Turning Tides
Navigang the Evolving World of Cybercrime
H1 2023
CRIMEWARE TRENDS
AND HIGHLIGHTS
AUGUST | 2023
In the rst half of 2023, Arete observed several
disnct trends and shis in the cyber threat landscape.
Leveraging the data collected during each incident
response engagement, we can see the rise and fall of
ransomware variants, notable trends in ransom demands
and payments, industries targeted by ransomware
aacks, and what may be coming next.
Looking back over the past few years, Arete has
seen a paern of acon-reacon developing within
cybersecurity. In response to several high-prole aacks
in the past three years, many organizaons invested
in security tools, training, and services to reduce risk.
To evade these standard security tools and common
defense strategies, threat actors shied their operaons
to target dierent types of operang systems with
increasingly complex taccs.
The threat landscape connues to evolve with the
widespread introducon of AI tools, lower barriers
of entry into cybercrime, new vulnerabilies, and the
socioeconomic eects of the Russia-Ukraine war.
Ransomware operaons thriving today are pushing the
envelope in development and extoron techniques.
Arion, reorganizaon, and re-branding within
cybercriminal groups have made aribuon more
challenging than ever.
However, as threat actors evolve, so do the threat
hunters and organizaons tracking them. Global
law enforcement agencies have carried out several
impacul arrests and seizures on mulple high-prole
cybercriminal groups in the rst half of 2023. We have
seen a signicant increase in collaboraon between
law enforcement agencies and civilian cybersecurity
organizaons, resulng in unprecedented informaon
sharing on indicators and taccs, allowing for more
accurate aribuon, restoraon, and potenal
disrupon of ransomware threat actor acvies.
Execuve Summary
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
3
• Mainstay actors prevail and new players arrive on the scene
• Professional services is the most targeted industry
• The percentage of incidents where a ransom is paid fell to 19%
• Cybercrime-as-a-Service on the rise
• Leaked source code skyrockets accessibility
• Arcial Intelligence changes the game
• Threat actors move to exltraon-only operaons
• Targeng of Linux and macOS systems increases aack surface
• Cascading eects of the Russia-Ukraine War connue
• Global law enforcement targets cybercriminals
* Disclaimer: Unless otherwise noted, all data within this report is based on Arete incident response cases.
Overview
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
4
In the rst half of 2023 (H1 2023), we saw LockBit rise to the top spot, accounng for 30.3% of Arete’s observed
ransomware cases. New variants appeared on the scene, including Akira and Luna Moth. Despite the emergence
of new variants over the past two years, Arete data indicates that dominant and well-established actors sll
maintain their top posions.
H1 2023 Highlights From Arete’s
Incident Response Cases
Figure 1: Top Ransomware Variants Observed in H2 2022 and H1 2023
0%
20%
30%
10%
ALPHV/BlackCat
Phobos
Hive
Lockbit
Black Basta
Royal
Bian Lian
29.87%
14.29%
12.99%
12.99%
9.09%
7.79%
6.49%
H2 2022
0%
10%
20%
5%
15%
ALPHV/BlackCat
Lockbit
Black Basta
Royal
Akira
Luna Moth
Phobos
18.71%
12.90%
6.45%
H1 2023
18.71%
12.90%
12.26%
6.45%
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
5
Figure 2 shows the top ransomware variants observed over the past 4 quarters and is color-coded according to
each variant’s current state of acvity.
LockBit and ALPHV/BlackCat retained spots in the top
three over the past four quarters, showcasing their
connued dominance. Lockbit has made connuous
development eorts throughout its tenure, including
improvement to its ransomware builder, releasing
new builders to their aliates, and working to target
other operang systems. Lockbit can now target
Linux systems, and a developmental Lockbit macOS
encryptor was spoed in the wild. Arete has observed
updated versions of LockBit, including LockBit Green
and LockBit Black.
BlackCat ulizes a unique method requiring command
line arguments to encrypt les on vicm systems.
To aid in propagaon, the group uses stolen admin
credenals together with the embedded PsExec ulity,
eliminang the need to propagate the ransomware
manually. This, together with addional techniques
and benets to aliates, could contribute to its
ongoing status as one of the top three most prevalent
threat actor groups.
Another variant observed over the past three quarters
is Royal ransomware, which, like BlackCat, requires
command line arguments to run correctly in a vicm
system. Royal has been acve since September 2021
and was rst observed in an Arete engagement during
Q4 2022. In Q1 2023, we observed a spike in cases,
but the frequency subsequently dropped in Q2.
In Q2 2023, we observed the emergence of Akira,
a new ransomware group that quickly became the
number two most observed variant. In June 2023, a
cybersecurity rm released a free Akira decryptor
requiring unencrypted and encrypted le pairs to
decrypt correctly. We expect to see Akira release an
updated version of their ransomware, eliminang the
aw that allowed the creaon of the free decryptor.
However, like some other ransomware operaons,
they may decide to move to an extoron-only model
at some point.
See page 10 for taccs, techniques, and procedures (TTPs),
and detailed insights on the top ve variants observed.
H1 2023 Highlights From Arete’s
Incident Response Cases
Figure 2: Top Ransomware Variants Observed from Q3 2022 to Q2 2023
Q3 2022 Q4 2022 Q1 2023 Q2 2023
ALPHV/BlackCat ALPHV/BlackCat
ALPHV/BlackCat ALPHV/BlackCat
Luna Moth
CI0p
Luna Moth
Phobos
Phobos
Phobos
Phobos
Black Basta Black Basta
Black Basta
Royal
Royal
Lockbit
Lockbit
Lockbit Lockbit
Akira
Hive
Hive
Vice Society
BianLian
BianLian BianLianMakop
DARK BLUE
INACTIVE
LIGHT BLUE
STEADY OR DECLINING ACTIVITY
PINK
TRENDING UP
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
6
H1 2023 Highlights From Arete’s
Incident Response Cases
In the rst half of 2023, Arete saw a disnct rise in
targeng against the professional services sector, an
almost 12% increase from the second half of 2022.
