Just in time for a mug of pumpkin spice, Intel 471 brings you a tale of cyber horrors never so nice. With whispers and murmurs we eyeballed this quarter, we hope to shine a light on a dark cyber corner. Alas, October isn’t time to sleep for a defender, when marauding fraudsters trick and take treats but never surrender. They have tricks up their sleeves — popping locks with an endless supply of new CVEs. As the bone-chilling trends our researchers reveal, their one common parasitic trait is your data they steal. But if you buckle up and take a second to listen to these blood curdling tales of ransomware victims, you’ll have a much better chance of catching that one incy-wincy little bug… the one they could use to destroy your whole system.
10 Cyber Threat Trends to Make Your Hair Stand Up
In the third quarter of 2024, ransomware remained one of the most impactful threats to all sectors. Defenders were faced with a record number of vulnerabilities as nation-state actors, money-lusting cybercriminals, and hacktivists with an ax to grind continued to make their marks on the digital threat landscape. Here are the spooktacular cyber threat intelligence (CTI) statistics:
Intel 471 reported nearly 1,100 ransomware breach events in the third quarter of 2024, amounting to approximately 12 victims per day. The median ransom payment to the most parasitic gangs has increased from approximately $200,000 in early 2023 to $1.5 million in mid-2024, according to Chainalysis.
The top three countries most impacted by ransomware attacks were the U.S. (52.02%), Canada (6.11%) and the U.K. (4.52%). The number of ransomware victims claimed this quarter increased by about 16% compared to Q1 2024, with RansomHub Ransomware-as-a-Service (RaaS) emerging as the scariest of the villains — with Play, LockBit, Meow Team, Akira and Hunters International also serving up tricks.
Ransomware gangs may seem as hard to eliminate as the undead, but they’re not invincible. This quarter saw the powers-that-be cast legal sorcery and spells on key members of Evil Corp, a group that bedeviled banks for years with Dridex malware for PCs, before targeting enterprise systems with the initial access tool SocGholish and the LockBit RaaS. Thanks to Operation Cronos, LockBit is now a “ghost” of its former self. The UK’s National Crime Agency recently cuffed more key members behind LockBit and thanked Intel 471 for supporting its successful operation against both cybercriminal groups.
In Q3 2024, there were more ghoulish bugs than you could shake a broomstick at. The total number of Common Vulnerabilities and Exposures (CVEs) surged to 8,556, up year on year from 6,931. Defenders often don’t know which blood suckers to drive a stake through the heart of first, but they can use Intel 471 CTI and Attack Surface Protection to eliminate the ones that matter most to them.
Every day, Intel 471’s Vulnerability Intelligence team identifies vulnerabilities it assesses will likely be exploited, before attackers use them to break into systems. Organizations use this CTI to see when CVEs become weaponized or productized in widely available hacking frameworks, which makes them riskier and more important to remediate. The team’s selection was on the mark once again. In the third quarter of 2024, the team tracked around 150 vulnerabilities, of which 11% were productized, 51% were weaponized, and 19% had proof-of-concept (PoC) code available. Of the vulnerabilities in Q3, 28% were classified as high-risk and 42% as medium-risk. Like a zombie nightmare, the frightening reality is that there are simply too many vulnerabilities that haunt us at night.
And in a twist to the usual horror story, it was actually cybercriminals who were spooked this quarter after Telegram CEO Pavel Durov was arrested in France and emerged on bail to clarify that the company may hand over user IP addresses and phone numbers to authorities. Some criminals considered leaving Telegram for Session, Signal and other platforms. But an Intel 471 analysis of the secure messaging landscape found that, despite its apparent policy shift, Telegram remains no more risky than other platforms for actors with robust operational security (OpSec). Meanwhile, it still offers the same unmatched automation, reach, and customization that made it attractive for cybercriminals to distribute malware tools in the first place.
Initial access brokers (IABs) are thriving in the seedy underbelly of cybercrime forums. Intel 471 observed nearly 1,200 instances of IABs offering to sell compromised credentials and network access on underground marketplaces. While the majority of these offers were for wholesale access, we observed actors listing just over 200 offers for “specified access.” Both types of access are a threat, but specified access, which increased 15% on a quarterly basis, is a higher risk because the actor has provided evidence of access, the access rights obtained, and the parts of a network they can pivot to. Organizations in the U.S., U.K., and India were most impacted by access offers.
Over Q3, we collected nearly 14,500 unique malware payloads in the patented Intel 471 Malware Emulation and Tracking System (METS), which provides continuous surveillance of malicious command and control (C2) infrastructure to capture the commands that deliver payloads, plugins and modules to infected computers.
Of the payloads we collected in the quarter, 66.1% were loaders, 19.2% were infostealers, a key tool for credential theft, and 13.8% were malware installs.
Finally, loose-knit hacktivist groups continued causing problems, and in Q3 took aim at democratic processes. Recent activity by the pro-Russian group CyberArmyRussia suggested its affiliates are conducting operations in support of state-sponsored activity, allowing Russia to conduct cyber operations while maintaining plausible deniability. Intel 471’s 2024 Cyber Threat Report provides critical insight into evolving hacktivism and emerging adversary strategies, including a look at shifting alliances.
About Intel 471
Intel 471 makes the cyber landscape less scary for organizations of all sizes and at their various stages of maturity. Intel 471 empowers enterprises, government agencies, and other organizations to win the cybersecurity war with award-winning cyber threat intelligence, threat hunting, and attack surface protection solutions. Learn more at Intel471.com.