days the previous year.
In 2023, Mandiant also named a new threat group: APT43, a prolific cyber operator that supports the interests of the North Korean government. The group uses aggressive social engineering tactics, especially against South Korean and US government organizations, academics, and think tanks focused on geopolitical issues surrounding the Korean Peninsula. It creates numerous fraudulent personas for use in social engineering, as well as cover identities for purchasing operational tooling and infrastructure. Mandiant believes that the group funds itself through cybercrime operations in support of its primary mission of collecting strategic intelligence.