Trellix Advanced Research Center identifies LockBit as top perpetrator of ransomware attacks


A new report points to a rise in cyber threats from China, as well as attacks on critical infrastructure and online fraud through CEO phishing.

Chinese hackers attack critical infrastructure

Trellix, a pioneer in innovative XDR technologies and expert in cyber security, has released the latest threat report for the cyber space. The report, authored by the Trellix Advanced Research Center, documents the state of cyber security in the fourth quarter of 2022 and is based on telemetry data from the world’s largest network of endpoint security solutions, as well as data from open and closed source reports.

John Fokker, Head of Threat Intelligence at Trellix Advanced Research Center, suggests that the fourth quarter of 2022 has seen a new intensity in the use of attack vectors. State-sanctioned attacks and the use of criminal leak sites have increased dramatically due to grey area conflicts and hacktivism. Faced with an increasingly unstable business environment, companies need to use their limited security resources as effectively as possible.

Trellix’s new report provides an overview of various threats, such as ransomware and APT actors, and analyses risks associated with email attacks and the misuse of legitimate security tools. The key findings of the report are: an increasing threat of cyber-attacks and the need to take effective protective measures to guard against them; the importance of continuous monitoring and analysis of threat intelligence; and the need to increase security awareness and training for employees to minimise risks.

The LockBit 3.0 group is no longer the most active ransomware group, but is considered the most aggressive in extorting ransom payments. Although surpassed by Cuba and Hive in terms of activity in Q4 2022, the LockBit group still claims to have harmed the most victims. They use different methods, including already known vulnerabilities from 2018.

China is the leading state in state-sponsored attacks: The fourth quarter of 2022 saw the most activity from APT attackers associated with China, such as Mustang Panda and UNC4191. About 71 per cent of all detected attacks with a state background were carried out by these actors. North Korea, Russia and Iran follow in the other places. Public reports also confirm that these four countries are considered the primary source of APT attacks.

Cyberattacks have critical infrastructure as their main target

Critical infrastructure in the focus of cyber criminals: The various areas of critical infrastructure are particularly vulnerable to cyber attacks. In about 69 percent of the cases, the attacks by APT attackers originate from specific states. The transport and logistics sector as well as the energy, oil and gas industries were particularly targeted. Ransomware groups, on the other hand, specialised in the financial and healthcare sectors, while fake emails were used as a weapon primarily in the telecommunications industry, government agencies and the financial sector.

Compromise cases result from CEO mail forgeries

Fraudsters use fake CEO emails as a gateway for BEC attacks. Trellix finds that fake messages with common wording are used in 78% of cases, and that the number has increased by 64% compared to the previous year. Free email services make it easier for attackers to send.

The Trellix sensor network draws on a variety of sources

To detect state-sponsored and criminal cyber activity, the February 2023 Threat Report uses proprietary data from the Trellix sensor network, analytics from the Trellix Advanced Research Center, and information from open and closed source sources and threat actor leak websites. Evidence is provided by the telemetry-based detection and reporting of indicators such as files, URLs, IP addresses or suspicious emails by the Trellix XDR platform.

Leave A Reply