Trellix Reveals Growing AI Use in Ransomware Ecosystem

Trellix, the company delivering cybersecurity’s broadest AI-powered platform, released The CyberThreat Report: November 2024, its latest research from the Trellix Advanced Research Center. The report provides insight into the regions and industries at risk, the evolving methods used by adversarial actors, and offers recommendations for CISOs and security operations teams tasked with protecting their organization.

Cyber Technology Insights:  Deep Instinct Boosts Zero-Day Security for Amazon S3

“The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape. Resilience planning has never been more important for cybersecurity teams”

The research examines an increasingly complex ransomware ecosystem where groups have adopted advanced tools with embedded AI to spread ransomware. Further findings include the accelerated use of endpoint detection and response (EDR) evasion, password spray, infostealer, and backdoor tools and techniques to execute attacks. Trellix telemetry reveals China-affiliated threat actor groups remain a prevalent source of nation-state advanced persistent threat (APT) activities, with Mustang Panda generating more than 12% of detected APT activity alone.

“The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape. Resilience planning has never been more important for cybersecurity teams,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “We’ve seen significant events, including state-sponsored attacks on critical infrastructure, the growth of AI-driven ransomware, and the rise of hacktivism tied to global conflict. The increased use of generative AI by cybercriminals has also posed new challenges. The industry must continue monitoring for transformative use of AI by cybercriminals to strengthen defenses.”

An evolving ransomware ecosystem
With several arrests, the indictment of LockBit leaders, and action to dismantle infrastructure by global law enforcement, the Trellix Advanced Research Center observed a diversification of ransomware groups, expanded use of AI-powered tools to deliver ransom demands, and a focus on tools built specifically to evade endpoint detection and response (EDR) solutions.

• Group diversification: The top five most active groups account for less than 40% of all attacks, demonstrating less concentrated activity among major actors. This highlights the need for organizations and governments to remain adaptable, continuously updating their strategies to address the evolving tactics of ransomware groups.
• RansomHub: RansomHub emerged as the most active among ransomware groups, accounting for 13% of Trellix detections. Its rise, and the activity of other smaller groups, further illustrates the fluid nature of ransomware. LockBit remains active, generating the second most detections (11%), followed by groups Play (7%), Akira (4%) and Medusa (4%).
• EDR evasion: Trellix found a thriving market for EDR evasion tools on the dark web. They are built to avoid detection by the tools most organizations rely on to identify and respond to known threats.RansomHub adopted one such tool named EDRKillShifter to disable EDR capabilities before executing their attacks.
• AI-powered tools: The cybercriminal underground has become a hub for malicious actors to sell new AI-based tools to execute crime. Trellix observed the sale of a number of these tools on the black market, including the Radar Ransomware-as-a-Service program, which conceals the way AI is used but seeks to recruit forum users to join its affiliate network.
• Sectors and regions: Healthcare, education, and critical infrastructure remain prime targets, and the global spread of ransomware persists, focusing on the U.S. and other developed economies. The U.S. received 41% of all Trellix ransomware detections, outpacing the next most targeted country (the U.K.) nine-fold.

The broader cyber threat landscape
The Trellix Advanced Research Center examined industry cyber threat data, with analysis pointing to a rise in attacks from North Korea-aligned group Kimsuky, which doubled the activity of other APT groups. The study of industry reports of cybersecurity events also revealed a targeted distribution across critical sectors, with the government bearing the brunt of attacks (13%), followed by the financial sector (7%) and manufacturing (5%).

Cyber Technology Insights: Lenovo Unveils ThinkShield Firmware for OS-Level Security

To participate in our interviews, please write to our CyberTech Media Room at news@intentamplify.com

Source – Businesswire