Trends in Security Information
The HSD Trendmonitor is designed to provide access to relevant content on various subjects in the safety and security domain, to identify relevant developments and to connect knowledge and organisations. The safety and security domain encompasses a vast number of subjects. Four relevant taxonomies (type of threat or opportunity, victim, source of threat and domain of application) have been constructed in order to visualize all of these subjects. The taxonomies and related category descriptions have been carefully composed according to other taxonomies, European and international standards and our own expertise.
In order to identify safety and security related trends, relevant reports and HSD news articles are continuously scanned, analysed and classified by hand according to the four taxonomies. This results in a wide array of observations, which we call ‘Trend Snippets’. Multiple Trend Snippets combined can provide insights into safety and security trends. The size of the circles shows the relative weight of the topic, and the filters can be used to further select the most relevant content for you. If you have an addition, question or remark, drop us a line at info@securitydelta.nl.
Developments in cyber-dependent crimes
During the last 12 months, a number of developments pertaining to the dominant threats within the cyber-dependent crime threat landscape have emerged. Malware operators, especially those associated with ransomware affiliate programs, have improved their attack modi operandi and their malware functionalities. Mobile banking trojans have made a break-through thanks to the increasing number of users preferring to conduct their financial activities via mobile devices. Criminals also seem to have realised the increased impact that DDoS attacks have on their targets’ systems if there is a lack of physical alternatives, which has brought about a re-emergence of financially motivated DDoS attacks.
2.1 Ransomware continues to dominate and proliferate
Attackers focus on high-value targets
The use of traditional mass-distributed ransomware seems to be in decline and perpetrators are moving towards human-operated ransomware targeted at private companies, the healthcare and education sectors, critical infrastructure and governmental institutions. The shift in the attack paradigm indicates that ransomware operators choose their targets based on their financial capability to comply with higher ransom demands and their need to be able to resume their operations as quickly as possible. Some ransomware affiliate programs have started changing their policies to restrict their partners from attacking certain targets.
Increase in opportunities and sophistication
Ransomware attacks have become more sophisticated as criminals spend more time inside the network researching the target and escalating their privileges in order to further compromise the infrastructure and get their hands on more data. Criminals use tools like Metasploit, Cobalt Strike and Mimikatz in their post-exploitation framework for lateral movement inside the network. Additionally, threat actors have started utilising fileless malware (using a system’s native tools to execute a cyber-attack) more extensively to avoid common detection methods that scan for malicious file attachments or the creation of new files.
Extra layers of extortion added
European law enforcement agencies and Europol have identified several new extortion methods that cybercriminals use to pressure their victims.
Ransomware crews have started using Voice over Internet Protocol (VoIP) services to call journalists, the organisation’s clients and business partners for further coercion. In some cases, ransomware operators also threaten their victims with DDoS attacks and the publication of their employees’ personal information if they do not comply with the ransom demand.
Rise of the ransomware affiliate programs
All the extra time and effort put into ransomware attacks for a bigger pay-out is enabled by the continuous development and specialisation of the criminal services ecosystem (Crime-as-a-Service model). Over the past year, a rise was identified in ransomware affiliate programs, whether sold publicly to a wide range of potential users or offered privately to a smaller group of hackers. Cause for concern comes from the rise of private affiliate programs that are usually operated by better-known criminal ransomware groups, such as Conti, DarkSide, Sodinokibi/REvil, NetWalker and Babuk. These threat actors are seeking out developers and hackers to improve the functionality of the malware or gain access to high-value targets’ infrastructure.
Ransomware crews are also collaborating with other malware developers. One such example is how perpetrators used EMOTET to deliver ransomware payloads to target networks. These trends are indicative of the fact that ransomware attacks will continue to evolve and increase in magnitude.
2.2 Mobile malware threat becomes reality
Mobile banking trojans improved
The Android banking trojan threat landscape now includes new tactics and techniques for stealing credentials. A number of mobile banking malware families have implemented new on-device capabilities to commit fraud by manipulating the banking apps on the user’s device using the Automated Transfer System (ATS) modules powered by the Android Accessibility Service. Banking trojans like Cerberus and TeaBot are also capable of intercepting text messages containing one-time passcodes (OTPs) sent by financial institutions and two-factor authentication (2FA) applications such as Google Authenticator.
FluBot is spreading rapidly
FluBot is currently one of the most prolific mobile banking trojans wreaking havoc in Europe and the United States. A key part of the malware’s functionality is its ability to install display overlays for Google Play verification and various banking apps, which enables the theft of victims’ credentials (banking, credit card and crypto wallet). FluBot uses a domain generation algorithm (DGA) to connect to its C2 server, generating a list of domains to try until it finds one it can reach. FluBot spreads through self-propagation by sending phishing text messages from the infected device to its contact list.
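The DGA behaviour described above leaves a recognisable trace on a network's DNS resolver: one client querying a burst of random-looking names, most of which do not resolve, until one succeeds. The following added example (not from the report or the Trendmonitor page) scores constructed resolver log lines on that pattern; the log format, the client addresses and the thresholds are assumptions, and the query names are made up rather than taken from any real DGA.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines (not real traffic): "<timestamp> <client> <qname> <rcode>".
# Client 10.0.0.5 shows the DGA pattern: many NXDOMAINs for random names, then one success.
DNS_LOG = """\
2021-06-01T10:00:01 10.0.0.5 mail.example.com NOERROR
2021-06-01T10:00:02 10.0.0.5 ajkxqzpvtlmwvo.com NXDOMAIN
2021-06-01T10:00:02 10.0.0.5 qpwlvmzxtbkrhy.com NXDOMAIN
2021-06-01T10:00:03 10.0.0.5 zmkvplqwtxbrcy.com NXDOMAIN
2021-06-01T10:00:03 10.0.0.5 xkqwvbtpzlmrcy.com NXDOMAIN
2021-06-01T10:00:04 10.0.0.5 vbzxqplkwtmrcy.com NXDOMAIN
2021-06-01T10:00:04 10.0.0.5 tqkzvlpbwxmrcy.com NOERROR
2021-06-01T10:00:05 10.0.0.7 www.example.org NOERROR
2021-06-01T10:00:06 10.0.0.7 cdn.example.org NOERROR
2021-06-01T10:00:07 10.0.0.7 typo-ofsite.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def entropy(s):
    """Shannon entropy of a string in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def sld(qname):
    """Second-level label, e.g. 'ajkxqzpvtlmwvo' for 'ajkxqzpvtlmwvo.com'."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def vowel_ratio(label):
    return sum(ch in "aeiou" for ch in label) / len(label)

def looks_random(label):
    """Heuristic for algorithmically generated labels: long, high entropy, few vowels.
    Thresholds are assumptions chosen for this example, not published FluBot values."""
    return len(label) >= 10 and entropy(label) >= 3.0 and vowel_ratio(label) < 0.3

def find_dga_suspects(log_text, min_random_nx=3):
    """Map each client to its distinct random-looking NXDOMAIN names, keeping only
    clients with at least min_random_nx such names (the DGA 'try until one works' burst)."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN" and looks_random(sld(qname)):
            per_client[client].add(qname)
    return {c: sorted(names) for c, names in per_client.items() if len(names) >= min_random_nx}
```

In production the same logic would run over a sliding time window and against an allowlist of known CDN and telemetry domains, which also produce long labels; the successful query that ends the burst is the resolved C2 name worth blocking.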
2.3 Monetarily incentivised DDoS attacks re-emerge
Law enforcement and private partners are reporting a re-emergence of DDoS attacks accompanied by ransom demands, as well as an increase in high-volume attacks compared to the previous year. Cybercriminals have been targeting internet service providers (ISPs), financial institutions, and small and medium-sized businesses (SMBs).