Dubai — Group-IB, a global cybersecurity leader specializing in the investigation and prevention of cybercrimes, has today published its new report Hi-Tech Crime Trends 2022/2023, the latest edition of the company’s annual round-up of the most pertinent global cyber threats. In the report, Group-IB Threat Intelligence analysts reveal how ransomware operations remained the top cyber threat to companies and organizations across the world between H2 2021 and H1 2022, not least in the Middle East and Africa (MEA). According to Group-IB’s research, the number of companies that had their information uploaded onto dedicated leak sites (DLS) between H2 2021 and H1 2022 was up 22% year-on-year to 2,886, which corresponds to eight companies having their data leaked online every single day. In the MEA region, 150 companies had their information leaked on DLS during the reporting period. 

In the GCC region in particular, 42 companies had their data, files, or information published on DLS following ransomware attacks. Of these, organizations in the UAE (33%) and Saudi Arabia (29%) experienced the majority of attacks, followed by other Gulf countries: Kuwait (21%), Qatar (10%), Oman (5%), and Bahrain (2%). In terms of industries, the energy, telecoms, IT and manufacturing sectors were frequently targeted.

For the second consecutive year, Group-IB researchers observed the increasing impact of initial access brokers (IABs) on the ransomware market in MEA and beyond. Group-IB researchers detected 2,348 instances of corporate access being sold on dark web forums or privately by IABs, twice as many as in the preceding period. The number of brokers also grew from 262 to 380, leading to a drop in prices that made attacks by ransomware gangs and other threat actors more affordable. In the MEA region, the number of network access offers more than doubled to 179 in H2 2021 – H1 2022, resulting in a 23% drop in the total price of offers.

For the 11th consecutive year, the Hi-Tech Crime Trends report analyzes the various aspects of the cybercriminal industry’s operations, examines attacks, and provides forecasts for the threat landscape for various sectors such as the financial industry, telecommunications, manufacturing and energy. Each year, Group-IB presents a comprehensive overview of the global threat landscape and our researchers share their predictions for what lies ahead. Group-IB’s hands-on experience in investigating cybercrime as well as its innovative suite of products and services help to describe all underground trends and activities that are worth watching and even make long-term predictions that help cybersecurity teams around the world to tailor their cyber defense. 

A devil’s ransom

Across the globe, 2,886 companies had their information, files, and data published on DLS in H2 2021 – H1 2022, a 22% increase compared to the 2,371 companies affected during the previous period (H2 2020 – H1 2021). As with the preceding year, the number of ransomware-related data leaks peaked in the final quarter of 2021, when the data of 881 companies was shared on dedicated leak sites. It is important to note that the actual number of ransomware attacks is believed to be significantly higher as many victims chose to pay the ransom and some ransomware gangs do not use DLS. 
Figure 1: Number of global ransomware-related data leaks per quarter

“It is worth noting that the number of victims whose data was published in the wake of ransomware attacks in H2 2020 – H1 2021 was 935% up from the preceding year. As a result, the 22% year-on-year growth seen in the observed period suggests that the Ransomware-as-a-Service market has passed the phase of rapid growth and is now beginning to stabilize,” says Dmitry Volkov, CEO at Group-IB.

Group-IB discovered that companies based in North America (50% of companies whose data was leaked by ransomware gangs) were the most affected by ransomware-related data leaks. Comparatively, the MEA region was the second-least affected by ransomware-related data leaks, as 150 companies from the region had their data published online. Only 5.3% of the leaks on DLS contained data from countries in this region. The most affected countries were Israel (23 companies), South Africa (21), Turkey (14), United Arab Emirates (14), and Saudi Arabia (12). The most active ransomware gang in the MEA market was Lockbit, responsible for 37% of publications of victims’ data from the region on dedicated leak sites. Second on this list, responsible for 12% of leaks, was Conti, a Russian-speaking ransomware group that launched the devastating ARMattack campaign at the end of 2021, and third was Hive (4% of leaks).

