Blog

Ransomware and extortion attacks have been a growing concern for individuals and organizations alike in recent years. These types of attacks involve hackers gaining unauthorized access to a computer system or network and either holding the system hostage by encrypting the data until a ransom is paid, or threatening to release sensitive information unless a ransom is paid.

In addition to these types of attacks, particular attention was focused on the sale of network access on cybercrime sources, which can potentially be used by hackers to carry out ransomware and extortion attacks.

This report will provide an overview of the state of ransomware and extortion attacks and network access sales in 2022, as well as the evolution of trends and ways to prevent and mitigate these types of attacks.

Yael Kishon, Threat Intelligence Analyst

Threat actors are constantly looking for new monetization opportunities in the cybercrime ecosystem, trying to put their hands on sensitive corporate data and leverage that for their profit. Such compromised data on cybercrime forums can include databases, source code, internal documents, as well access to services such as corporate email credentials. Once credentials are obtained, unauthorized actors can view the content of organizational accounts, as well as send emails from the compromised accounts, which appear legitimate but contain phishing campaigns.

Threat actors now have new marketplaces and shops, which enable them to easily buy corporate email accounts for their attacks. KELA noticed that actors selling email access via these dedicated, automated shops offer hundreds of thousands of corporate email credentials for sale. In this analysis, KELA takes a closer look at the scope of shops such as Xleet, Odin, Xmina, and Lufix that are easing processes for cybercriminals. This report shows how actors could obtain access and monetize it through several attack vectors, which include phishing, BEC, and malware attacks.

Sarit Borochov, Threat Intelligence Analyst

The most prolific ransomware and data leak actors in Q3 were LockBit, Black Basta, Hive, Alphv (aka BlackCat) and BianLian, with the last one being a relatively new ransomware gang. In Q3 2022, the sector that was most targeted by ransomware attackers and data leak actors was professional services. LockBit, Alphv and Hive were responsible for 55% of the attacks in this sector.

The US is still the most targeted country, with 40% of ransomware and extortion attacks affecting US companies in Q3, followed by ransomware and data leak victims from companies in the UK, France, Germany and Spain. New data leak sites and ransomware blogs of the quarter included Yanluowang, BianLian, 0mega, Daixin Team, Donut Leaks.

In Q3 2022, KELA traced over 570 network access listings for sale, with a cumulative requested price of around USD 4 million. The average price for access was around USD 2800 and the median price — USD 1350. In Q3 actors offered more expensive listings since the total number of listings remained almost the same. On average, there were around 190 access listings in each month of Q3, slightly higher than in Q2.

Laura Weinberg, Threat Intelligence Analyst

The luxury sector is considered particularly dynamic in France due its traditions, manufacturing expertise and craftsmanship. With five French companies in the top 10 luxury brands for 2021, France is a world leader in the sector, with around 150 billion EUR in revenue for 2021.

Luxury companies’ clientele holds private data from typically wealthier individuals and potentially public figures, which makes these businesses even more attractive targets. Luxury brands provide a more tailored service to their clients, and as a result, the data they collect may be more detailed than that of other retailers. 

Employees’ data may also be compromised and could provide a foothold into a company’s internal system, giving attackers access to valuable internal data that they may want to exfiltrate and sell or use to extort the company.

Considering what is at stake, KELA decided to research cyber threats the French luxury sector faces, including sellers of counterfeits and refund methods targeting French luxury brands. In addition, KELA researched the sector’s threat landscape by focusing on the top 10 companies. Mentions of France’s top luxury brands were collected to evaluate the sector’s exposure to cyber threats concerning leaked credentials and compromised accounts based on the cybercrime underground sources that KELA monitors. The analysis focuses on 10 of France’s top luxury brands and groups, including global and local domains. Finally, KELA took a look at Initial Access Brokers and ransomware attackers targeting the sector.