This is primarily due to the rise in acvity from the
extoron group Luna Moth, which disproporonately
targeted law rms. Luna Moth's acvity subsequently
declined in the second half of Q2, and we expect to see
a decrease in the targeng of the professional services
sector in Q3 due to Luna Moth's drop in acvity.
Interesngly, from the various industries we track in our
data, the top ve industries impacted by ransomware
stayed the same from the second half of 2022 to the
rst half of 2023. These industries have each retained
a spot in the top ve since 2019. Organizaons in
these industries oen house valuable data, including
customer informaon, intellectual property, nancial
records, and operaonal secrets that threat actors can
exploit for monetary gain or compeve advantage.
These industries also consist of crical operaonal
facilies like manufacturing plants, hospitals, and
transportaon networks that may make them more
willing to pay ransoms to restore operaons and avoid
disrupon. These industries will likely remain in the
top ve as threat actors connue to follow the money
and leverage their successful experience in aacking
these organizaons.
Figure 3: Top 5 Industries Impacted by Ransomware in H2 2022 and
H1 2023
Professional Services
Manufacturing
Public Services
High Technology
Healthcare
Industries
11%
15%
24%
23.66%
26%
12%
14%
16%
19.82%
38%
H2 2022
H1 2023
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
7
While the overall ransom demands from cybercriminals
connue to trend upwards, Arete's data shows that a
ransom was paid in just 19% of cases in the rst half
of 2023. This may be due in part to the industry-wide
increase in exltraon-only aacks.
Arete has also enhanced our ability to restore clients to
normal operaons without ransom payments. Arete's
restoraon engineers build tailored restoraon and
remediaon plans for our clients. These tailored plans
allow Arete to assess the impact of a ransomware event
properly, determine the validity of the organizaon's
backups, idenfy recoverable data via means other
than backups, and create a meline for restoraon.
This data-driven analysis helps create the best path
forward and oen eliminates the need to pay a ransom.
The facilitaon of a ransom payment is always a last
resort for Arete, and we are proud to have avoided the
need for our clients to pay a ransom in over 80% of our
cases this year.
Ransom Demands and Payments
The facilitaon of a ransom payment is
always a last resort for Arete, and we are
proud to have avoided the need for our
clients to pay a ransom in over 80% of our
cases this year.
$600,000
Percentage of me a ransom is paid
19%
H2 2022
H1 2023
29%
Median Ransom Demand
$302,000
H2 2022
H1 2023
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
8
Inial Access Vectors
The rst half of 2023 saw a shi in dominant inial
access vectors. Notably, third-party access tools
accounted for 34.5% of inial access in the second half
of 2022 and just 9.3% in H1 2023. Remote Desktop
Protocol (RDP) held the top spot in H1 2023, observed
in 24.5% of cases, up from just 8.1% in H2 2022.
A primary contributor to these shis is threat actors'
increased use of inial access brokers. Inial access
brokers always pursue the latest vulnerabilies,
taccs, and tools. As their role in the cyber ecosystem
connues to expand, we will likely see frequent shis
in which vectors are used most oen.
For detailed informaon about these inial access
vectors, see the appendix.
Figure 4: Inial Access Vectors Observed in H2 2022 and H1 2023
Soware / Hardware Vulnerability
Third Party Remote Access Tools
Stolen User Credenals
Malicious Email
Remote Desk Protocol
Method of Intrusion
Soware / Hardware Vulnerability
Third Party Remote Access Tools
Phishing Email
Malicious Email
Remote Desk Protocol
Virtual Private Network
Method of Intrusion
H2 2022
8.05%
8.05%
12.64%
34.48%
36.78%
H1 2023
9.26%
11.11%
12.96%
24.07%
20.37%
36.78%
The following list represents the post-exploit toolsets
our analysts observed in incident response and
managed detecon and response engagements in H1
2023. Documentaon and analysis of malware help us
understand cyberaacks' nature, scope, and impact
during an invesgaon. This insight can give network
defenders a more accurate picture of the threat
landscape and help them understand how to reduce
the risk of a signicant incident by ensuring their
endpoint and network appliances properly detect and
block these threats.
For informaon about each of these toolsets, please
see the appendix.
Inial Access Vectors
Agent Tesla Gozi RedLine
AZORult Hancitor SocGholish
Babadeda IcedID Smoke Loader
BlueFox Jupyter SystemBC
Brute Ratel Metasploit Vidar
Cobalt Strike Mimikatz WSH RAT
CoinHive Neshta XMRig
Emotet NETSupport RAT Xtreme RAT
Expiro PoisonIvy Xworm
FlawedAmmyy RAT Qbot Zloader
FloodFix Quasar RAT
9
| ©2023 Arete Advisors, LLC. All Rights Reserved.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
10
Notable Taccs, Techniques, and Procedures (TTPs)
• LockBit aliates use various tools during intrusions
to achieve network reconnaissance, remote access,
credenal dumping, and exltraon. Aliates
also use batch scripts, PowerShell, Metasploit,
and Cobalt Strike to gain inial access and move
laterally through a vicm’s network to idenfy and
target high-value assets for encrypon.
• In LockBit 3.0, ransom notes tles were changed
from ‘Restore-My-Files.txt’ to ‘[id].README.txt’.
• LockBit 3.0 has leveraged the iControl CVE-
2021-22986 and Fornet CVE-2018-13379
vulnerabilies, enabling remote code execuon
on a system or le downloads containing sensive
informaon, including usernames or passwords,
without authencaon.
• In a recent case, Arete idened LockBit ulizing
double encrypon for the rst me.
