The surge in cyberattacks and hacktivist activity, driven by multiple regional conflicts and geopolitical events, has led to an increase in ransomware attacks and in the use of AI-driven tools by cybercriminals. According to research conducted by Trellix, the cybercriminal underground has evolved into a hub where malicious actors sell new AI-based tools for carrying out cybercrime.
The research highlights the growing complexity of the ransomware ecosystem, with threat actor groups adopting advanced tools embedded with AI technology to spread ransomware. The telemetry data from Trellix reveals that China-affiliated threat actor groups, particularly Mustang Panda, are significant sources of nation-state advanced persistent threat activities.
John Fokker, the Head of Threat Intelligence at Trellix Advanced Research Center, emphasized the importance of resilience planning for cybersecurity teams in light of the evolving tactics of cybercriminals. He mentioned that the increased use of generative AI by cybercriminals poses new challenges and urged the industry to monitor the transformative use of AI to strengthen defenses.
Despite several arrests and efforts by global law enforcement to dismantle infrastructure, ransomware groups have diversified and expanded their use of AI-powered tools to evade detection. The top five most active groups now account for less than 40% of all ransomware attacks, indicating that activity is less concentrated among the major actors than before. This dynamic nature of ransomware highlights the need for organizations and governments to continually update their strategies to counter evolving threats.
RansomHub emerged as the most active ransomware group, followed by LockBit, Play, Akira, and Medusa. The rise of smaller groups and the fluid nature of ransomware underscore the challenges faced by cybersecurity experts in combating these threats. Healthcare, education, and critical infrastructure sectors continue to be prime targets for ransomware attacks, with the US being the most targeted country, receiving 41% of all ransomware detections.
Trellix’s research also uncovered a thriving market for EDR evasion tools on the dark web, with ransomware groups like RansomHub using tools like EDRKillShifter to disable EDR capabilities before launching attacks. The sale of AI-based tools on the black market, such as the Radar Ransomware-as-a-Service program, further highlights the sophistication of cybercriminals in leveraging AI technology for criminal activities.
The study of industry cyber threat data revealed a rise in attacks from the North Korea-aligned group Kimsuky, with targeting distributed across critical sectors. Government, the financial sector, and the manufacturing industry were among the most targeted sectors, underscoring the need for enhanced cybersecurity measures across all industries.
In conclusion, the evolving landscape of cyber threats, fueled by regional conflicts and geopolitical events, requires a proactive and adaptive approach from cybersecurity professionals to mitigate the impact of ransomware attacks and cybercrime driven by AI technology. Vigilance, resilience planning, and continual monitoring of emerging threats are essential to strengthen defenses and protect against evolving cyber threats.