Group-IB’s analysis of the threat posed by ransomware gangs also revealed that globally, the largest number of ransomware-related data leak victims were found in the following sectors: manufacturing (295 companies), real estate (291), professional services (226), and transportation industries (224). In the MEA region, 18 financial services companies, 12 manufacturing companies, 7 energy companies, 3 telecommunications companies, and 3 IT companies had their files published on DLS by cybercriminals.

In the reporting period, the number of ransomware attacks on companies in the manufacturing sector worldwide increased by 19% compared to the previous period (H2 2020-H1 2021) to 295. Similar increases were observed in the energy industry (up 43% to 80), financial organizations (up 43% to 181), and the IT sector (up 18% to 120). Interestingly, attacks on telecommunications companies dropped 15% year-on-year to 29.

“Ransomware is likely to remain the major threat for business and governments across the globe in 2023,” says Dmitry Volkov, CEO at Group-IB. “Ransomware gangs have been able to craft a stable market for their criminal enterprises, and the ransom demands issued to companies once they have been attacked are continuing to rise rapidly. Many of the most prominent ransomware gangs have turned into criminal start-ups. They have a rigid hierarchy and bonuses for overachievement. While the growth trends might slow down, it is likely that the ransomware market could consolidate further, continuing a trend seen in H2 2021 – H1 2022.”

InsatIABle appetite

During the period from H2 2021 to H1 2022, Group-IB’s Threat Intelligence unit analyzed underground advertisements describing compromised networks and detected 2,348 instances of corporate access being offered for sale, twice as many as during the previous period (1,099 access offers). Among these, 2,111 offers contained information about the country, and 1,532 specified the victim’s industry.

Initial access brokers have significantly expanded their presence worldwide. The number of countries where they broke into corporate networks increased by 41%: from 68 to 96 during H2 2021 – H1 2022. Just like last year, US-based companies were the most popular commodity among the initial access brokers, with almost a quarter of all discovered access offers related to US companies (558). Similarly to last year, the industries most affected by IABs were manufacturing (5.8% of all companies), financial services (5.1%), real estate (4.6%), and education (4.2%). 

“Initial access brokers play the role of oil producers for the whole underground economy,” says Dmitry Volkov. “They fuel and facilitate the operations of other criminals, such as ransomware and nation-state adversaries. As access sales continue to grow and diversify, IABs are one of the top threats to watch in 2023. Private and public companies in the MEA region should consider setting up a threat intelligence program to monitor for compromised credentials of their workforce.”

Figure 2: IAB market size & offers in MEA (H2 2021 – H1 2022)

In the MEA region, UAE companies remained the most sought-after assets (26.3% of all network access offers in the region detected between the second half of 2021 and the first half of 2022), followed by Turkey (19.6%), Pakistan (6.7%), Egypt (5.6%), South Africa (5%), Iran (4.5%), Saudi Arabia (4.5%), Israel (3.4%), Kenya (2.8%), and Algeria (2.2%).  

In line with the global trend, the total cost of offers of access to MEA companies’ networks traded on underground markets decreased by 23% to $281,470. The reduction is due to the major increase in supply: the number of MEA-related network access offers more than doubled from 88 in H2 2020-H1 2021 to 179 this past year. This explains the growing number of ransomware incidents in the region. Group-IB underlined that companies should focus less on universal protection systems and more on understanding who is behind the attacks, using technologies based on cyber investigations, research, and incident response operations in their region.

Stealing the limelight

One of the most notable changes to the global threat landscape is the increasing popularity of logs obtained with the use of information stealers, malware that gathers personal details from the user’s browser metadata. These stealers can obtain credentials, bank cards, cookies, browser fingerprints, etc. Group-IB found that between July 1, 2021 and June 30, 2022, over 96 million logs were offered for sale. Most of the compromised data came from US users (80%), with the UK (5.4%), India (4.6%), Indonesia (2.4%), and Brazil (2.0%) trailing behind.

Group-IB experts discovered over 400,000 Single Sign-On logs among these 96 million logs. SSO is a widely used corporate authentication method that uses a single pair of credentials to access multiple services, which makes SSO credentials highly sought after by cybercriminals, as they allow access to several systems at a time with little effort. As discovered by Group-IB researchers, the threat actor behind the recent attack on Uber purchased stealer logs on one of the underground marketplaces for $20. These logs contained SSO credentials of at least two Uber employees.

