SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
Story image

Trellix report reveals evolving ransomware ecosystem trends

Today

Trellix has released its latest CyberThreat Report, highlighting a developing ransomware ecosystem shaped by law enforcement actions, advancements in artificial intelligence, and a fragile geopolitical environment.

One of the primary findings from the report is the diversification of ransomware groups, with the top five most active groups causing less than 40% of all attacks. RansomHub has emerged as the most active group, representing 13% of Trellix's detections. "The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape," explained John Fokker, Head of Threat Intelligence at the Trellix Advanced Research Center.

The market for endpoint detection and response (EDR) evasion tools on the dark web is thriving. These tools are designed to skirt around the detection mechanisms that many organisations depend on. The report notes that RansomHub has adopted a tool known as EDRKillShifter, which disables EDR capabilities, enabling the group to carry out their attacks.

Trellix's research highlights the sale of new AI-based tools on the black market. An instance of this is a tool offered for USD $1,000 on an underground forum, that can collate and analyse vulnerabilities. Additionally, the Radar Ransomware-as-a-Service programme is noted for its concealment of AI use and its attempts to recruit forum users to join its affiliate network.

The report identifies healthcare, education, and critical infrastructure sectors as prime targets for ransomware, with continued focus on developed economies. The United States was the target of 41% of all Trellix ransomware detections, with the next most targeted country, the United Kingdom, experiencing attacks at a much lower rate.

Regarding nation-state threats, China-affiliated groups continue to be significant actors, with Mustang Panda accounting for over 12% of detected advanced persistent threat (APT) activities. The report also points to North Korea-aligned group Kimsuky, which has doubled the activity of other APT groups, as another rising threat.

The findings are underpinned by proprietary data from Trellix's sensor network and involve investigations into both nation-state and cybercriminal activity. John Fokker stressed the importance of resilience planning for cybersecurity teams in light of these developments. He stated: "We've seen significant events, including state-sponsored attacks on critical infrastructure, the growth of AI-driven ransomware, and the rise of hacktivism tied to global conflict. The increased use of generative AI by cybercriminals has also posed new challenges. The industry must continue monitoring for transformative use of AI by cybercriminals to strengthen defences."

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X