Trellix Finds LockBit Ransomware Gang Most Apt to Leak Stolen Data

Trellix, the cybersecurity company delivering the future of extended detection and response (XDR), today released The Threat Report: February 2023 from its Advanced Research Center, examining cybersecurity trends from the final quarter of 2022. Trellix combines telemetry collected from its extensive network of endpoint protection installs and its complete XDR product line with data gathered from open and closed source intelligence reports to deliver report insights.

“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “Grey zone conflict and hacktivism have both led to an increase in cyber as statecraft as well as a rise in activity on threat actor leak sites. As the economic climate changes, organizations need to make the most effective security out of scarce resources.”

The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors, and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:

LockBit 3.0 Most Aggressive with Ransom Demands: While no longer the most active ransomware group according to Trellix telemetry – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organization’s leak site reported the most victims. This data makes LockBit the most aggressive in pressuring their victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.

Nation-State Activity Led by China: APT actors linked to China, including Mustang Panda and UNC4191, were the most active in the quarter, generating a combined 71% of detected nation-state backed activity. Actors tied to North Korea, Russia, and Iran followed. The same four countries ranked the most active APT actors in public reports.

Critical Infrastructure Sectors Most Targeted: Sectors across critical infrastructure were most impacted by cyberthreats. Trellix observed 69% of detected malicious activity linked to nation-state backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top sectors targeted by ransomware actors, and telecom, government, and finance among the top sectors targeted via malicious email.

Fake CEO Emails Led to Business Email Compromise: Trellix determined 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases, resulting in a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.

The Threat Report: February 2023 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Center, open and closed source intelligence, and threat actor leak sites. The report is based on telemetry related to detection of threats, when a file, URL, IP-address, suspicious email, network behavior or other indicator is detected and reported by the Trellix XDR platform.