“It is quite concerning what a cybercriminal with $20 and modest technical skills is capable of these days,” says Dmitry Volkov, CEO at Group-IB. “With remote work and SSO services becoming more prevalent, instances of access to corporate networks started appearing in stealer logs more often. Attacks on companies through their employees will become one of the main infection vectors. A silver bullet against such attacks doesn’t exist. This trend highlights the need for companies to improve their cybersecurity across all layers, including training employees to respond to social engineering, enhancing detection and response capabilities, and of course, monitoring the cybercriminal underground for compromised employee records and offers to sell access to their networks.”


About Hi-Tech Crime Trends report

Group-IB has been presenting its annual reports since 2012, integrating data gathered as a result of the company's own investigations with incident response findings worldwide. Serving as a practical guide for a wide range of experts (in risk management, digital business transformation, strategic planning in the cybersecurity field and investing in information system protection), the report provides annual forecasts that have always proved to be accurate. For technical specialists, including CISOs, SOC and DFIR teams, researchers and malware analysts, as well as Threat Hunting experts, Group-IB’s report provides an opportunity to analyze the relevance of cybersecurity policies, adjust security settings for their systems and strengthen their expertise in countering cyberthreats relevant to their industry. Thanks to the use of unique tools for tracking the infrastructure of cybercriminals, as well as a thorough study of research by various cybersecurity teams worldwide, Group-IB experts annually identify and confirm common patterns that form a full picture of the development of cyberthreats in the world. This forms the basis of future forecasts set out in the report that help companies around the world build effective cybersecurity strategies based on relevant threats.

About Group-IB

Group-IB, with its headquarters in Singapore, is one of the leading solutions providers dedicated to detecting and preventing cyberattacks, investigating high-tech crimes, identifying online fraud, and protecting intellectual property. The company’s Threat Intelligence and Research Centers are located in the Middle East (Dubai), Asia-Pacific (Singapore), and Europe (Amsterdam). 

Group-IB’s Unified Risk Platform is an ecosystem of solutions that understands each organization’s threat profile and tailors defenses against them in real time from a single interface. The Unified Risk Platform provides complete coverage of the cyber response chain. Group-IB’s products and services consolidated in Group-IB’s Unified Risk Platform include Group-IB’s Threat Intelligence, Managed XDR, Digital Risk Protection, Fraud Protection, Attack Surface Management, Business Email Protection, Audit & Consulting, Education & Training, Digital Forensics & Incident Response, Managed Detection & Response, and Cyber Investigations. Group-IB’s Threat Intelligence system has been named one of the best in its class by Gartner, Forrester, and IDC. Group-IB’s Managed XDR, intended for proactively searching for and protecting against complex and previously unknown cyber threats, has been recognized as one of the market leaders in the Network Detection and Response category by KuppingerCole Analysts AG, the leading European analyst agency, while Group-IB itself has been recognized as a Product Leader and an Innovation Leader. Gartner has named Group-IB a Representative Vendor in Online Fraud Detection for its Fraud Protection. In addition, Group-IB was granted Frost & Sullivan’s Innovation Excellence award for Digital Risk Protection (DRP), an AI-driven platform for identifying and mitigating digital risks and counteracting brand impersonation attacks, with the company’s patented technologies at its core. Group-IB’s technological leadership and R&D capabilities are built on the company’s 19 years of hands-on experience in cybercrime investigations worldwide and over 70,000 hours of cybersecurity incident response accumulated in our leading DFIR Laboratory, High-Tech Crime Investigations Department, and round-the-clock CERT-GIB.

Group-IB is an active partner in global investigations led by international law enforcement organizations such as Europol and INTERPOL. Group-IB is also a member of the Europol European Cybercrime Centre’s (EC3) Advisory Group on Internet Security, which was created to foster closer cooperation between Europol and its leading non-law enforcement partners.

Group-IB's experience in threat hunting and cyber intelligence has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyberattacks. Group-IB's mission is to protect its clients in cyberspace every day by creating and leveraging innovative solutions and services.