• In several recent LockBit cases, Arete idened
mulple ransomware notes in client environments,
raising concerns over the plausibility of decrypon.
Despite these concerns, the threat actor was able
to successfully decrypt the les in cases with
mulple ransom notes idened.
• In a recent case, Arete observed a change with
the decrypon tool provided by the threat actor,
which required the tool to be deployed ulizing the
command line. In previous cases, the decrypon
tool was easily deployed by running the tool as an
administrator. This seems to be an isolated incident,
and we have not seen any further changes in the
threat actor’s decrypon tool.
Threat Actor Insights
LockBit has remained at the forefront of the cybercrime
sector over the last several years due to its constant
development eorts and connued iteraons of its
ransomware encryptor. The group commonly ulizes
a double-extoron technique and, in some cases, even
triple extoron, in which they launch DDoS aacks on
the vicm’s network. Addionally, they leverage a data
leak site (DLS) for posng vicm data. Operaonally,
LockBit members recruit experienced aliates tasked
with gaining inial access to vicm networks in
exchange for a percentage of the paid ransom. The
LockBit 3.0 ransomware is connuously evolving, and
in April 2023, samples designed to encrypt on Apple’s
macOS arm64 architecture were discovered on Virus
Total, which raised concerns about the evolving risk of
ransomware on macOS systems. Lockbit 3.0 is already
capable of encrypng on Windows, Linux, and VMware
ESXi virtual machines and aims to expand the group of
potenal targets to include organizaons migrang to
virtual environments.
Lockbit 3.0 is already capable of encrypng
on Windows, Linux, and VMware ESXi virtual
machines and aims to expand the group of
potenal targets to include organizaons
migrang to virtual environments.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
11
ALPHV/Blackcat emerged in late 2021, targeng
organizaons across various sectors and regions.
ALPHV/Blackcat diers from other variants because
it has unique features and techniques that make it
more challenging to detect and stop. It is known to
distribute various payloads, including Cobalt Strike,
Trickbot, and Qakbot. The group has demonstrated
connuous innovaon, regularly incorporang new
discovery techniques, defense evasion, and various
post-compromise acvies.
ALPHV/Blackcat diers from other variants
because it has unique features and techniques
that make it more challenging to detect and stop.
Notable Taccs, Techniques, and Procedures (TTPs)
• Tools used by BlackCat, according to Arete's
incident response engagement datasets, include
CobaltStrike, Mimikatz, Megasync, LaZagne, and
WebBrowserPassView.
• Based on command line switches seen in Windows
and Linux variants, Arete notes that BlackCat
builds vicm-specic samples.
• ALPHV/Blackcat uses various entry points to
infect the vicm's network, including phishing
emails, compromised credenals, and remote
desktop protocol (RDP) brute force aacks.
• It also ulizes other malware infecons as stepping
stones to launch its ransomware payload.
• To increase potenal reach and impact, ALPHV/
Blackcat targets both Windows and Linux devices,
as well as network-aached storage (NAS)
devices, which are oen used to store backups
and sensive data.
Threat Actor Insights
According to a threat assessment by Arete's Threat
Fusion Center, Black Basta uses various methods to
aack its vicms, including:
• Sending phishing emails that contain malicious
aachments or links that download and run Black
Basta's soware
• Using stolen passwords or hacking tools to access
the vicm's network remotely
• Dropping an image le named dlaksjdoiwg,jpg that
replaces the desktop wallpaper
• Using encrypon techniques to lock the vicm's
data and hide their acvies
• Installing the GHOSTRAT remote access trojan to
execute the payload
Black Basta emerged in late 2021 and oen ulizes
a double extoron technique. Black Basta is a
cybercriminal organizaon that oers Ransomware-as-
a-Service (RaaS) to other hackers, meaning that anyone
can use Black Basta's soware and infrastructure to
launch ransomware aacks and share the prots with
Black Basta's operators.
Black Basta is a cybercriminal organizaon
that oers Ransomware-as-a-Service to other
hackers, meaning that anyone can use Black
Basta's soware and infrastructure to launch
ransomware aacks and share the prots with
Black Basta's operators.
Threat Actor Insights
| ©2023 Arete Advisors, LLC. All Rights Reserved.
12
Royal ransomware has been acve in the cybercrime
ecosystem since September 2021. Rather than
operang as a RaaS, which has recently dominated the
threat landscape, Royal is believed to loosely operate
as a closed group. When the group emerged, it ulized
other variants' data encryptors before developing
its proprietary encryptor. While the group does not
appear to target a single sector or organizaonal
size disproporonately, they do not shy away from
encrypng large organizaons with ransomware.
While Royal does not appear to target a single
sector or organizaonal size disproporonately,
they do not shy away from encrypng large
organizaons with ransomware.
According to a threat assessment by Arete's Threat
Fusion Center, Royal uses various methods to aack its
vicms, including:
• Sending phishing emails that contain malicious
aachments or links that download and run Royal
ransomware's soware
• Using stolen passwords or hacking tools to access
the vicm's network remotely
• Using malicious adversements that redirect the
vicm to a website that downloads and runs Royal
ransomware's soware
• Deploying CobaltStrike to maintain persistence on
a system
• Exltrang credenals, laterally spreading across
the system's domain, and encrypng devices
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
13
Threat Actor Insights
Akira encrypts and exltrates data to a remote
server and extorts vicms by threatening to post
sensive informaon on their data leak site.
Akira
The rst ransomware aack by Akira occurred in early
April 2023, and the group quickly amassed vicms
throughout the rst half of 2023. Akira encrypts
and exltrates data to a remote server and extorts
vicms by threatening to post sensive informaon
on their data leak site (DLS). The ransomware appends
a ".akira" extension to encrypted les and uses a
password-protected TOR site for communicaon and
negoaons with its vicms.
