KELA Cybercrime Intelligence Center

Ransomware groups continue to evolve and threaten organizations and companies around the world. While some gangs reduced their activity in Q2 2022 or shut down, new actors such as Black Basta emerged and continued extorting money from businesses. Alongside the ransomware attackers, other actors mimic their methods, stealing data and running data leak sites, without deploying any encrypting software in their attacks.

Ransomware and data leak site operators increasingly use the growing cybercrime ecosystem to ease the reconnaissance and initial compromise phases, relying on other cybercriminals, including Initial Access Brokers (IABs). These actors, who sell remote access to corporate networks, are an important link in the ransomware supply chain; monitoring network access suppliers therefore leads to a better understanding of the ransomware-as-a-service (RaaS) ecosystem.

The report is based on KELA’s monitoring of ransomware gangs and initial access brokers’ activity in Q2 2022.

German Automotive Sector Cybercrime Threats Landscape Report

Yael Kishon, Threat Intelligence Analyst

The automotive sector is considered to be the largest sector in Germany, generating over 411 billion euro in revenue. Germany is the largest automobile manufacturing country in Europe, producing 30% of all passenger cars in the EU in 2021. Automotive companies, their employees and their customers have frequently become targets of cybercriminals. One recent example is an info-stealing campaign that targeted customers of German companies, mainly car dealers, with phishing emails designed to infect the victims with info-stealing malware.
Another recent cyberattack, in March 2022, targeted a German subsidiary of Denso, a Japanese automotive supplier. The Pandora ransomware group announced that it had compromised the network and shared screenshots of purchase orders, automotive technical diagrams, and emails on its blog. The gang also claimed to have stolen 1.4 TB of data from the company. Following the attack, Denso apologized for any inconvenience caused and confirmed that the German network had been illegally accessed.
With more and more vehicles connected to the internet and relying on digital functions, major automotive companies are exposing cars to additional malicious activity and increasing the risk of cyberattacks.
The recent cyberattacks on the automotive industry in Germany drove KELA to investigate the exposure of the 15 largest German automotive manufacturers, suppliers, and dealers, shedding light on the cyber threats they faced from January 2021 to April 2022.

The Next Generation of Info Stealers

KELA Cyber Intelligence Center

In recent years, information-stealing Trojans have become a very popular attack vector. This type of malware harvests information saved on infected machines, including usernames and passwords; the harvested bundles (“logs”) are then sold on automated botnet marketplaces such as RussianMarket, TwoEasy, and Genesis, or privately. Once purchased by threat actors, these credentials pose a significant risk to an organization, as they allow actors to access various resources, which may result in data exfiltration, lateral movement, and malware deployment, including ransomware.

Some of the most popular info-stealers advertised on cybercrime forums and identified on these marketplaces are RedLine, Raccoon, and Vidar. While some of these commodity stealers remain relevant, KELA observed that the threat landscape has started to change. The Russia-Ukraine war, the info-stealer operators’ need to improve malware capabilities, and their financial motivation have resulted in new stealers and services becoming available.

This report focuses on the currently active information stealers, highlighting the evolution of the old stealers, as well as the debut of new ones.

How the Cybercrime Landscape has been Changed following the Russia-Ukraine War

Elena Koldobsky, Threat Intelligence Analyst

On February 24, 2022, Russian forces invaded Ukraine, following years of tension between the two countries. The prospect of war led multiple countries to speculate that Russia might use cyberattacks against Ukraine and the Western organizations and companies supporting it, with the US sending “top security officials” to help NATO prepare for Russian cyberattacks. Surprisingly, expectations of severe cyberattacks on Ukraine and Europe turned out to be overestimated: Russia refrained from large-scale attacks and instead used distributed denial-of-service and wiper attacks against Ukrainian governmental institutions, infrastructure and telecommunications companies, and others. To defend itself, Ukraine raised a volunteer “IT Army”, which, together with hacktivist organizations from across the world, is targeting Russian companies and organizations to this day.

The winds of change have not passed over the cybercrime underground. From new illicit services that have never been available before, through war-related discussions appearing on apolitical cybercrime forums, to a hacktivist group using a famous Russian ransomware gang’s source code to target Russian companies – the cybercrime landscape has altered beyond recognition.

This report reviews the various changes that occurred in the cybercrime underground following Russia’s invasion of Ukraine. It provides a unique window into the delicate geopolitics of cybercrime, demonstrating how real-life emergencies influence services and opportunities and generate new trends.


Yael Kishon, Threat Intelligence Analyst

In Q1 2022, ransomware gangs maintained their status as a major and central threat. They collaborated with various cybercriminals, such as initial access brokers (IABs), and conducted attacks against corporations worldwide.
The following insights are drawn from KELA’s monitoring of ransomware gangs and initial access brokers’ activity in Q1:

•The total number of ransomware victims (698) dropped by 40% in Q1 of 2022 compared to Q4 2021 (982), with LockBit replacing Conti as the most active gang since the beginning of the year. The number of attacks launched by the Conti gang dropped in January 2022 and increased following the leak of Conti’s internal data.

•The finance sector made it to the top five targeted sectors with 46 attacks. 40% of these attacks were associated with the LockBit gang.

•Ransomware gangs were seen using a relatively new intimidation method: announcing a victim on a leak site without naming it.

•The number of network access listings on sale slightly increased compared to Q4 2021. KELA traced over 521 offers for sale, with the cumulative price requested for all accesses surpassing $1.1 million, while in Q4 2021 KELA monitored 468 network accesses for sale.

•The average sales cycle for network access is 1.75 days.

KELA was able to identify more than 150 network access victims and then link some of them to ransomware attacks carried out by BlackByte, Quantum, and Alphv. The network accesses were most likely bought by ransomware affiliates.


Elena Koldobsky, Threat Intelligence Analyst

UK firms have recently been warned of possible Russian cyberattacks against Western countries, the UK included, placing a spotlight on the UK’s cyber security. Eastern European geopolitics is far from being the UK’s only cyber threat: various threat actors target the UK for multiple reasons, including its wealth and its importance to the world economy.

This research aims to shed light on the cyber threats targeting the UK’s financial sector, which, following the broader trend of moving banking and financial services online, exposes itself to cyberattacks. With the financial sector in the UK being the sector most likely to hold customers’ personal data, the state of its cyber security is of utmost importance. In addition, the research describes threats that UK companies faced during 2021 and early 2022 and provides information on advanced persistent threat (APT) groups that targeted the UK during 2021.

Beware. Ransomware. Top Trends of 2021

Executive Summary

In 2021, ransomware attacks continued to be one of the most prominent threats targeting businesses and organizations worldwide. High-profile attacks disrupted the operations of companies in various sectors, including critical infrastructure (Colonial Pipeline), food processing (JBS Foods), insurance (CNA) and many more. Following these attacks, law enforcement pressure on ransomware gangs intensified, yet the threat actors continued to evolve. They not only became more technologically sophisticated but also extensively leveraged the growing cybercrime ecosystem to find new partners, services and tools for their operations.

In this report, KELA provides insights into ransomware victims, recaps activity of ransomware groups in 2021 — both in terms of their attacks and presence on cybercrime forums — and shares exclusive findings about collaboration of ransomware actors with other cybercriminals.

Analysis of leaked Conti’s internal data

On February 27, 2022, in response to the Conti ransomware gang’s support of the Russian invasion of Ukraine, a suspected Ukrainian researcher leaked internal conversations of its members. KELA analyzed the leaks to understand the group’s evolution and TTPs, as well as its organizational structure.

Main findings:

  • Internal conversations show an evolution of a gang of ransomware attackers who at first were not a part of a specific ransomware group. They discussed Ryuk, Conti, and Maze as separate projects. Their activity eventually led to the formation of the modern Conti operation.
  • The group used various malware and tools. KELA found proof of Conti’s strong connection to Trickbot and Emotet, as well as BazarBackdoor, used for gaining initial access. The Diavol ransomware appears to be Conti’s side project. As for legitimate tools, Conti attempted to test products of VMware Carbon Black and Sophos.
  • Conti used services of Initial Access Brokers to gain initial access.
  • Conversations regarding almost 100 victims – about a half of which were not publicly disclosed on Conti’s blog – shed light on the attacks’ process, including multiple steps before and after the ransomware deployment.
  • The gang’s members expressed interest in attacking the US public sector.
  • Conti is highly organized and is divided into the following teams: hackers, coders, testers, reverse specialists, crypters, OSINT specialists, negotiators, IT support, HR.
  • KELA prepared descriptions of the top-15 actors based on the amount of their messages, as well as their connection maps.
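The last finding above is, mechanically, an aggregation over the leaked chat records: count messages per sender to rank actors, and count messages exchanged per pair of actors to draw a connection map. The Python below is an added example and not KELA’s tooling; it assumes the leak is in JSON-lines form with `from`, `to` and `body` fields (an assumption about the schema), and the handles and messages in `SAMPLE_LOG` are constructed for illustration.

```python
"""Rank actors in a leaked chat dump by message volume and build a connection map."""
import json
from collections import Counter, defaultdict

# Constructed sample. The one-JSON-object-per-line layout with "from"/"to"/"body"
# fields is an assumption about the leak format; handles are invented.
SAMPLE_LOG = """
{"ts": "2021-07-01T09:00:00", "from": "alice@example.onion", "to": "bob@example.onion", "body": "status?"}
{"ts": "2021-07-01T09:01:00", "from": "bob@example.onion", "to": "alice@example.onion", "body": "working on it"}
{"ts": "2021-07-01T09:05:00", "from": "alice@example.onion", "to": "bob@example.onion", "body": "ok"}
{"ts": "2021-07-01T10:00:00", "from": "alice@example.onion", "to": "carol@example.onion", "body": "need a build"}
{"ts": "2021-07-01T10:02:00", "from": "carol@example.onion", "to": "alice@example.onion", "body": "sending"}
{"ts": "2021-07-01T11:00:00", "from": "bob@example.onion", "to": "carol@example.onion", "body": "thanks"}
{"ts": "2021-07-01T12:00:00", "from": "dave@example.onion", "to": "bob@example.onion", "body": "ping"}
{"ts": "2021-07-01T13:00:00", "from": "alice@example.onion", "to": "bob@example.onion", "body": "done?"}
this line is not JSON and simulates a corrupted record in the dump
"""


def parse_messages(text):
    """Parse JSON-lines chat records, skipping blank, malformed or incomplete lines."""
    messages = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # corrupted record: skip rather than abort the whole analysis
        if "from" in record and "to" in record:
            messages.append(record)
    return messages


def handle(jid):
    """Reduce a Jabber-style address to its local part: 'alice@host/res' -> 'alice'."""
    return jid.split("@", 1)[0]


def top_actors(messages, n=15):
    """Actors ranked by number of messages sent, most active first."""
    counts = Counter(handle(m["from"]) for m in messages)
    return counts.most_common(n)


def connection_map(messages):
    """Undirected edge weights: messages exchanged between each pair of actors."""
    edges = Counter()
    for m in messages:
        a, b = handle(m["from"]), handle(m["to"])
        if a == b:
            continue  # notes-to-self are not a connection
        edges[tuple(sorted((a, b)))] += 1
    return edges


def neighbors(edges, actor):
    """Who a given actor talked to, ordered by message volume."""
    out = defaultdict(int)
    for (a, b), weight in edges.items():
        if a == actor:
            out[b] += weight
        elif b == actor:
            out[a] += weight
    return dict(sorted(out.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    msgs = parse_messages(SAMPLE_LOG)
    print("top actors:", top_actors(msgs))
    edges = connection_map(msgs)
    for actor, _ in top_actors(msgs):
        print(actor, "->", neighbors(edges, actor))
```

On a real dump the same two aggregations are the starting point for the per-actor profiles and connection maps mentioned above; ranking by message count alone over-weights chatty support roles, so the weights in `connection_map` are best read together with the message content.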

From Initial Access to Ransomware Attack – 5 Real Cases Showing the Path from Start to End

KELA Cyber Intelligence Center

Successful ransomware attacks are all alike: they start from unnoticed access to a company’s network. While some attackers obtain their access stealthily on their own, others use publicly available offerings on cybercrime forums and markets.
Some of these offerings come from Initial Access Brokers, who play a crucial role in the ransomware-as-a-service (RaaS) economy. These actors significantly facilitate network intrusions by selling remote access to a computer in a compromised organization (Initial Network Access), linking opportunistic campaigns with targeted attackers. Ransomware actors actively look for network access listings on cybercrime forums that match their ideal ransomware victim.

In this blog, KELA reveals several ransomware attacks that started with network access on sale and led to an attack within a month from the sale offer.

Season’s Stealings – The Dark Side of Holiday Shopping

Elena Koldobsky, Threat Intelligence Analyst

Offering holiday discounts to potential customers is a well-known marketing strategy: selling products, be it chocolate, clothes, or perfumes, at a reduced price to increase sales during the holiday season. Unsurprisingly, the unwritten laws of marketing have not skipped cybercrime communities. At this time of the year, threat actors get “cheerful” and post creative promotions, offering malware, botnets, and encryptors at a reduced price as a holiday sale.

For instance, on December 11, 2021, the threat actor “Grimxploit” posted a Christmas offer on the cybercrime forum RaidForums, an English-speaking forum focusing mostly on data breaches, promising a 20% discount on his products to all those who used the coupon code “CHRISTMASS20”. Among the products sold were his Grimxploit-branded crypter, worm, keylogger, and others, as well as a “remoded” version of the Anubis botnet.