Threat protection startup Deep Instinct Ltd. today released a new report that details some disturbing changes in the world of ransomware as the fight against cybercrime has continued to ramp up throughout the year.

The 2022 Bi-Annual Cyber Threat Report finds significant changes in threat actor structure as some of the most prevalent actors have changed or splintered. Ransomware gangs, including LockBit, Hive, BlackCat and Conti, have either returned in new forms after being knocked offline or, in the case of Conti, former affiliate groups have emerged with their own operations.

Malware campaigns are in flux, according to the report, which highlights changes to Emotet, Agent Tesla, NanoCore and others. Emotet, which surged earlier this year, is now using highly obfuscated VBA macros to avoid detection.

A move by Microsoft Corp. to disable macros by default in Microsoft Office files was found to result in a sizable decrease in the use of documents for malware distribution. Threat actors were found to be “shifting gears” and implementing other methods to deploy their malware, such as LNK, HTML and archive email attachments.

Significant vulnerabilities remain an ongoing issue, with the likes of SpoolFool, Follina and DirtyPipe highlighted as exploiting both Windows and Linux systems despite efforts to enhance security. The researchers also say exploited in-the-wild vulnerabilities also surge every three to four months and that they’re expecting a new spike in the last two months of the year.

Data exfiltration attacks were found to be extending to third parties, with threat actor groups demanding ransom payments for leaked data. Sensitive data exfiltration remains a popular target because there are fewer remediation options for companies affected. The number of active leak databases created by ransomware groups is now found to total 17.

The report predicts that insiders and affiliate programs will continue to rise in popularity as malicious threat actors look for the weakest link. Some threat actors choose to go after weak targets or simply pay an insider for access. The infamous Lapsus$ gang is a prime example of a group that regularly does the latter.

With the Russian invasion of Ukraine ongoing, the Deep Instinct researchers predict that “protestware” will continue to rise. They also warn that there’s a high chance of major end-of-year attacks as well, given that there have not been vulnerabilities in 2022 similar to Log4j or the Exchange issues in 2021.

Image: Pixabay