Notable Taccs, Techniques, and Procedures (TTPs)
• According to Arete's incident response
engagement data, Akira targets educaon,
professional services, retail, hospitality, healthcare,
and manufacturing organizaons.
• To date, Akira has primarily targeted enes in
Canada and the United States.
• Arete has observed Akira oen using the same
verbiage during negoaons. The threat actor
sends a list of the ve deliverables they will provide
aer payment, including decrypon assistance and
evidence of data removal, along with an opon to
pay for all ve of the deliverables listed or just
some of them. Aer payments are made, Arete
has observed Akira sending the same "security
report" regardless of the vicm.
• The decryptor Akira provides is known to be
unreliable and problemac, randomly skipping les
or decrypng a le without removing the .akira
extension. In late June 2023, researchers at Avast
developed a decryptor for Akira and released it
as a public download. Arete assesses that Akira
will likely adjust its encrypon schema to migate
future vicms' ability to use this public tool.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
14
Opening the Floodgates:
Lower Barrier of Entry into Cybercrime
In September 2021, a Babuk aliate leaked the group's
C++ source code, giving emerging actors an eecve
tool for targeng Linux operang systems and paving
the way for VMware ESXi aacks. While originally
slow to be adopted, in the rst half of 2023, a slew of
emerging threat actors used the source code to target
Linux environments. These threat actors include:
• TRM Locker • RA Group
• Rook • Lock4
• Dataf Locker
In February 2022, a Con aliate disgruntled by
the group's stance on the Russia-Ukraine war leaked
the ransomware operaon's informaon, including
negoaons, hierarchy, and source code. Following
these leaks, the group inevitably ceased operaons,
and the individuals behind Con ransomware
joined other ransomware groups or stood up their
own operaons. The leaked source code has been used
to enable various ransomware operaons, including:
• Pun Team ransomware
• Scarecrow ransomware
• BlueSky ransomware
The well-known Ransomware-as-a-Service (RaaS) model has dominated the cybercrime industry over the last
few years and into H1 2023, and Cybercrime-as-a-Service has grown in parallel. Cybercrime-as-a-Service has
lowered the barrier of entry into cybercrime by giving threat actors access to various resources that allow them
to work their way through the aack lifecycle eecvely.
The threat actors behind ransomware operaons can:
• Engage with inial access brokers to purchase access to vicm organizaons.
• Leverage exploit code purchased from vulnerability marketplaces.
• Purchase access to remote access trojans (RATs).
• Purchase access to post-exploitaon command & control (C2) frameworks.
• Opt or buy into an exisng ransomware aliate program.
Cybercrime-as-a-Service has led to a disnct increase in inial access brokers and credenal shops and has
increased the ability of even inexperienced actors to exploit vicm organizaons eecvely.
Opening the Floodgates:
Lower Barrier of Entry into Cybercrime
Following the leaked Con source code, an angry
LockBit developer leaked the group's builder in
September 2022. The leak allowed aspiring cyber-
criminals to easily download the builder, alter the
ransom note to their liking, and encrypt vicm
environments, as long as they gained inial access.
The builder's ease of access and granularity enabled
many unknown actors to target vicms in the
wild without sophiscated capabilies. However,
one large ransomware group, dubbed Bl00dy
ransomware, connues using the builder throughout
their campaigns.
The addion of these leaked tools into the cyber-
crime ecosystem empowered emerging actors to
create their own ransomware operaons rather
than becoming an aliate for an exisng group.
This inux of new actors has increased diculty in
aribuon following a security incident. Arete has
developed an extensive repository of threat actor
TTPs, and detecon mechanisms, including Yara and
SennelOne countermeasures, to detect and aribute
threat actor acvity. However, actors cannot wholly
rely on leaked source code to enable their operaons,
as it is the nal stage of the aack lifecycle.
Arete has developed an extensive repository
of threat actor TTPs, and detecon
mechanisms, including Yara and SennelOne
countermeasures, to detect and aribute
threat actor acvity.
15
| ©2023 Arete Advisors, LLC. All Rights Reserved.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
16
The AI Revoluon and Cybercrime
ChatGPT, the revoluonary product from OpenAI,
encompasses a large dataset of human conversaons
and can generate and address human-like responses.
Since its launch in January 2023, it has garnered
massive global aenon and grown signicantly. A
free version is available for all users, but OpenAI also
launched a paid version with unrestricted availability.
Although ChatGPT has filters intended to prevent
the tool from generating harmful content, users
have discovered workarounds and methods to
bypass these filters and leverage the tool to enable
cybercrime operations. Because of its immense
capabilities, ChatGPT has become a preferred
tool for script kiddies and attackers. It can assist
in identifying vulnerabilities, reverse-engineering
shellcode, and even generating code for malware.
Multiple threads in underground forums have
addressed the utilization of ChatGPT for fraudulent
activities. In a hacking forum called 'Breached,'
Arete has observed discussions among threat
actors regarding the use of ChatGPT in creating and
sharing malware code.
Discovered by cybersecurity rm SlashNext on July
13, 2023, WormGPT is a blackhat version of ChatGPT.
It is designed to generate malicious content, including
phishing emails, malware code, fake news, and
social media posts. WormGPT is based on the GPT-J
language model, developed in 2021 by EleutherAI,
an open-source AI research group. Depending on the
user's input and preferences, the tool generates texts
in dierent languages, formats, and styles and creates
code snippets for various programming languages,
including Python, Java, C#, PHP, and HTML.
WormGPT is described on dark web forums as a
"sophiscated AI model" and a "best GPT alternave
for blackhat" designed especially for cybercrime.
WormGPT has no ethical boundaries or safety
mechanisms to prevent it from responding to harmful
or illegal requests and is allegedly trained with data
sources, including malware-related informaon. Sll,
the specic datasets remain known only to WormGPT's
author. This tool poses a severe threat to online
security and privacy, as it can create convincing texts
that can trick users into revealing sensive informaon,
downloading malicious soware, or falling for scams.
