Ransomware, Generative AI

Ransomware Crews Develop GenAI Tools for Cyberattacks

CEO: MOVEit customers ‘happy’ with company’s response to hack

Trellix, an extended detection and response (XDR) solution provider, said in a newly released report that it has uncovered “indicators of collaboration” between ransomware groups and nation-state backed operatives.

In its CyberThreat Report: November 2023, Trellix researchers also found evidence of ransomware groups adopting and using lesser-known programming languages for malware and cybercriminals developing Generative AI (GenAI) tools.

"As technology advances, so does cybercrime and understanding the changing landscape is vital for CISOs and SecOps teams to stay ahead of threats," said John Fokker, head of threat intelligence, Trellix Advanced Research Center. “Cybercriminals are becoming increasingly more agile, organized, and politically aligned. It is imperative defenders refer to threat intelligence to strengthen their security posture with limited resources."

Trellix Tracks Cybercrime Tactics

Trellix’s report also found:

  • Cybercriminals bypass protections to take advantage of commonly known tools and use GenAI to enhance phishing campaigns. The accelerating scale and speed of phishing attacks indicates malicious GenAI may already be in deployment today.
  • Nation-state threat activity spiked more than 50% in the last six months due to conflict escalation in Russia and Ukraine, intensified cyber activity in Israel just before and during the conflict, and disruptive attacks on Taiwan heading into their 2024 elections.
  • Global detections and industry-reported incidents reflect unusual variations in ransomware families, as well as countries and industries targeted, particularly in Q2. The Trellix Advanced Research Center also observed a splintering of large ransomware groups, with the introduction of smaller groups and more attacks focused on data exfiltration.
  • The last six months demonstrated an increase in threat actors actively collaborating on Dark Web forums. This spanned groups formally joining together (“The Five Families”), an escalation in selling/sharing of zero-day vulnerabilities, joint proof-of-concept (PoC) development efforts to accelerate exploitations, and more.
  • New programming languages are becoming popular malware choices, with Golang seeing high usage for ransomware (32%), backdoors (26%), and Trojan Horses (20%).

Data from the report are gleaned from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by its research team and open and closed-source intelligence. The report is based on telemetry related to detection of threats, when a file, URL, IP-address, suspicious email, network behavior, or other indicator is detected and reported by the Trellix XDR platform.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.