This new and emerging threat requires more research
and analysis to understand its full capabilies and
potenal impacts.
Cyber criminals can leverage AI tools to create phishing
scams, social engineering aacks, and spamming. In the
near term, it is likely that new versions of AI soware
will connue to be developed, leading to increasing
funconality for threat actors. This, coupled with
threat actors connuing to expand their knowledge
of manipulang the soware, will lead to threat actors
increasingly ulizing AI in their day-to-day operaons.
Because of its immense capabilies, ChatGPT
has become a preferred tool for script kiddies
and aackers.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
17
Historically, threat actors have leaned heavily on their
reputaons to inmidate their vicms. And while
actors like LockBit and ALPHV/BlackCat connue
to be mainstays, the ease of rebranding has caused
new and lesser-known actors to place less emphasis
on their reputaon. Groups can easily create new
ransom notes and encrypted le extensions using
ransomware builders, build new communicaon
infrastructure, and create new logos for their
branding. This rebranding trend could lead to false
claims, unreliable proof-of-deleon, or re-extoron.
As Ransomware-as-a-Service (RaaS) operations
connue to be plagued by dissased or sloppy
aliates, we will likely see a shi in the RaaS-
dominated cybercrime ecosystem. Inially, RaaS
groups will likely emphasize veng aliates before
onboarding. Large ransomware operaons could
use their resources to eecvely create a veng
and onboarding process comparable to that of top-
er human resources departments. Addionally,
threat actors will likely consider using new tools to
develop their own ransomware operaon rather
than becoming an aliate of an exisng RaaS. Even
inexperienced actors could use tools, including
arcial intelligence, inial access brokers, commodity
RATs, and leaked ransomware source code, to create
their own ransomware operaon without signicant
development capabilies.
Rebranding trends could lead to false claims,
unreliable proof-of-deleon, or re-extoron.
The AI Revoluon and Cybercrime
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
18
Acve since March 2022, Luna Moth launched
phishing campaigns impersonang popular online
learning plaorms Zoho MasterClass and Duolingo.
The phishing emails claim that the recipients have
been charged for a subscripon and oer a PDF
aachment with a phone number to call for more
informaon. If the recipients open the aachment and
call the number, they are greeted by a human operator
who pretends to be a customer service representave
and convinces them to install a remote administraon
tool (RAT) on their device. This RAT gives the aacker
complete control over the device and allows them to
access and exltrate any data available.
Luna Moth does not use any sophiscated or custom-
made tools but rather leverages commercially available
RATs, including Atera, Splashtop, Syncro, and AnyDesk,
as well as publicly available tools SoPerfect Network
Scanner, SharpShares, and Rclone. These tools are
stored on compromised machines under false names
to avoid detecon. The group also uses VPN services
and TOR to hide their identy and locaon.
Once Luna Moth steals the data, they contact vicms
via email or phone and demand a ransom, usually
ranging from $100,000 to $1 million, depending on
the amount and sensivity of the data. They threaten
to publish the data on their website or sell it to other
criminals if the ransom is not paid within a specic
meframe. The group also provides proof of the
data breach by sending samples of the stolen les or
screenshots of their website.
Luna Moth’s aacks are simple but eecve, exploing
human psychology and trust rather than technical
vulnerabilies. The group targets small and medium-
sized businesses that may not have adequate security
measures or backups in place and may be more
likely to pay a ransom to avoid reputaonal damage
or legal consequences. The group also operates
opportuniscally, stealing any data they can access,
regardless of its value or relevance.
Luna Moth’s novel extortion campaign demonstrates
that cyberattacks do not require ransomware to
be successful.
The Migraon to Exltraon-Only Operaons
Luna Moth’s aacks are simple but eecve,
exploing human psychology and trust
rather than technical vulnerabilies.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
19
A serious ransomware threat is looming over
crical infrastructure, as cybercriminals linked to
notorious Russian ransomware group Cl0p are
exploing a security aw in MOVEit Transfer, a tool
used by hospitals, health systems, corporaons,
and government agencies to share large les over
the internet. Cl0p, also known as TA505, has been
using a structured query language (SQL) aack
vector to infect internet-facing MOVEit Transfer web
applicaons with malware and then steal data from
underlying databases.
The MOVEit vulnerability was disclosed by U.S.-
based company Progress Soware, the developer of
MOVEit Transfer, on June 5, 2023. The exploitaon
of the vulnerability has aected several organizaons
worldwide, including Brish Airways, the BBC, Boots,
Ofcom, Transport for London, Ernst & Young, and
several U.S. federal agencies. Cl0p has released the
names of several vicms and some of their stolen data
on its website since June 13, 2023, in an aempt to
pressure these organizaons to pay ransom demands.
This aack is known as a supply-chain aack, as it
targets widely used soware that serves as a gateway
to many other organizaons. The MOVEit aack is
a remote code execuon aack in which aackers
can exploit and upload a webshell to exltrate data
from vulnerable servers. This vulnerability is one of
the latest examples of ransomware groups becoming
more sophiscated and aggressive in their taccs,
targeng crical infrastructure and sensive data.
There was no data encrypon during these aacks.
Instead, Cl0p was able to exltrate large amounts of
data from vicm organizaons eecvely. Following
the mass exltraon of data, Cl0p extorted the vicms
of the MOVEit aack via direct emails and posngs on
their DLS. This series of cyberaacks is an example of
the trending shi to exltraon-only operaons.
The Migraon to Exltraon-Only Operaons
The MOVEit vulnerability is one of the latest
examples of ransomware groups becoming
more sophiscated and aggressive in their
taccs, targeng crical infrastructure and
sensive data.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
20
Ransomware aacks have been a signicant threat to
Windows and Linux users for years, but macOS users
have largely avoided this threat thanks to Apple’s
security features and lower market share. However,
in 2023, a new ransomware threat on macOS was
discovered, indicang that the threat landscape may
be changing for Apple users.
The ransomware showcasing the ability to target
macOS environments was later aributed to the
notorious LockBit ransomware group. In April 2023,
security researchers found samples of LockBit
encryptors for macOS on VirusTotal, a malware
analysis repository. The samples were uploaded in
November and December 2022 but went unnoced
unl MalwareHunterTeam spoed them.
The LockBit encryptors for macOS were designed to
target both newer Macs running Apple processors
(arm64 architecture) and older Macs running
PowerPC chips. However, the researchers found
that the encryptors were not very eecve, as they
were unsigned, did not account for Apple’s security
restricons (TCC/SIP), and had bugs that caused
them to crash. The encryptors also did not have any
network communicaon or ransom note funconality.
The researchers concluded that the LockBit
encryptors for macOS were more of an experiment
than a viable threat. Sll, LockBit could improve
and iterate on these tools in the future. The fact
that LockBit was developing a macOS version of its
ransomware could signal a trend toward more Mac-
targeted ransomware, especially as more businesses
and instuons adopt Macs.
LockBit was not the only ransomware group to show
interest in macOS in 2023. In May 2023, ransomware
group Akira was found to have published data from a
macOS vicm on its website. Akira uses a combinaon
of phishing emails, remote access tools, and PowerShell
scripts to compromise and encrypt devices.
These incidents suggest that macOS users should not
be complacent about the risk of ransomware aacks.
While macOS has some built-in security features
that make it harder for ransomware to run, such as
Gatekeeper, FileVault, and XProtect, these features
are not foolproof and can be bypassed by determined
aackers. Moreover, macOS users may be more
vulnerable to phishing emails and social engineering
taccs, as they may have a false sense of security and
lower awareness of cyber threats.
Ransomware aacks are a severe threat to any device
user, regardless of the operang system. MacOS
users should not assume they are immune from this
threat but rather take proacve measures, like those
on page 26, to secure their data and devices from
ransomware aackers.
Focus on Increasing Aack Surface
Ransomware aacks are a severe threat to
any device user, regardless of the operang
system.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
21
Over the past two years, cybercriminals have targeted
VMware ESXi servers due to a soware vulnerability
known as CVE-2021-21974, with over 3,200 servers
compromised globally.
A ransomware variant dubbed ESXiArgs appeared to
be the rst to leverage the vulnerability to run exploit
code remotely. ESXiArgs was inially idened as
encrypng les with the .vmxf, .vmx, .vmdk, .vmsd,
and .nvram extensions on compromised ESXi servers
and creang a .args le, but recently the group started
encrypng more extensive amounts of data.
Arete observed the latest version of Royal
Ransomware specically targeng VMware ESXi
virtual machines. Addionally, LockBit released a
new iteraon of their ransomware builder, allowing
threat actors to target Linux environments acvely.
This new variant, LockBit Green, allows ransomware-
as-a-service (RaaS) aliates to encrypt VMware ESXi
hypervisors.
Threat actors are likely targeng the ESXi machines
because, aer the deployment of the payload, they
can encrypt mulple hosts via a single command.
Arete observed the latest version of Royal
Ransomware specically targeng VMware
ESXi virtual machines.
Focus on Increasing Aack Surface
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
22
Ironically, along with increasing risks of mobilizaon,
Russian hackers are now facing uncertainty about the
country's "safe haven" status that they enjoyed so far.
War-related expenses and the economic impact of
imposed sancons prompted the Russian government
to propose a new law that enables the conscaon of
proceeds from cybercriminal operaons.
The mass exodus of cybercriminals from Ukraine
and Russia also provided a unique opportunity for
internaonal law enforcement agencies to track
and arrest cybercriminals in countries that have
extradion treaes with the United States. Since the
beginning of the war in Ukraine, several high-prole
arrests have been announced publicly, including
suspected JabberZeus top manager Vyacheslav "tank"
Penchukov and a suspected "Evil Corp" second-in-
command Igor Turashev.
As a result of increased law enforcement acon, we
have seen an inux of cybercriminal groups deciding
to break up into smaller independent teams or
re-brand in the rst half of 2023. Every month, some
groups disappear (or announce "rerement), and
"new" groups enter the market, which has increased
the challenge of accurate aribuon.
With rising mul-dimensional pressure on cyber-
criminal groups, we'll likely connue to observe the
shi from large Ransomware-as-a-Service (RaaS) and
private groups toward compartmentalized cellular
structure operaons, which enable smaller teams to
operate independently while making the enterprise
more resilient to idencaon and inltraon.
The cellular structure can make it harder for these
groups to coordinate large-scale acons, and there's
a greater risk of cells being inltrated or turning
against each other. Nevertheless, it has proven to be
eecve for many cybercriminal organizaons. In the
long run, this structural change may also slow down
the speed of innovaon since smaller cells will be less
likely to have sucient resources to make signicant
investments in research and development.
The Connued Impact of the Russia-Ukraine War
on Cybercrime
As a result of increased law enforcement
acon, we have seen an inux of
cybercriminal groups deciding to break up
into smaller independent teams or re-brand
in the rst half of 2023.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
23
The increase in high-prole ransomware events
led Congress to form CISA's Joint Ransomware
Taskforce (JRTF). In November 2022, the White
House sponsored the second Internaonal Counter
Ransomware Iniave Summit.
Hive, a notorious ransomware gang that targeted
dozens of organizaons worldwide, including
hospitals, schools, and businesses, faced a signicant
blow from law enforcement agencies. In coordinaon
with internaonal partners, the FBI seized the website
Hive used to communicate with its vicms and publish
stolen data. More than 30 global private sector and
U.S. government agencies contributed to the success
of this operaon.
The website, hosted on the dark web, displayed a
message from the FBI in January 2023 announcing it
had been seized as part of an ongoing invesgaon.
The message also warned that anyone who accessed
the website may have been exposed to malware and
advised them to scan their devices for infecons.
The FBI stated that it took acon against Hive aer
idenfying its infrastructure and obtaining a court
order. The agency also said it is working with foreign
law enforcement agencies to idenfy and apprehend
the individuals behind Hive.
One of Hive’s most notable aacks was against
Memorial Health System, a hospital network in
Ohio and West Virginia, in August 2021. According
to Aorney General Merrick Garland, the aack
forced the hospital to turn away paents as Covid-19
surged. Other vicms of Hive include Canadian
energy company Inter Pipeline, soware provider
Kaseya, and Iowa-based agricultural cooperave New
Cooperave.
The seizure of Hive’s website is part of a broader
eort by the U.S. government and its allies to
combat the growing threat of ransomware, which has
caused signicant disrupon and damage to crical
infrastructure and public services.
2021
REvil aacks against the world's
largest meat processor, JBS, and
soware company Kaseya, impacted
over 1,500 businesses worldwide.
2021
Hive aack against the Memorial
Health System, a hospital network in
Ohio and West Virginia, forced
hospitals to turn away paents as
Covid-19 surged.
2021
Darkside aack against Colonial
Pipeline significantly impacted fuel
supply that is said to have increased
prices in the U.S. by $3 for the first
me in seven years.
2023
Vice Society aack against Los
Angeles Uniffed School District, the
second-largest school district in the
United States.
High-profile Ransomware Aacks
Law Enforcement Acons Against Cybercriminals
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
24
In collaboraon with law enforcement agencies
from 18 countries, the FBI cracked down on Genesis
Marketplace, one of the largest illicit marketplaces for
stolen credenals and related sensive informaon.
The operaon, which took place on April 27, 2023,
resulted in the arrest of 119 suspects and the seizure
of over $1.5 million in cryptocurrency and cash.
Genesis Marketplace was a dark web plaorm
specializing in selling digital ngerprints, which are
data collecons that idenfy a user’s device and
online behavior. The data included browser cookies,
IP addresses, user-agent details, device IDs, operang
system informaon, and login credenals for various
online services.
Genesis Marketplace had over 350,000 digital
ngerprints listed for sale, ranging from $5 to $200.
The plaorm also had over 250,000 login credenals
for various online services, including email, banking,
social media, gaming, and e-commerce. The plaorm
claimed to have over 55,000 acve users and generated
over $100 million in revenue since its incepon in 2017.
The market oered its customers a browser extension
that allowed them to impersonate the vicms whose
digital ngerprints they purchased. The customers
could then access the vicms’ accounts without
triggering security alerts or vericaon processes.
Genesis Marketplace also provided its customers with
tools to create their own digital ngerprints and sell
them on the plaorm.
The FBI said it iniated the invesgaon into Genesis
Marketplace in 2019 aer receiving a p from a
condenal source who provided access to its backend
server and database, which contained evidence of the
plaorm’s operaons and transacons. The FBI was
able to idenfy and locate the suspects involved by
tracing their online acvies and transacons. They
obtained search warrants for several locaons and
seized various devices and documents related to
Genesis Marketplace.
The FBI coordinated with law enforcement agencies
from Australia, Belgium, Canada, Colombia, Denmark,
France, Germany, Italy, Japan, Netherlands, Poland,
Romania, Spain, Sweden, Switzerland, Ukraine, the
United Kingdom, and Uruguay to execute the operaon.
The FBI stated that the operaon was a signicant step
in disrupng and dismantling Genesis Marketplace and
its infrastructure. The agency also said it is commied to
protecng consumers and businesses from cybercrime
and holding cybercriminals accountable.
Due to the U.S. Department of the Treasury sanconing
Genesis Marketplace for its part in stealing and selling
device credenals and related sensive informaon,
it has been added to Arete’s Sanconed and Restricted
Malware/Enes List.
Law Enforcement Acons Against Cybercriminals
The FBI coordinated with law enforcement
agencies globally to disrupt and dismantle
Genesis Marketplace and its infrastructure.
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
25
On May 9, 2023, the U.S. government executed a
successful operaon to disrupt and disable a covert
cyber espionage network operated by Russia’s Federal
Security Service (FSB). The FSB used the network,
dubbed Snake, to collect sensive intelligence from
high-priority targets worldwide, including government
networks, research facilies, and journalists.
Snake is considered the most sophiscated cyber
espionage tool in the FSB’s arsenal, employing
stealthy host components and encrypted network
communicaons. Snake also uses a peer-to-peer (P2P)
network of infected computers to relay operaonal
trac to and from the FSB’s ulmate targets, making
it harder to detect and trace.
The operaon, codenamed MEDUSA, was a joint
eort by the Cybersecurity and Infrastructure Security
Agency (CISA), the Federal Bureau of Invesgaon
(FBI), and the Naonal Security Agency (NSA). The
agencies leveraged their unique authories and
capabilies to idenfy, analyze, and disrupt Snake’s
infrastructure and operaons.
The operaon involved several steps:
• The CISA issued a Cybersecurity Advisory (CSA)
to provide network defenders with technical
informaon and migaon recommendaons
on Snake.
• The FBI obtained court orders to seize
domains and servers used by Snake as part of
its P2P network.
• The NSA provided intelligence and technical
experse on Snake’s acvies and targets.
• The FBI created and deployed a tool called
PERSEUS, designed to disable Snake’s malware
on compromised computers in the U.S.
• The CISA coordinated with internaonal
partners to share informaon and assistance
on Snake.
The operaon resulted in the disrupon of Snake’s
P2P network, the removal of Snake’s malware from
hundreds of computers in the U.S., and the exposure
of Snake’s targets and techniques. The agencies also
warned that Snake may sll pose a threat and urged
network defenders to remain vigilant and apply the
recommended migaons.
The operaon demonstrates the U.S. government’s
commitment and ability to counter malicious cyber
acvity from foreign adversaries. It also showcases
the importance of collaboraon and informaon
sharing among federal agencies and internaonal
partners. The agencies stated they will connue to
monitor and respond to any aempts by the FSB or
other actors to reconstute Snake or launch new
cyber operaons against the U.S. or its allies. Global
law enforcement agencies coming together to combat
cybercrime showcases their connued eorts to
disrupt cybercrime around the world.
Global law enforcement agencies coming
together to combat cybercrime showcases
their connued eorts to disrupt cybercrime
around the world.
Law Enforcement Acons Against Cybercriminals
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
26
The barrier of entry into cybercrime is lower than
ever, and along with these mainstay actors, Arete also
expects to see an inux of new or re-branded groups
as they move away from the aliate model towards
a more cellular structure. Emerging threat actors
will likely leverage arcial intelligence, inial access
brokers, commodity RATs, and leaked ransomware
source code to build their own operaons without
needing support from large aliate programs.
The connued downstream impact of the Russia-
Ukraine War has caused a shi in the cybercrime
ecosystem that Arete expects to connue throughout
the rest of 2023. In response to disgruntled
aliates and increased law enforcement acon,
cybercriminals seek to deect risk and disguise their
taccs to become increasingly elusive.
Arete also expects global governments and law
enforcement agencies to connue their successful
eorts in targeng cybercriminals. As threat
actors benet from an inux of new tools and
technologies, so do threat hunters and network
defenders. Organizaons are increasingly priorizing
cybersecurity as a risk management issue and
becoming more resilient against cyber threats, and
Arete is commied to helping organizaons migate
and respond to cyber incidents.
To increase cyber resiliency and secure data and
systems, Arete recommends that organizaons consider
implemenng the following proacve measures:
• Regularly update security soware and patch
against vulnerabilies.
• Limit user privileges to the least access required
to complete job requirements.
• Conduct end-user training to educate
employees on common social engineering
techniques.
• Implement an XDR (Extended Detecon and
Response) tool like SennelOne to detect
ransomware and other malware threats.
• Ulize an aack surface management toolset
to enumerate externally facing infrastructure
and idenfy associated vulnerabilies.
• Conduct annual penetraon tesng to idenfy
security gaps and weaknesses.
• Remain informed about the latest ransomware
trends and techniques.
• Dene an Incident Response Plan to streamline
recovery from ransomware aacks.
What to Expect
H1 2023 CRIMEWARE TRENDS AND HIGHLIGHTS | ©2023 Arete Advisors, LLC. All Rights Reserved.
27
Disclaimer: Unless otherwise noted, all data within this report is based on Arete incident response cases.
• hps://securityscorecard.com/research/deep-dive-into-ALPHV-blackcat-ransomware/
• hps://www.malwarebytes.com/blog/news/2022/09/lockbit-builder-leaked-by-disgruntled-developer
• hps://intel471.com/blog/lockbit-3-0-builder-code-leak-points-to-another-disgruntled-criminal-employee
• hps://www.sennelone.com/anthology/akira/
• hps://news.sophos.com/en-us/2023/05/09/akira-ransomware-is-bringin-88-back/
• hps://blog.cyble.com/2023/06/28/akira-ransomware-extends-reach-to-linux-plaorm/
• hps://www.cisecurity.org/insights/blog/the-con-leaks-a-case-of-cybercrimes-commercializaon
• hps://cybernews.com/news/pun-team-ransomware-emerges-from-leaked-cons-source-code/
• hps://ieeexplore.ieee.org/document/9153425
• hps://unit42.paloaltonetworks.com/bluesky-ransomware/
• hps://techmonitor.ai/technology/cybersecurity/babuk-source-code-ransomware-malware
• hps://www.jusce.gov/opa/pr/us-department-jusce-disrupts-hive-ransomware-variant
• hps://unit42.paloaltonetworks.com/luna-moth-callback-phishing/
• hps://www.sennelone.com/blog/LockBit-for-mac-how-real-is-the-risk-of-macos-ransomware/
• hps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
• hps://krebsonsecurity.com/2023/04/i-seizes-bot-shop-genesis-market-amid-arrests-targeng-operators-
suppliers/
• hps://www.cisa.gov/news-events/cybersecurity-advisories/aa23-129a
• hps://decoded.avast.io/threatresearch/decrypted-akira-ransomware/
• hps://www.cisa.gov/joint-ransomware-task-force
• https://www.whitehouse.gov/briefing-room/statements-releases/2022/11/01/fact-sheet-the-second-
internaonal-counter-ransomware-iniave-summit/
• hps://www.cnet.com/personal-nance/crypto/a-meline-of-the-biggest-ransomware-aacks/
Resources
Arete Advisors, LLC makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the contents of this report and expressly
disclaims liability for errors and omissions in the content. Neither Arete Advisors, LLC, nor its employees and contractors make any warranty, express or
implied or statutory, including but not limited to the warranes of non-infringement of third-party rights, tle, and the warranes of merchantability and
tness for a parcular purpose, with respect to content available from this report. Arete Advisors, LLC assumes no liability for any direct, indirect, or any other
loss or damage of any kind for the accuracy, completely, or usefulness of any informaon, product, or process disclosed herein, and does not represent that
the use of such informaon, product, or process would not infringe on privately owned rights. Informaon contained in this report is provided for educaonal
purposes only and should not be considered as legal advice.
Cyber Emergency Helpline 866 210 0955
Phone 646 907 9767
New Engagements
arete911@areteir.com
General Inquiries
markeng@areteir.com
www.areteir.com
