Global Cyber Threat Intelligence (CTI) Semi-annual Cyberthreat Trends Report 2024 PDF Free Download


Global Cyber Threat Intelligence (CTI)
Semi-annual Cyberthreat Trends Report 2024
October 2024
Copyright © 2024 Deloitte Development LLC. All rights reserved.
Table of contents
1. Executive overview: High-level presentation of top threat actors, threat vectors, incidents, and overall assessment
2. Cross-industry threat vectors: Trending and emerging high-level threat vectors with a global impact
3. Notable cybersecurity events: Timeline of the top notable cybersecurity events globally between January and June 2024
4. Threat vector highlights: Spotlight on the ransomware and malware threat landscape
5. Executive report summary: Summary of cybersecurity events by type, threat actor type, and targeted industry as observed by Deloitte CTI
6. Threat actors: High-level overview of categories, heatmap, and trending and emerging threat actors with a global impact
The following report highlights overarching cybertrends and emerging issues from 01 January to 30 June 2024.
Executive overview | Semi-annual cyberthreat trends 2024
Most impactful threat actor: Kimsuky
Kimsuky's financial activities actively exploit cryptocurrency platforms and non-fungible tokens (NFTs). The group crafts sophisticated phishing emails that exploit weak Domain-based Message Authentication, Reporting and Conformance (DMARC) policies to facilitate cyber espionage.
Category: Nation-state | Motive: Political and financial gain | Likelihood: Very likely | Impact: Severe

Most trending threat actor: ALPHV
Despite authorities disrupting its operations in December 2023, ALPHV and its affiliates continued to be active well into 2024, with an exit strategy that left the affiliates unpaid. One affected health care company confirmed the total cost of the ALPHV breach exceeded US$870 million.
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Severe

Top threat vector: Ransomware
There is an observable shift in the ransomware ecosystem with increased attacks and broader targets that more often include small- and medium-sized businesses.
Tactic: TA0040 | Likelihood: High | Impact: Probable

Top industry targeted: Government and Public Services
Deloitte CTI observed that the most targeted industry thus far in 2024 is Government and Public Services (GPS). This observation aligns with current trends regarding advanced persistent threat (APT) groups targeting critical infrastructure networks and governmental election campaigns.
Motive: Espionage and intellectual property gain
Highlights
Law enforcement disrupted ransomware groups ALPHV and LockBit, leading to an observed decrease in both groups' criminal activity. Several other ransomware groups have emerged and appear to have similarities with previously known groups.[2]
Cybercriminals continue to use artificial intelligence (AI) in their activities. Recent spam campaigns feature deepfake technologies to mimic the voices and appearance of prominent individuals.[3]
Access-as-a-service (AaaS) offerings through initial access brokers (IAB) are trending in underground forums, impacting all industry verticals. Malware-as-a-service (MaaS) offerings have also increased during the first half of 2024.

Assessment
Deloitte CTI assesses with high confidence that the ransomware ecosystem will be more fragmented and diverse than in recent years. This shift notably expands the target pool, with threat actors increasingly focusing on small- and medium-sized businesses.
Deloitte CTI assesses with moderate confidence that living-off-the-land (LotL) and fileless malware techniques are becoming the preferred modus operandi for sophisticated threat actors. Their activities will be increasingly difficult to prevent and detect.
Deloitte CTI assesses with high confidence that nation-state threat actors will escalate attacks on global critical infrastructure, banking systems, and cryptocurrency platforms. These campaigns will focus on espionage, disruption, sabotage, and financial theft, posing significant risks to national security and global economic stability.
During the first half of 2024, Deloitte CTI observed several overarching, cross-industry threat vectors, not specific to threat actor type. This slide illustrates the
global impact of ransomware, malicious AI use cases, globally trending malware, and observations from underground forums and marketplaces.
Cross-industry threat vectors | Trends
Ransomware
During the first half of 2024, large ransomware-as-a-service (RaaS) families disbanded, and smaller groups, such as RansomHub and Hunters International, emerged.
Recent years have marked a distinct rise of a few dominant RaaS families, including ALPHV, BlackBasta, Hive, and LockBit, alongside other smaller families in the wild. After law enforcement disrupted both groups, LockBit and ALPHV dominated the headlines at the start of the year.[2] As the fallout of the disruption plays out, there has been a shift in ransomware tactics in 2024.
Law enforcement agencies have broken the profitable RaaS affiliate cycle, and now these cybercriminals are assessing their options and shifting tactics.
Smaller-scale threat actors are now finding alternative revenue streams by monetizing previously leaked data from ransomware attacks.[4]
Likelihood: Probable | Impact: High

AI
Politically motivated threat actors have employed sophisticated AI tools in influence operations targeting the January 2024 elections in Taiwan. These operations involved creating deepfake audios, photos, and videos, using AI to manipulate videos to skew the original message, and using deepfake technology to imitate the voices of prominent individuals to carry out spam campaigns.[5]
APT groups actively leverage AI-based tools such as large language models (LLMs) to conduct sophisticated attacks. LLMs are now used in social engineering, reconnaissance, defense evasion, and customized phishing attacks globally.[6]
Financially motivated threat actors compromise prominent X (formerly Twitter) accounts and use AI-generated videos and malicious advertising to promote websites that use malicious scripts to drain crypto wallets. Drainer-as-a-service operators provide drainer scripts to affiliates in exchange for a percentage of the stolen funds.[7],[8]
Likelihood: Roughly even chance | Impact: Moderate

Malware trends
The most prevalent malware strains observed in the first half of 2024 are remote access trojans (RATs), information stealers (infostealers), and droppers. The popularity and prevalence of these strains are very likely attributed to the rise of MaaS offerings on underground forums and the low costs associated with the malware.[1]
Deloitte CTI observed that these malware strains often serve as a gateway for threat actors to compromise a target network before launching subsequent attacks. APTs and cybercriminals alike use these malware strains in the initial phases of an attack, subsequently pivoting tactics to achieve their respective outcomes.
Threat actors leveraged old techniques, such as fileless malware and LotL techniques, to deliver various malware payloads during the first half of 2024.[1]
Likelihood: Likely | Impact: Significant

Underground trends
The key trend Deloitte CTI observed in the underground forums is an increased amount of doxed individuals' information for sale.
Threat actors use phishing attacks and impersonate companies to use social engineering techniques to insert themselves into a network.
Financially motivated threat actors were targeting tax services during the US tax season.
Nation-state-sponsored threat actors have targeted critical infrastructure globally, including banking and cryptocurrency platforms.
AaaS offerings through IABs are trending in underground forums, affecting all industry verticals. MaaS offerings have also increased in the first half of 2024.
Likelihood: Roughly even chance | Impact: Moderate
Incidents | Top notable cybersecurity events between January and June 2024

07 February: Volt Typhoon compromises and maintains access to critical US infrastructure
The US Cybersecurity and Infrastructure Security Agency (CISA) released a statement on Volt Typhoon. The nation-state-affiliated threat actor successfully used LotL techniques to infiltrate several critical infrastructure organizations and has likely positioned itself to disrupt critical functions.[9]

19 February: Lazarus Group behind cyber-espionage campaign into global defense sector
German and South Korean intelligence agencies identified North Korea-affiliated Lazarus Group behind ongoing cyber campaigns aiming to steal military technologies to boost North Korea's own capabilities.[10]

21 February: US health insurance ransomware hack
The ALPHV ransomware group encrypted a large US health insurance provider's third-party systems and demanded a US$22 million ransom. The victim paid the ransom, and the estimated damages from the incident exceeded US$870 million.[11] In a statement from the insurance provider, this attack will likely affect a "substantial portion of Americans."[12]

29 February: Threat actors exploiting Ivanti Connect Secure and Policy Secure Gateway vulnerabilities
CISA and its investigative partners warned that threat actors have been leveraging multiple vulnerabilities affecting Ivanti's Connect Secure and Policy Secure gateways, allowing threat actors to bypass detection, inject web shells, and steal stored credentials from their victims' devices.[13]

17 March: Telecommunications provider customer data leak
A US multinational telecommunications provider announced that a data set from 2019 or earlier has been leaked.[14] It is estimated that data from 73 million customers has been released onto the dark web. The Shiny Hunters threat group conducted the initial breach in 2021; now, a threat actor called "MajorNelson" has leaked the dataset.[15]

02 April: Daixin Team ransomware gang behind hospitality IT outage
A US-based international hotel company confirmed that a cyberattack was behind its IT outage.[16] The Daixin Team ransomware group claimed responsibility for the attack and obtained 3.5 million customer records.[17]

24 April: ArcaneDoor campaign used zero-day vulnerabilities to breach various government networks
Cisco Systems Inc. warned that a state-backed hacking group, Storm-1849, has been exploiting two zero-day vulnerabilities, CVE-2024-20353 and CVE-2024-20359, in a cyber-espionage campaign named ArcaneDoor, targeting government networks since November 2023.[18]

07 May: Australia added to the list of governments targeted by PRC-backed hacking group
Australia was added to the list of countries targeted by a cyber-espionage campaign the Chinese regional threat group APT31 carried out.[19] The US Department of Justice (DoJ) stated that this campaign aimed to gather information that may affect or benefit regional Chinese interests.[20]

24 May: Australian health care customer data stolen and sold on Russian forum
An Australian health care technology company confirmed that it had been the victim of a large-scale ransomware attack, followed by 6.5 terabytes of data being listed for sale on a Russian hacking forum. The data listed contains private personal information and limited medical data for its customers.[21] The company has since declared insolvency due to the incident.[22]

29 May: Europol's "Operation Endgame" executes largest ever operation against botnets, targeting IcedID, SystemBC, Pikabot, Smokeloader, Bumblebee and Trickbot
Europol's threat response operation, dubbed "Operation Endgame," was carried out from 27 to 29 May to disrupt the global malware dropper ecosystem. Europol has advised that this stage of the operation has been widely successful and is still ongoing.[23]
Threat vector highlight | Ransomware threat trends
Emergence of new groups from disbanded families
Three prominent ransomware groups, BlackSuit, Hunters International, and RansomHub, formed after the apparent disbanding of other families: Royal, Hive, and Knight Ransomware, respectively.
BlackSuit (Royal Ransomware): The 2023 "#StopRansomware" advisory [25] detailed how the Royal Ransomware group was preparing for a rebrand or spinoff variant due to the similarities between it and the newly formed BlackSuit group. The similarities include command-line parameters and encryption mechanisms.[25],[26]
Hunters International (Hive): In January 2023, the US Federal Bureau of Investigation (FBI) announced it had dismantled Hive ransomware, gained decryption keys, and provided them to victims. However, in October, security researchers noted substantial code overlaps between Hive ransomware and the emerging group Hunters International; these overlaps include operating strategies and encryption techniques.[27],[28]
RansomHub (Knight Ransomware): In February 2024, Knight ransomware shut down. The malware code was suspected to have been sold to the actor who launched RansomHub. Observed similarities include the code being written in Go, the ransom notes using similar phrasing, and both payloads restarting the endpoints in safe mode before encryption. RansomHub has been known to provide a 90 percent commission rate; therefore, it is likely to recruit seasoned affiliates from other RaaS platforms. Security researchers have also observed the group listing previously advertised leak data from other ransomware groups.[11],[30]

Proliferation of RaaS and law enforcement involvement
Deloitte CTI has observed a significant shift in the ransomware threat landscape due to increased law enforcement pressure, infrastructure disruptions, and a growing mistrust among cybercriminals.
RaaS operators primarily depend on affiliates or third parties to gain initial access and deploy their ransomware, with affiliates seeking the highest payout and the most reputable program. Deloitte CTI has observed a surge in ransomware activity from new and emerging groups, alongside a trend of affiliates refining their tactics to boost profits. This trend includes remonetizing stolen data through partnerships with third parties and data leak sites (DLS) such as Dispossessor and Rabbit Hole Leaks. These platforms signify a shift toward a sustained exploitation model, where threat actors continually leverage stolen data for financial gain.[4]
During the first half of 2024, RaaS continued to proliferate, increasing the accessibility of ready-to-use ransomware and tools to less skilled people. This activity, combined with takedowns of major RaaS operators, has led to increased attacks and broader targets that increasingly include small- and medium-sized businesses. These businesses typically rely on third-party software, making them more susceptible to software supply chain attacks, and have reduced security resources compared to market-dominant companies.[24]
Details about law enforcement actions and their impact on the ransomware threat landscape are explored further in this report.
Threat vector highlight | Ransomware threat trends (continued)

Impact of law enforcement actions
In February, law enforcement seized LockBit's servers. Although the group's administrator reassured affiliates that operations would continue, further disruptions followed.[36] A few months later, authorities unmasked and sanctioned the LockBit administrator, severely hampering the group's ability to conduct malicious activity and exposing data on affiliates.[37]
Meanwhile, in March, ALPHV's leak site appeared offline, displaying a fake law enforcement seizure banner. In an alleged exit scam, a former affiliate known as RansomHub accused the group of disappearing with its share of a US$22 million ransomware payout.[32] These events have significantly undermined trust within the cybercriminal community, prompting affiliates to seek alternative programs and methods to secure payments.

ALPHV timeline
13 Dec: The FBI seizes ALPHV's darknet website. The US DoJ released a statement detailing its "disruption campaign," and that a confidential source helped to access more than 500 decryption keys.[30]
21 Feb: ALPHV's affiliates compromise a health care organization, impacting a range of critical services across the United States. The group demanded a ransom payment of US$22 million, and the company paid nine days later.[31]
01 March: ALPHV stages a fake law enforcement seizure banner on its website to attempt an alleged exit strategy. The group also announces it intends to sell the malware source code for roughly US$5 million.[32]
08 April: RansomHub RaaS group claims to have 4TB of stolen data from the same health care organization and demands another ransom, accusing ALPHV of disappearing with its share. RansomHub sets a 12-day deadline to negotiate before the data would be sold to the highest bidder.[33] The health care company confirms the breach costs exceed US$870 million, including identity theft protection services and complimentary credit monitoring for affected customers.[34]

LockBit timeline
20 Feb: A targeted law enforcement operation, known as "Operation CRONOS," leads to the arrest of two LockBit members, the seizure of 34 servers, over 200 cryptocurrency wallets, and the recovery of over 2,000 decryption keys.[35]
24 Feb: LockBit establishes a new Tor site and adds victims. LockBit also calls for more frequent attacks on the .gov domain and states that authorities obtained only 2.5 percent of decryption keys.[36]
02 May: Australia, the United Kingdom, and the United States sanctioned Dmitry Yuryevich Khoroshev (AKA "LockBitSupp"). Within days, LockBit adds over 60 victims to its new DLS.[37] LockBit's new website is seized five days later, with a countdown to 07 May for further information.
05 June: The FBI announced it had recovered 7,000 LockBit decryption keys, urging past ransomware victims to contact them.[38] In the following months, LockBit exaggerated numerous claims on its DLS, including falsely claiming to have stolen 33TB of data from the US Federal Reserve.[39]

New and emerging ransomware trends
Deloitte CTI has observed the number of active ransomware groups more than doubled year-on-year, increasing from 29 distinct groups in the first quarter of 2023 to 45 distinct groups in the first quarter of 2024. There is also an uptick in activities from less established groups such as Hunters International, 8base, and RansomHub, now occupying the top spots in monthly victim counts.[40],[41] Deloitte CTI attributes the emergence of these new groups and the rise of mid-tier groups to the decline of prolific competitors and changing affiliate alignments, filling the gaps left by the disruption of LockBit and ALPHV operations. The ransomware threat landscape evolved from threat actors focusing solely on immediate financial gain to prioritizing a broader approach that involves the repeated exploitation of corporate data.
Threat vector highlight | Malware

Re-emerging techniques
LotL techniques and fileless malware attacks
Deloitte CTI has observed a resurgence in the use of LotL techniques and fileless malware in the first half of 2024. These techniques involve leveraging legitimate tools in the target environment, such as PowerShell, batch files, registry run keys, and Windows Management Instrumentation.[43] These methods are attractive because they exploit the inherent trust and allow-listed status of inbuilt tools within enterprise environments, enabling attackers to conduct network reconnaissance, escalate privileges, move laterally, steal data, and establish backdoors with minimal detection. Deloitte CTI has observed that sophisticated threat actors, including APTs such as Volt Typhoon, and ransomware groups such as Akira, ALPHV and Black Basta, increasingly utilize these techniques.[1],[44],[45]
Concurrently, Deloitte CTI has observed an uptick in fileless malware strains such as njRAT, RevengeRAT, and SocGholish.[1],[46] This trend highlights the persistence and adaptability of threat actors in response to the effectiveness and prevalence of endpoint detection and response tools in enterprise environments. Deloitte CTI assesses with moderate confidence that the rise in LotL techniques and fileless malware has led to a decline in custom malware, indicating threat actors are seeking less resource-intensive means of gaining initial access.[43] Compared to developing custom malware exploits, these techniques require relatively little effort and enable threat actors to remain undetected within a victim's network for prolonged periods.

[Bar chart: Top 10 malware strains Deloitte CTI observed between January and June 2024, by observed count: AgentTesla, Cobaltstrike, njRAT, RevengeRAT, Metastealer, Stealc, Avemaria, Xworm, AZORult, Gh0strat]

Persistent threats from initial access malware
Deloitte CTI has observed malware strains that facilitate initial access, such as RATs, infostealers, and droppers, which have remained the most persistent cyberthreats in the first half of 2024.[1] These malware variants act as a gateway for threat actors to compromise target networks and install additional malware, including viruses, ransomware, and spyware. To counter the rising threat posed by initial access variants, law enforcement agencies led by Europol launched "Operation Endgame," the largest global operation of its kind. Starting in May 2024, Operation Endgame focused on disrupting and dismantling prolific botnet infrastructure that ransomware threat actors commonly utilize to distribute malware droppers such as Bumblebee, IcedID, PikaBot, SmokeLoader, SystemBC, and TrickBot. Since May, Operation Endgame has successfully taken down 100 servers that criminals used and seized over 2,000 malicious domains.[23]
Concurrently, Deloitte CTI observed the accessibility and low cost of initial access malware strains on underground marketplaces have significantly lowered the barrier to entry for cybercriminals, enabling less-sophisticated cybercriminals to initiate attacks. For example, the top five RAT strains observed are offered on underground marketplaces for as little as US$10. Additionally, some malware authors have developed comprehensive sales ecosystems, providing user manuals, 24/7 customer support, and tailored purchase plans to suit various budgets and goals.[42] These trends underscore the growing sophistication and commercialization of the malware ecosystem, exacerbating the persistent threat of malware.
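The LotL techniques described in this section (PowerShell, registry run keys and Windows Management Instrumentation) leave no malicious file on disk, but they do leave process, registry and WMI telemetry. The following Python detection sketch is an added example, not Deloitte CTI's tooling; it runs a few rules over constructed events loosely modelled on Sysmon event IDs (paths, SID and host name are made up) and decodes -EncodedCommand arguments so an analyst sees the command the encoding hides.

```python
import base64
import re

# Constructed sample events, loosely modelled on Sysmon event IDs (1 = process
# create, 13 = registry value set, 20 = WMI event consumer). Paths, SID and host
# name are made up; this is not real telemetry.
_RECON = "whoami /all; Get-WmiObject Win32_ComputerSystem"
ENCODED_RECON = base64.b64encode(_RECON.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand " + ENCODED_RECON},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\nightly-backup.ps1"},  # routine admin use
    {"id": 13, "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"powershell -w hidden -f C:\Users\Public\update.ps1"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:FILESRV01 process call create "cmd.exe /c whoami"'},
    {"id": 20, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "consumer_type": "CommandLineEventConsumer",
     "details": "powershell.exe -NoP -W Hidden -c Start-Sleep 60"},
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
_ENC_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
_RUN_KEY_RE = re.compile(r"(?i)\\currentversion\\run(?:once)?\\")
# Parents that rarely have a legitimate reason to launch PowerShell.
SCRIPT_HOST_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe"}


def decode_encoded_command(cmdline):
    """Return the plaintext of a -EncodedCommand argument (UTF-16LE base64), or None."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events):
    """Run the LotL rules over a list of events and return a list of findings."""
    findings = []
    for i, ev in enumerate(events):
        cmd = ev.get("cmdline", "")
        image = _basename(ev.get("image", ""))
        if ev["id"] == 1 and image == "powershell.exe":
            decoded = decode_encoded_command(cmd)
            if decoded is not None:  # surface the command the encoding hides
                findings.append({"event": i, "rule": "encoded_powershell", "detail": decoded})
            if _HIDDEN_RE.search(cmd):
                findings.append({"event": i, "rule": "hidden_window_powershell", "detail": cmd})
            if _basename(ev.get("parent", "")) in SCRIPT_HOST_PARENTS:
                findings.append({"event": i, "rule": "script_host_spawned_powershell",
                                 "detail": ev["parent"]})
        if ev["id"] == 1 and image == "wmic.exe" and re.search(r"(?i)process\s+call\s+create", cmd):
            findings.append({"event": i, "rule": "wmi_remote_process_create", "detail": cmd})
        if ev["id"] == 13 and _RUN_KEY_RE.search(ev.get("target", "")):
            findings.append({"event": i, "rule": "run_key_persistence", "detail": ev.get("details", "")})
        if ev["id"] == 20 and ev.get("consumer_type") == "CommandLineEventConsumer":
            findings.append({"event": i, "rule": "wmi_event_subscription", "detail": ev.get("details", "")})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"event {f['event']}: {f['rule']}: {f['detail'][:80]}")
```

The routine backup job (event 1) produces no finding, which is the point of pairing each rule with a context signal such as parent process or window style rather than alerting on every PowerShell launch.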
Deloitte's CTI team performs internal threat research and gathers open-source intelligence, including cyber events from forums and
news media dedicated to cyberthreat activities. The following graphs summarize observed activity between January and June 2024.
Executive report summary

[Chart: Cyber events observed by threat actor type: Cybercriminals, Nation State, Hacktivists, Unattributed]
[Chart: Cyber events observed by type: Malware distribution, Cyber espionage, Others, Ransomware, Phishing, Data exfiltration, Supply chain, Malvertising, Cryptomining/cryptojacking, DDoS, Botnet, Brute force]
[Chart: Cyber events observed targeting specific industries: GPS, TMT, C, FSI, ER&I, LSHC, Unattributed]
Threat actors | Overview

Nation-state linked: Likelihood Likely, significant long-term impact | Motivation Political, espionage, financial | Top actors Kimsuky, Lazarus Group, Sandworm, Volt Typhoon
Cybercriminals: Likelihood Likely, significant immediate impact | Motivation Financial | Top actors ALPHV, Black Suit, Hunters International, RansomHub, 8base
Hacktivists: Likelihood Roughly even chance, moderate impact | Motivation Political | Top actors Anonymous Sudan, Killnet
Insider threats: Likelihood Malicious: roughly even chance, severe impact; Unintentional: likely, significant impact | Motivation Financial, revenge, fear (blackmail) | Top actors Not applicable
The beginning of 2024 marked sophisticated threat actors' continued cooperation and
blurred motivations.
Nation-state APT groups increasingly use hacktivist personas to mask their activities and
shape the information environment. Sandworm used three Telegram personas to spread
misinformation and amplify its information operations regarding the Russo-Ukrainian war.[47]
Lazarus Group and Kimsuky continue to exploit cryptocurrency, NFTs and smart contract
ecosystems, totaling approximately US$3 billion in cryptocurrency theft linked to North Korea
since 2017.[48]
Threat groups are increasingly impersonating companies by using social engineering
techniques to access their victims' environments.
Cybercriminals have been targeting tax services and continued to target banking and
cryptocurrency platforms for monetary gain.
Ransomware groups remained prevalent in the first half of 2024. North American and
European organizations were the most targeted thus far in 2024.[49]
Hacktivists are becoming more nuanced and nefarious, and the threat will likely grow in line
with global geopolitical tensions.
Hacktivist groups have developed their own dark web marketplaces and are engaging in
RaaS operations.
KillNet remains active and has claimed hundreds of attacks between 2022 and 2024;
however, it is important to note that these attacks resulted in minimal impact on the
targeted organizations.
Attribution of hacktivist activity is difficult due to false claims.[50]
Insiders pose a significant threat due to their access and working knowledge of an
organization. For example, reporting emerged in 2024 about an ex-employee accessing
patient information after being terminated. The company had not revoked the employee's
access at the time of termination.[51]
This case highlights the importance of personnel security policies. These policies should include removing or deactivating the employee's user account at the same time as, or just before, the employee is notified of termination.
Threat actors | Trending and emerging between January and June 2024
This heatmap highlights the most trending
and impactful threat actors over the last
year in both the frequency and spread of
campaigns and newly emerging ones.
Deloitte CTI analysts conducted a
probability-based risk assessment to
provide contextual risk quantification for the
threat actors that meet these criteria. The
team used specific, scenario-based
questionnaires to assess the threat for each
actor. Deloitte CTI customized the value for
each scenario based on its criticality.
"Emerging" means the threat actor has
begun activity during the past 12 months.
"Re-emerging" means that the threat actors
have been inactive for more than six
months before the reporting period and
have recently become active again.
Figure 3: Top trending malware heatmap in 2023 [1]
[Heatmap, Impact (vertical axis) against Likelihood (horizontal axis), plotting Akira, Blackwood, Anonymous Sudan, Black Basta, BlackSuit, Kimsuky, Lazarus Group, ALPHV, Hunters International, RansomHub, 8base, and Sandworm]
Malware | Trending and emerging between January and June 2024
Figure 3: Top trending malware heatmap in 2023 [1]
[Heatmap, Impact (vertical axis) against Likelihood (horizontal axis), plotting Cobalt Strike, Gamarue, SocGholish, AgentTesla, NSPX30, njRat, RevengeRat, and StealC]
Threat actor profiles | Trending and emerging
Akira
Akira is a ransomware threat actor group that security researchers first observed late March 2023.
Akira operates as a RaaS scheme for personal gain and uses double-extortion techniques.
Akira has targeted organizations across multiple sectors, including consulting, education, financial, manufacturing, real estate, and pharmaceuticals. Typically, the group has targeted small- to medium-sized businesses, where the ransom demanded ranges from US$200,000 to $4 million.
Akira predominantly uses compromised credentials, possibly obtained from its affiliates or from
phishing or spearphishing campaigns. Akira also exploits poorly configured remote desktop protocol
connections to gain access to accounts, including those with multi-factor authentication enabled. To
establish persistence, the group installs remote management software.
In January, the group added a US-based logistics company to its DLS. According to the post, 43GB of
sensitive files that featured personal and client data was exfiltrated. The targeted organization did not
make a public statement regarding the incident.[52]
Before 2024, Akira affected over 250 organizations and claimed roughly US$42 million from ransom
demands.[1],[53]
Risk Score: 64 | Threat Score: 65
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Severe
ALPHV
ALPHV is a cybercriminal threat actor that security researchers first observed in 2021. The group
operates under a RaaS model and is financially motivated. The group engages in "big game hunting"
(i.e., leveraging ransomware to target high-value organizations or entities) operations across multiple
countries.
Targeted sectors include financial services, logistics, commercial, construction, energy, manufacturing,
pharmaceutical, retail and technology.
Despite FBI involvement in December 2023, the group has continued to target victims and has added
multiple victims to its DLS in 2024.
In February, the group's affiliates accessed a US health care organization's environment by utilizing
compromised credentials to remotely access the organization's Citrix portal. Over a week later,
malware was activated to encrypt the organization's system, and the group demanded a ransom
payment of US$22 million, which the organization paid.[1],[11]
Risk Score: 79 | Threat Score: 65
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Severe
Threat actor profiles | Trending and emerging
Anonymous Sudan
Anonymous Sudan, first observed in January 2023, claims to be a Sudanese hacktivist group motivated
by religious and political beliefs. Despite the group's claims, security researchers believe Anonymous
Sudan is a pro-Russian hacktivist group, with most of its attacks focusing on Australia, Europe, Israel,
and the United States. In contrast to the religious persona behind the attacks, security researchers
have observed Anonymous Sudan teaming up with Russian threat actors Killnet and REvil to carry out
attacks, alluding to the possibility of Anonymous Sudan being a masked subsidiary of Killnet, driven by
pro-Russian beliefs.[54],[55]
Anonymous Sudan performs HTTP flood distributed denial of service (DDoS) attacks that overwhelm a
targeted server with requests and take the target infrastructure offline. The group uses paid infrastructure
rather than botnets to carry out these attacks: a cluster of rented servers generates far more traffic
than compromised personal devices could. This highlights the group's wealth of financial resources,
leading security experts to believe it is not the grassroots hacktivist group it claims to be.[1]
In 2024, the leader of Anonymous Sudan announced its latest campaign, "InfraShutdown," which it
advertises as providing tailored DDoS attack campaigns with "military-grade privacy" and which targets
financial systems, telecommunication networks, and critical infrastructure. Security researchers note this as
a significant escalation in the group's capabilities.[56]
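The HTTP-flood behaviour described above can be surfaced from ordinary web-server access logs by counting requests per source and in aggregate over a sliding window. The block below is an added example written for this section, not code from the report or from any vendor named in it; the log lines are constructed in the Common Log Format, and the window length and thresholds are illustrative assumptions to be tuned to a site's normal traffic.

```python
"""Flag HTTP-flood behaviour in web-server access logs.

Added example, not code from the report. The log lines are constructed in
the Common Log Format and the thresholds are illustrative assumptions; tune
them to the site's normal traffic.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status) or None for a line that is not CLF."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status"))


def detect_flood(lines, window_s=10, per_ip_limit=50, total_limit=200):
    """Sliding-window request counting over chronologically ordered lines.

    A source that sends more than `per_ip_limit` requests inside `window_s`
    seconds is an offender. More than `total_limit` requests from all sources
    together inside the window raises the aggregate alert, which still fires
    when a rented cluster spreads the load so that each member stays under
    the per-IP limit.
    """
    per_ip = defaultdict(deque)
    overall = deque()
    offenders = set()
    aggregate = False
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _status = parsed
        for window in (per_ip[ip], overall):
            window.append(ts)
            while (ts - window[0]).total_seconds() > window_s:
                window.popleft()
        if len(per_ip[ip]) > per_ip_limit:
            offenders.add(ip)
        if len(overall) > total_limit:
            aggregate = True
    return offenders, aggregate


def sample_lines():
    """Constructed log: three hosts fire 100 GETs each inside five seconds,
    while one ordinary client makes five requests a minute apart."""
    base = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(100):
        t = base + timedelta(milliseconds=50 * i)
        for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
            lines.append(f'{ip} - - [{t.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512')
    for i in range(5):
        t = base + timedelta(minutes=i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 2048')
    lines.sort(key=lambda l: parse_line(l)[1])
    return lines


if __name__ == "__main__":
    ips, agg = detect_flood(sample_lines())
    print("offending sources:", sorted(ips), "| aggregate alert:", agg)
```

The aggregate counter is the part that matters for a rented-server cluster: the per-IP rule alone is easy to stay under by adding more servers, whereas the total request rate against the origin is what actually exhausts it.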
Black Basta
Black Basta is a ransomware threat group that has targeted organizations across various industries in
North America, Europe, and Oceania. The group has been active since February 2022, although its
operations became publicly known a few months afterward in April 2022.
Black Basta follows the double-extortion model to pressure its victims into paying the ransom. The
group has two Tor sites: Black Basta Blog and Basta News.[1]
In 2024, security researchers have observed the group actively exploiting CVE-2024-1708 (a path-
traversal vulnerability) and CVE-2024-1709 (an authentication bypass using an alternate path or channel),
both of which are vulnerabilities in ConnectWise's ScreenConnect software. These vulnerabilities
can allow threat actors to gain unauthorized access to and control over affected systems.[57]
Security researchers at SR Labs developed a decryptor for victims whose files were encrypted with
Black Basta ransomware between November 2022 and December 2023. The group changed its
encryption process in December 2023, so the tool does not work for the numerous victims from
2024.[58]
At the end of March alone, security researchers observed the group listing 17 individual victims on its
DLS; the victims were from a variety of sectors and locations.[59] In May, the group also claimed an
attack on one of the largest national distributors of fuel in the United States and claimed to have
stolen 730GB of corporate, user, and employee data. The group also posted various documents as
proof on its DLS, including ID cards, payroll payment requesters, and data sheets.[60]
Anonymous Sudan scorecard: Risk Score 41 | Threat Score 10
Category: Hacktivist | Motive: Political gain and nationalism | Likelihood: Likely | Impact: Significant

Black Basta scorecard: Risk Score 74 | Threat Score 45
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Severe
BlackSuit
The BlackSuit ransomware group has been operating since May 2023. CISA advised in November 2023
that BlackSuit shares multiple coding characteristics with Royal ransomware, a group of
suspected Russian origin. These similarities include the encryption mechanisms and command-line
parameters.[25],[26]
The group selects targets across all industry verticals globally.
The group primarily uses phishing or vulnerability exploitation in VPN products for initial access.
The BlackSuit ransomware blog is only accessible through the Tor browser, and the posts are written
exclusively in English.
Security researchers note that the group's encryption is extremely rapid: on launch, the ransomware
obtains details of the local logical drives and then works quickly through the available folders and files
on every reachable volume. It writes its ransom note, "README.BlackSuit.txt," to every folder that
contains encrypted items.[26]
In 2024, BlackSuit targeted multiple organizations globally in the food wholesale, media,
pharmaceuticals, professional services, and technology sectors, and leaked over 700GB of data. The
group appears to exclude members of the Commonwealth of Independent States (CIS).[1]
Blackwood
Blackwood is a suspected China-aligned threat actor that has conducted targeted cyber-espionage
operations against individuals and companies in China, Japan, and the United Kingdom since at least
2018.[1]
The group operates a malicious implant identified as NSPX30 that can hijack the update process of
legitimate applications. NSPX30 originates from a "Project Wood" backdoor, first compiled in 2005. In
January 2024, security researchers observed the delivery of NSPX30 via adversary-in-the-middle attacks
that hijacked legitimate software prompts.[61]
Blackwood also abuses components of legitimate security solutions to load malicious components via
dynamic link library (DLL) sideloading. After the initial compromise, the DLL is executed through
"Rundll32.exe" and injects into processes; it performs debugger-detection and security-settings checks
to avoid detection, such as verifying the presence of antivirus software, assessing firewall status, and
identifying debugging tools.[62]
The threat group attempts to re-compromise victims' systems if they lose access, underscoring the
targeted nature of their operations.[1]
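DLL sideloading through Rundll32.exe, as described above, is usually visible in process-creation telemetry: the interesting signal is not Rundll32 itself but where the DLL it is asked to load lives and where its parent process runs from. The block below is an added example written for this section, not code from the report or from any vendor named in it. The events are constructed dictionaries shaped like the Image, CommandLine and ParentImage fields of a Sysmon Event ID 1 record, the directory lists are assumptions for a default Windows install, and the rule is a generic untrusted-path heuristic, not a signature for Blackwood's loader.

```python
"""Triage process-creation events for rundll32-driven DLL sideloading.

Added example, not code from the report. Events are constructed dicts shaped
like Sysmon Event ID 1 fields (Image, CommandLine, ParentImage). The rule is
a generic heuristic for DLLs loaded from untrusted paths, not a signature
for any particular group's loader.
"""
import ntpath

# Directories from which rundll32 ordinarily loads DLLs (assumption: default install).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Locations an ordinary user can write to; a DLL or parent binary here is suspicious.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")


def dll_from_command_line(cmd):
    """Return the lower-cased DLL path from 'rundll32.exe <dll>,<entry> ...' or None."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted executable path
        end = cmd.find('"', 1)
        exe, rest = cmd[1:end], cmd[end + 1:]
    else:
        exe, _, rest = cmd.partition(" ")
    if ntpath.basename(exe).lower() != "rundll32.exe":
        return None
    rest = rest.strip()
    if not rest:
        return None
    if rest.startswith('"'):                # quoted DLL path (may contain spaces)
        dll = rest[1:rest.find('"', 1)]
    else:                                   # "<dll>,<entry>" or "<dll> <args>"
        dll = rest.split(",", 1)[0].split()[0]
    return dll.lower()


def triage(event):
    """Return the reasons an event looks like DLL sideloading (empty list if none)."""
    reasons = []
    dll = dll_from_command_line(event.get("CommandLine", ""))
    if dll is None:
        return reasons
    if "\\" not in dll:
        # A bare name is resolved through the DLL search order, which an
        # attacker can influence; low severity on its own, common for applets.
        reasons.append("DLL given by bare name and resolved through the DLL search order")
    elif not dll.startswith(TRUSTED_DLL_DIRS):
        reasons.append("rundll32 loads a DLL from outside the Windows system directories")
    if dll.startswith(USER_WRITABLE):
        reasons.append("DLL resides in a user-writable location")
    if event.get("ParentImage", "").lower().startswith(USER_WRITABLE):
        reasons.append("parent process runs from a user-writable location")
    return reasons


# Constructed sample events (paths and the 'SecTool' vendor folder are invented).
SAMPLE_EVENTS = [
    {   # benign: a Control Panel applet launched from Explorer
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # suspicious: DLL dropped in a temp folder, loaded by a binary sitting in ProgramData
        "Image": r"C:\Windows\System32\rundll32.exe",
        "CommandLine": r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\upd.dll",Start',
        "ParentImage": r"C:\ProgramData\SecTool\updater.exe",
    },
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["CommandLine"])
        for reason in triage(event) or ["no findings"]:
            print("  -", reason)
```

In production the parent-process check is the one worth refining: the report notes that legitimate security-product components are abused as the loader, so pairing this rule with code-signing and publisher information for ParentImage separates a vendor binary in its normal install path from one copied into a writable directory.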
BlackSuit scorecard: Risk Score 50 | Threat Score 45
Category: Cybercriminal | Motive: Financial gain | Likelihood: Roughly even chance | Impact: Severe

Blackwood scorecard: Risk Score 12 | Threat Score 35
Category: Espionage | Motive: Political advantage | Likelihood: Unlikely | Impact: Minor
Hunters International
Hunters International emerged in the last quarter of 2023, following the disruption of the Hive
ransomware group. Security researchers have linked Hunters International to customized versions of
Hive ransomware, noting shared encryption techniques and operating strategies.[27]
Hunters International uses double extortion and opportunistically targets organizations globally across
all industry verticals. In 2024, the group has targeted organizations across sectors, primarily in the United
States.
As of mid-November 2023, all of Hunters International's reported victims experienced data exfiltration,
with only some having their data encrypted.
Unlike other ransomware groups, Hunters International does not specify a payment method or an
exact ransom amount. Instead, group members engage the victims directly in a negotiation process
through a chat portal accessible with the login credentials supplied in the ransom note.[1]
The group's encryptor appends the ".LOCKED" extension to targeted files, and security researchers
have observed the group placing ransom-note files named "Contact Us.txt" in directories. These text files
provide victims with instructions on contacting the group on the dark web to initiate a negotiation process.[63]
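The file-system artefacts named in the BlackSuit and Hunters International profiles above (a ransom note with a fixed name written into affected folders, and a fixed extension appended to encrypted files) are the kind of indicator a host sweep can look for after the fact. The block below is an added example written for this section, not code from the report or from any vendor named in it. It uses only the three indicators the report gives ("README.BlackSuit.txt", "Contact Us.txt", ".LOCKED"); the sample directory tree and the threshold of three renamed files per directory are constructed assumptions.

```python
"""Sweep a file tree for the ransomware artefacts named in the profiles above.

Added example, not code from the report. The indicators come from the report
text: the BlackSuit note "README.BlackSuit.txt", and the Hunters International
".LOCKED" extension and "Contact Us.txt" note. The sample tree and the
threshold of three renamed files per directory are constructed assumptions.
"""
import os
import tempfile
from collections import Counter

RANSOM_NOTE_NAMES = {"readme.blacksuit.txt", "contact us.txt"}
RANSOM_EXTENSIONS = {".locked"}


def scan_tree(root, note_names=RANSOM_NOTE_NAMES, extensions=RANSOM_EXTENSIONS):
    """Walk `root`; return (paths of ransom notes, count of renamed files per directory).

    Matching is case-insensitive: Windows file systems are case-insensitive
    and the note names are quoted in mixed case in the report.
    """
    notes = []
    renamed_per_dir = Counter()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            lowered = name.lower()
            if lowered in note_names:
                notes.append(os.path.join(dirpath, name))
            elif os.path.splitext(lowered)[1] in extensions:
                renamed_per_dir[dirpath] += 1
    return notes, renamed_per_dir


def classify(notes, renamed_per_dir, min_renamed=3):
    """'ransomware-artefacts' when any note exists or one directory holds at
    least `min_renamed` files with a ransomware extension; otherwise 'clean'.
    A single stray file with the suffix is not enough, to avoid firing on a
    legitimate file that happens to use it."""
    if notes or any(n >= min_renamed for n in renamed_per_dir.values()):
        return "ransomware-artefacts"
    return "clean"


def build_sample_tree():
    """Constructed sample tree: a 'finance' folder hit by the encryptor and a
    'public' folder left untouched. Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="ransom_sweep_")
    hit = os.path.join(root, "finance")
    os.makedirs(hit)
    for name in ("q1.xlsx.LOCKED", "q2.xlsx.LOCKED", "budget.docx.LOCKED", "Contact Us.txt"):
        open(os.path.join(hit, name), "w").close()
    untouched = os.path.join(root, "public")
    os.makedirs(untouched)
    open(os.path.join(untouched, "readme.txt"), "w").close()
    return root


def sweep_sample():
    """Build the sample tree, scan it and return
    (verdict, number of notes found, most renamed files in any one directory)."""
    root = build_sample_tree()
    notes, renamed = scan_tree(root)
    return classify(notes, renamed), len(notes), max(renamed.values(), default=0)


if __name__ == "__main__":
    print(sweep_sample())  # ('ransomware-artefacts', 1, 3)
```

The per-directory count is deliberately separate from the note check: a note proves the encryptor ran, while a burst of same-extension renames in one folder is the earlier and more generic signal, and the same scan can be re-run with the note names and extensions of whichever family is in play.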
Kimsuky
Kimsuky is a suspected state-sponsored North Korean threat group with cyber-espionage motivations
and has been active since 2012. According to law enforcement agencies, the group is considered a
subordinate unit of the Reconnaissance General Bureau, North Korea's main intelligence agency.
The group has targeted government entities, think tanks, nuclear power centers, military agencies, and
North Korea-related individuals in Asia, and has expanded its campaigns to Europe, Russia, and the
United States.[1]
From December 2023 to February 2024, security researchers observed the group distributing phishing
emails that appeared to come from organizations that had not implemented strict DMARC
email policies. DMARC is an email authentication protocol that helps protect the email channel at the
domain level. Kimsuky modified the email headers to make them appear more legitimate and placed
free email addresses matching the impersonated person in the "Reply-To" field, so that victims believed
they were responding to legitimate employees of the impersonated organization.[64],[65]
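The two conditions that make the technique above work, a From domain whose DMARC record does not ask receivers to quarantine or reject failing mail and a Reply-To that steers responses to a different domain, can both be checked on the receiving side. The block below is an added example written for this section, not code from the report or from CISA or Proofpoint; the DMARC records are constructed stand-ins for the DNS TXT record at _dmarc.<domain> (no lookups are performed), and the message headers are constructed.

```python
"""Check a message against the sending domain's DMARC policy and its Reply-To.

Added example, not code from the report. The DMARC records below are
constructed stand-ins for the DNS TXT record at _dmarc.<domain>, and the
message headers are constructed; no network lookups are made.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC records keyed by organisational domain (assumption: the
# caller has already resolved the From domain to its _dmarc TXT record).
DMARC_RECORDS = {
    "thinktank.example": "v=DMARC1; p=none; rua=mailto:dmarc@thinktank.example",
    "agency.example": "v=DMARC1; p=reject; sp=reject; pct=100",
    "partial.example": "v=DMARC1; p=quarantine; pct=10",
}


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict; empty dict if not a DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def policy_strength(record):
    """Classify a domain's DMARC policy.

    'weak'    no record, unparsable record, or p=none: receivers only report,
              so a spoofed From address at this domain is still delivered
    'partial' quarantine or reject applied to only pct% of failing mail
    'strong'  quarantine or reject applied to all failing mail
    """
    tags = parse_dmarc(record) if record else {}
    policy = tags.get("p", "none").lower()
    if not tags or policy not in ("quarantine", "reject"):
        return "weak"
    return "partial" if int(tags.get("pct", "100")) < 100 else "strong"


def domain_of(header_value):
    """Domain part of the first address in a header, lower-cased ('' if absent)."""
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def assess_message(raw_message):
    """Return the findings for one RFC 5322 message as a list of strings."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    findings = []
    strength = policy_strength(DMARC_RECORDS.get(from_domain))
    if strength != "strong":
        findings.append(f"From domain {from_domain} has a {strength} DMARC policy")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    return findings


# Constructed message in the pattern described above: a spoofed From at a
# domain publishing p=none, with replies steered to a free-mail account.
SAMPLE_MESSAGE = (
    "From: Lee <lee@thinktank.example>\r\n"
    "Reply-To: Lee <lee.thinktank@freemail.example>\r\n"
    "Subject: Request for comment\r\n"
    "\r\n"
    "Could you review the attached draft?\r\n"
)

if __name__ == "__main__":
    for finding in assess_message(SAMPLE_MESSAGE):
        print("-", finding)
```

For the sending side, the same `policy_strength` check run against an organisation's own record is the quick test of whether it is one of the domains that could be impersonated this way: anything other than 'strong' means a forged From at that domain reaches inboxes.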
Hunters International scorecard: Risk Score 69 | Threat Score 45
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Severe

Kimsuky scorecard: Risk Score 85 | Threat Score 46
Category: Nation-state | Motive: Political gain and nationalism | Likelihood: Very likely | Impact: Severe
Lazarus Group
Lazarus Group is a suspected East Asian nation-state threat actor, first observed in 2009. Its sponsor
primarily tasks it with obtaining strategic information that facilitates espionage activity. The group works
closely with other threat actors, such as BlueNoroff and Andariel, which are likely subgroups of Lazarus
Group.
Targeted sectors include banking institutions, cryptocurrency exchanges and other financial services,
and casinos.
The group uses multiple operations to achieve its aim, including distributing fake job offers via email in
phishing schemes. It has also impersonated legitimate job recruiters by setting up illegitimate accounts.
Lazarus Group has used custom malware to target various operating systems, typically featuring
persistence mechanisms and applying anti-detection techniques.
In April 2024, the South Korean National Police Agency announced that Lazarus Group, along with two
other suspected North Korean threat actor groups, had launched coordinated attacks against multiple
defense companies in South Korea to steal information about technology that strengthens
national defense. The attacks compromised approximately ten national defense companies and
defense contractors.[66]
RansomHub
RansomHub emerged in February 2024 and operates as a RaaS, where the affiliates receive payment
before the operators. RansomHub accused ALPHV operators of undercutting their affiliates.[33]
The group has targeted organizations worldwide and across the retail, technology, construction,
financial, health care, and pharmaceutical sectors. However, it is important to highlight that the group
has stated it does not target organizations in countries that are part of the CIS.[1]
RansomHub manages its own DLS, which lists victims. It typically lists the type of data that has been
exfiltrated and includes a countdown indicating when it will make the exfiltrated data public if no
ransom payment is received. The group also provides a set of stolen files in the listing and claims to sell
the exfiltrated information for a set amount to one interested party.[1]
In early 2024, the group listed a US health care organization and personal patient data from the attack
on its DLS, demanding a ransom. ALPHV originally targeted this organization.[11]
In February 2024, Knight ransomware shut down, and the malware code was suspected to be sold to
the actor who launched RansomHub. Some observed similarities include the code being written in Go,
the ransom notes using similar phrasing, and both payloads restarting the endpoints in safe mode
before encryption.[67]
Lazarus Group scorecard: Risk Score 95 | Threat Score 96
Category: Nation-state | Motive: Political gain and nationalism | Likelihood: Almost certain | Impact: Severe

RansomHub scorecard: Risk Score 52 | Threat Score 45
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Significant
Sandworm
Sandworm (aka APT44) has been active since at least 2009 and is attributed to the Russian General
Staff Main Intelligence Directorate, a military intelligence agency. Sandworm operates as the Main
Center for Special Technologies, aka "Unit 74455," which, alongside the 85th Main Special Services
Center (aka "Unit 26165" and publicly known as APT28), is subordinate to the Information Operations
Troops identified as "Unit 55111."[1]
In March 2024, security researchers observed Sandworm targeting approximately 20 Ukrainian
industrial control systems across the heat supply, energy, and water sectors. The group utilized new
malware, including LOADGRIP and BIASBOAT, both developed in C; LOADGRIP's main function is to
launch the payload by injection using the iptrace application programming interface.[68]
In this campaign, Sandworm utilized tactics including compromising software and technology suppliers
of the organizations it targeted, pushing weaponized installers, and abusing the trust between the
suppliers and the targeted organizations, which allowed the group to directly access systems via pre-
established channels that were present for maintenance and support activities.[68]
Sandworm managed multiple pro-Russia hacktivist group personas on Telegram to announce its
disruptive operations and data leaks; these channels also provide evidence of its claims.[1]
8base
8base is a ransomware group that has been active since at least March 2022. Most of its targeted
organizations are small- to medium-sized, are typically based in North America (i.e., the United
States and Canada) and Europe (i.e., mainly the United Kingdom), and operate in the financial, health
care, manufacturing, professional services, and technology sectors.[1]
8base manages its own Telegram channel and an X account to build popularity and promote the
group's operations while putting additional pressure on its victims.[1]
Security researchers believe that a former member of FIN7 leads 8base. The group has multiple
overlaps with the RansomHouse threat group, particularly in the phrasing of its DLS banners, terms of
service, frequently asked questions sections, and ransom notes, which matches that used by RansomHouse.
On 27 May 2024, the group listed seven new victims on its DLS. These victims included four Japanese
companies, a Canadian organization, and two US organizations. The group claimed to have exfiltrated
confidential and personal data, including accounting documents, certificates, confidentiality
agreements, human resources data, invoices, personal files, and receipts. Including four Japanese
organizations as victims is unusual for the group as it has not previously shown a pattern of activity
within that region.[1],[69]
Sandworm scorecard: Risk Score 57 | Threat Score 93
Category: Nation-state | Motive: Political gain and nationalism | Likelihood: Very likely | Impact: Significant

8base scorecard: Risk Score 52 | Threat Score 45
Category: Cybercriminal | Motive: Financial gain | Likelihood: Likely | Impact: Significant

Sourcing Statement
Likelihood \ Impact          | Negligible | Minor       | Moderate    | Significant | Severe
Almost no chance (1-5%)      | Low        | Low         | Low         | Low-Medium  | Medium
Very unlikely (5-20%)        | Low        | Low         | Low-Medium  | Medium      | Medium
Unlikely (20-45%)            | Low        | Low-Medium  | Low-Medium  | Medium      | Medium-High
Roughly even chance (45-55%) | Low        | Low-Medium  | Medium      | Medium-High | Medium-High
Likely (55-80%)              | Low        | Low-Medium  | Medium      | Medium-High | High
Very likely (80-95%)         | Low-Medium | Medium      | Medium-High | High        | High
Almost certain (95-99%)      | Medium     | Medium-High | High        | High        | High
Tradecraft: Deloitte CTI applies the Intelligence Community Directive 203 Analytic Standards to its products and reports, as well as other intelligence-community tradecraft, such as combating biases, structured analytic techniques (e.g., analysis of alternatives and of competing hypotheses), and sourcing disclosures.
Methodology: Risk ratings are based on weighted factors, including threat actor sophistication, campaigns, frequency of employment, regional spread, and motivation.
Collection: Deloitte CTI combines its proprietary collection with subscriptions to maximize coverage and collection in support of threat prevention, including a malware repository, a threat library, and underground and dark web access.
Sources
1. Deloitte internal sources.
2. Staff, "Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant," Office of Public Affairs, U.S. Department of Justice, 19 December 2023. [Online]. Available: https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant. [Accessed: 09 May 2024]; Staff, "U.S. and U.K. Disrupt LockBit Ransomware Variant," Office of Public Affairs, U.S. Department of Justice, 20 February 2024. [Online]. Available: https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant. [Accessed: 09 May 2024].
3. Swenson and W. Weissert, "New Hampshire investigating fake Biden Robocall meant to discourage voters ahead of Primary," AP News, 22 January 2024. [Online]. Available: https://apnews.com/article/new-hampshire-primary-biden-ai-deepfake-robocall-f3469ceb6dd613079092287994663db5. [Accessed: 10 May 2024]; Deloitte CTI, "Threats to Global Elections Part 3: Artificial Intelligence and Election Influence," 24 April 2024, A-TR-EN-01-27102.
4. Walter, J., "Ransomware Evolution | How Cheated Affiliates Are Recycling Victim Data for Profit," SentinelOne, 24 April 2024. [Online]. Available: https://www.sentinelone.com/blog/ransomware-evolution-how-cheated-affiliates-are-recycling-victim-data-for-profit/. [Accessed: 09 May 2024].
5. A. Yu, M. Clark, and M. Shahi, "Taiwan's election: PRC interference and its implications for the 2024 election landscape," Center for American Progress, 01 February 2024. [Online]. Available: https://www.americanprogress.org/article/taiwans-election-prc-interference-and-its-implications-for-the-2024-election-landscape/. [Accessed: 10 May 2024].
6. Deloitte CTI, "LLM Part 2: Nation-State Threat Actors Leveraging LLMs to Boost Cyber Operations," 27 March 2024, A-TR-EN-01-27015.
7. Gatlan, S., "Mandiant's X account hacked by crypto Drainer-as-a-Service gang," Bleeping Computer, 10 January 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/mandiants-x-account-hacked-by-crypto-drainer-as-a-service-gang/. [Accessed: 09 May 2024].
8. Gatlan, S., "Web3 security firm CertiK's X account hacked to push crypto drainer," Bleeping Computer, 05 January 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/web3-security-firm-certiks-x-account-hacked-to-push-crypto-drainer/. [Accessed: 09 May 2024].
9. Staff, "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure," CISA, 07 February 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a. [Accessed: 28 May 2024].
10. Staff, "Warning of North Korean cyber threats targeting the Defense Sector," Bundesamt für Verfassungsschutz, 19 February 2024. [Online]. Available: https://www.verfassungsschutz.de/SharedDocs/publikationen/DE/cyberabwehr/2024-02-19-joint-cyber-security-advisory-englisch.pdf?__blob=publicationFile&v=2. [Accessed: 28 May 2024].
11. Lions, J., "UnitedHealth CEO: 'Decision to pay ransom was mine'," The Register, 30 April 2024. [Online]. Available: https://www.theregister.com/2024/04/30/unitedhealth_ceo_ransom/. [Accessed: 01 May 2024].
12. Staff, "UnitedHealth Group Updates on Change Healthcare Cyberattack," UnitedHealth Group, 22 April 2024. [Online]. Available: https://www.unitedhealthgroup.com/newsroom/2024/2024-04-22-uhg-updates-on-change-healthcare-cyberattack.html. [Accessed: 10 May 2024].
13. Staff, "Threat Actors Exploit Multiple Vulnerabilities in Ivanti Connect Secure and Policy Secure Gateways," CISA, 29 February 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-060b. [Accessed: 10 May 2024].
14. Staff, "AT&T Addresses Recent Data Set Released on the Dark Web," AT&T, 30 March 2024. [Online]. Available: https:/addressing-data-set-released-on-dark-web.html. [Accessed: 28 May 2024].
15. Abrams, L., "AT&T confirms data for 73 million customers leaked on hacker forum," Bleeping Computer, 30 March 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/atandt-confirms-data-for-73-million-customers-leaked-on-hacker-forum/. [Accessed: 28 May 2024].
16. Staff, "Omni Hotels & Resorts update on recent cyber attack," Omni Hotels & Resorts, 03 April 2024. [Online]. Available: https://www.omnihotels.com/cyber-attack-update. [Accessed: 16 June 2024].
17. Gatlan, S., "Daixin ransomware gang claims attack on Omni Hotels," Bleeping Computer, 15 April 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/daixin-ransomware-gang-claims-attack-on-omni-hotels/. [Accessed: 29 April 2024].
18. Staff, "ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices," Cisco Talos Intelligence Group, 24 April 2024. [Online]. Available: https://blog.talosintelligence.com/arcanedoor-new-espionage-focused-campaign-found-targeting-perimeter-network-devices/. [Accessed: 16 June 2024].
19. Croft, D., "6 Australian senators, MPs confirm being targeted by APT31 in IPAC cyber attack," Cyber Daily, 07 May 2024. [Online]. Available: https://www.cyberdaily.au/government/10525-six-australian-senators-mps-confirm-being-targeted-by-apt31-in-ipac-cyber-attack. [Accessed: 28 May 2024].
20. Staff, "Seven Hackers Associated with Chinese Government Charged with Computer Intrusions Targeting Perceived Critics of China and U.S. Businesses and Politicians," Office of Public Affairs, U.S. Department of Justice, 25 March 2024. [Online]. Available: https://www.justice.gov/opa/pr/seven-hackers-associated-chinese-government-charged-computer-intrusions-targeting-perceived. [Accessed: 17 June 2024].
21. Swan, D., "MediSecure patient data up for sale on Russian hacking forum," Sydney Morning Herald, 24 May 2024. [Online]. Available: https://www.smh.com.au/technology/medisecure-patient-data-up-for-sale-on-russian-hacking-forum-20240524-p5jggb.html. [Accessed: 28 May 2024].
22. Staff, "Combined Notice of Appointment and First Meeting of Creditors of Company Under Administration," ASIC, 03 June 2024. [Online]. Available: https://publishednotices.asic.gov.au/browsesearch-notices/notice-details/MediSecure-Ltd-169902443/5bc4ff35-8840-480e-acab-ee53afca73ec?appointment=All&noticestate=All&companynameoracn=Medisecure&court=&district=&dnotice=. [Accessed: 06 June 2024].
23. Staff, "Largest ever operation against botnets hits dropper malware ecosystem," European Multidisciplinary Platform Against Criminal Threats, Europol, 30 May 2024. [Online]. Available: https://www.europol.europa.eu/media-press/newsroom/news/largest-ever-operation-against-botnets-hits-dropper-malware-ecosystem#empact. [Accessed: 05 June 2024].
24. Nuth, T., "2024 Cybersecurity trends: What's Observable Already?," Qualys, 29 May 2024. [Online]. Available: https://blog.qualys.com/product-tech/2024/05/29/2024-cybersecurity-trends-whats-observable-already/. [Accessed: 06 June 2024].
25. CISA, "#StopRansomware: Royal Ransomware," CISA, 13 November 2023. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-061a. [Accessed: 02 May 2024].
26. Staff, "BlackSuit Ransomware: In-Depth Analysis, Detection, and Mitigation," SentinelOne, n.d. [Online]. Available: https://www.sentinelone.com/anthology/blacksuit/. [Accessed: 02 May 2024].
27. Staff, "Dark Web Profile: Hunters International," SOC Radar, 20 February 2024. [Online]. Available: https://socradar.io/dark-web-profile-hunters-international/. [Accessed: 03 May 2024].
28. Staff, "U.S. Department of Justice Disrupts Hive Ransomware Variant," U.S. Department of Justice, 26 January 2023. [Online]. Available: https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant. [Accessed: 03 May 2024].
29. Staff, "RansomHub Draws in Affiliates with Multi-OS Capability and High Commission Rates," Recorded Future, 20 June 2024. [Online]. Available: https://www.recordedfuture.com/ransomhub-draws-in-affiliates-with-multi-os-capability-and-high-commission-rates. [Accessed: 03 July 2024].
30. Abrams, L., "How the FBI seized BlackCat (ALPHV) ransomware's servers," Bleeping Computer, 01 December 2023. [Online]. Available: https://www.bleepingcomputer.com/news/security/how-the-fbi-seized-blackcat-alphv-ransomwares-servers/. [Accessed: 30 May 2024].
31. Greenberg, A., "Hackers Behind the Change Healthcare Ransomware Attack Just Received a $22 Million Payment," Wired, 04 March 2024. [Online]. Available: https://www.wired.com/story/alphv-change-healthcare-ransomware-payment/. [Accessed: 30 May 2024].
32. Staff, "Exit Scam: BlackCat Ransomware Group Vanishes After $22 Million Payout," The Hacker News, 06 March 2024. [Online]. Available: https://thehackernews.com/2024/03/exit-scam-blackcat-ransomware-group.html. [Accessed: 30 May 2024].
33. Arghire, I., "Second Ransomware Group Extorting Change Healthcare," Security Week, 09 April 2024. [Online]. Available: https://www.securityweek.com/second-ransomware-group-extorting-change-healthcare/. [Accessed: 30 May 2024].
34. Reed, J., "Change Healthcare attack expected to exceed $1 billion in costs," Security Intelligence, 08 May 2024. [Online]. Available: https://securityintelligence.com/news/change-healthcare-cyberattack-exceeds-1-billion-costs/. [Accessed: 20 June 2024].
35. Barry, C., "The rise and fall of LockBit ransomware," Barracuda, 21 February 2024. [Online]. Available: https://blog.barracuda.com/2024/02/21/the-rise-and-fall-of-lockbit-ransomware. [Accessed: 01 June 2024].
36. Hollingworth, D., "LockBit strikes back with ransomware spree," Cyber Daily, 14 May 2024. [Online]. Available: https://www.cyberdaily.au/security/10555-lockbit-strikes-back-with-ransomware-spree. [Accessed: 01 June 2024].
37. Bleih, A., "May 2024: LockBit Returns?," Cyberint, 07 May 2024. [Online]. Available: https://cyberint.com/blog/research/may-2024-lockbit-returns/. [Accessed: 01 June 2024].
38. Gatlan, S., "FBI recovers 7,000 LockBit keys, urges ransomware victims to reach out," Bleeping Computer, 05 June 2024. [Online]. Available: https://www.bleepingcomputer.com/news/security/fbi-recovers-7-000-lockbit-keys-urges-ransomware-victims-to-reach-out/. [Accessed: 06 June 2024].
39. Ikeda, S., "LockBit's Claimed Hack on US Federal Reserve Turns Out to Be a Publicity Stunt; Stolen Data Came From Just One US Bank," CPO Magazine, 01 July 2024. [Online]. Available: https://www.cpomagazine.com/cyber-security/lockbits-claimed-hack-on-us-federal-reserve-turns-out-to-be-a-publicity-stunt-stolen-data-came-from-just-one-us-bank/. [Accessed: 03 July 2024].
40. Staff, "Behavioral patterns of ransomware groups are changing," Help Net Security, 23 April 2024. [Online]. Available: https://www.helpnetsecurity.com/2024/04/23/ransomware-groups-activity-q1-2024. [Accessed: 06 June 2024].
41. Constantin, L., "Emerging ransomware groups on the rise: Who they are, how they operate," CSO Online, 24 May 2024. [Online]. Available: https://www.csoonline.com/article/2121702/emerging-ransomware-groups-on-the-rise-who-they-are-how-they-operate.html. [Accessed: 06 June 2024].
42. Staff, "Agent Tesla," Any Run, n.d. [Online]. Available: https://any.run/malware-trends/agenttesla. [Accessed: 05 June 2024].
43. Staff, "Living-Off-the-Land (LOTL) Attacks: Everything You Need to Know," Kiteworks, n.d. [Online]. Available: https://www.kiteworks.com/risk-compliance-glossary/living-off-the-land-attacks. [Accessed: 05 June 2024].
44. Staff, "Volt Typhoon," MITRE ATT&CK, 28 March 2024. [Online]. Available: https://attack.mitre.org/groups/G1017/. [Accessed: 05 June 2024].
45. Yuceel, H.C., "Akira Ransomware Analysis, Simulation and Mitigation CISA Alert AA24-109A," Picus Security, 22 April 2024. [Online]. Available: https://www.picussecurity.com/resource/blog/akira-ransomware-analysis-simulation-and-mitigation-cisa-alert-aa24-109a. [Accessed: 05 June 2024].
46. Staff, "Living off the Land and Fileless Malware," Reliaquest, 21 May 2024. [Online]. Available: https://www.reliaquest.com/blog/living-off-the-land-fileless-malware. [Accessed: 05 June 2024].
47. Roncone, G., Black, D., Wolfram, J., et al., "APT44: Unearthing Sandworm," Mandiant, n.d. [Online]. Available: https://services.google.com/fh/files/misc/apt44-unearthing-sandworm.pdf. [Accessed: 10 May 2024].
48. Staff, "North Korean Hackers Stole $600 Million in Crypto in 2023," TRM, n.d. [Online]. Available: https://www.trmlabs.com/post/north-korean-hackers-stole-600-million-in-crypto-in-2023. [Accessed: 10 May 2024]; Deloitte CTI, "Blockchain Technology Threat Trends," 01 May 2024, A-TR-EN-01-27139.
49. Williams, S., "Record ransomware attacks in March 2024, report finds," SecurityBrief Australia, 26 April 2024. [Online]. Available: https://securitybrief.com.au/story/record-ransomware-attacks-in-march-2024-report-finds. [Accessed: 10 May 2024].
50. Waldman, A., "Recorded Future observes 'concerning' hacktivism shift," Tech Target, 06 May 2024. [Online]. Available: https://www.techtarget.com/searchsecurity/news/Recorded-Future-observes-concerning-hacktivism-shift. [Accessed: 10 May 2024].
51. Staff, "Geisinger provides notice of Nuance's data security incident," Geisinger, 24 June 2024. [Online]. Available: https://www.geisinger.org/about-geisinger/news-and-media/news-releases/2024/06/24/18/17/geisinger-provides-notice-of-nuances-data-security-incident. [Accessed: 09 July 2024].
52. FalconFeeds.io, Tweet, Twitter, 17 January 2024. [Online]. Available: https://twitter.com/FalconFeedsio/status/1747511114932633848. [Accessed: 01 May 2024].
53. CISA, "#StopRansomware: Akira Ransomware," CISA, 18 April 2024. [Online]. Available: https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-109a. [Accessed: 01 May 2024].
54. Seals, T., "Killnet Threatens Imminent SWIFT, World Banking Attacks," Dark Reading, 17 June 2023. [Online]. Available: https://www.darkreading.com/cyber-risk/killnet-threatens-imminent-swift-world-banking-attacks. [Accessed: 31 January 2024].
55. Kerner, M., "Ransomware trends, statistics and facts heading into 2024," TechTarget Security, 03 January 2024. [Online]. Available: https://www.techtarget.com/searchsecurity/feature/Ransomware-trends-statistics-and-facts. [Accessed: 29 January 2024].
56. Wrzenski, W., "Looking for cyber-attack services? Check Anonymous Sudan's new InfraShutdown service," Radware, 12 March 2024. [Online]. Available: https://www.radware.com/blog/ddos-protection/2024/03/looking-for-cyber-attack-services-check-anonymous-sudans-new-infrashutdown-service/. [Accessed: 01 May 2024].
57. Kenefick, I., Dela Cruz, J., and Girnus, P., "Threat Actor Groups, Including Black Basta, are Exploiting Recent ScreenConnect Vulnerabilities," Trend Micro, 27 February 2024. [Online]. Available: https://www.trendmicro.com/en_au/research/24/b/threat-actor-groups-including-black-basta-are-exploiting-recent-.html. [Accessed: 01 May 2024].
58. Mueller, T., Rieck, J., Wilkens, F., et al., "Black Basta Buster: Decrypting Files Without Paying the Ransom," SR Labs, 08 February 2024. [Online]. Available: https://www.srlabs.de/blog-post/black-basta-buster-decrypting-files-without-paying-the-ransom. [Accessed: 01 May 2024].
59. Dark Web Informer, Tweet, Twitter, 28 March 2024. [Online]. Available: https://twitter.com/DarkWebInformer/status/1773040546338030027/photo/2. [Accessed: 01 May 2024].
60. Paganini, P., "Blackbasta group claims to have hacked Atlas, one of the largest US oil distributors," Security Affairs, 21 May 2024. [Online]. Available: https://securityaffairs.com/163489/cyber-crime/blackbasta-claims-atlas-hack.html. [Accessed: 22 May 2024].
61. Staff, "ESET Research discovers new China-aligned APT group Blackwood that used advanced implant to attack within China, Japan, and the UK," ESET Research, 24 January 2024. [Online]. Available: https://www.eset.com/int/about/newsroom/press-releases/research/eset-research-discovers-new-china-aligned-apt-group-blackwood-that-uses-advanced-implant-to-attack-within-china-japan-and-the-uk/. [Accessed: 02 May 2024].
62. Staff, "Blackwood APT Group Has a New DLL Loader," Sonic Wall, 29 January 2024. [Online]. Available: https://blog.sonicwall.com/en-us/2024/01/blackwood-apt-group-has-a-new-dll-loader/. [Accessed: 02 May 2024].
63. Staff, "Hunters International Ransomware Report," Quorum Cyber, n.d. [Online]. Available: https://www.quorumcyber.com/malware-reports/hunters-international-ransomware-report/. [Accessed: 03 May 2024].
64. CISA, "North Korean Actors Exploit Weak DMARC Security Policies to Mask Spearphishing Efforts," CISA, 02 May 2024. [Online]. Available: https://media.defense.gov/2024/May/02/2003455483/-1/-1/0/CSA-NORTH-KOREAN-ACTORS-EXPLOIT-WEAK-DMARC.PDF. [Accessed: 06 May 2024].
65. Lesnewich, G., and Giering, C., "From Social Engineering to DMARC Abuse: TA427's Art of Information Gathering," Proofpoint, 16 April 2024. [Online]. Available: https://www.proofpoint.com/us/blog/threat-insight/social-engineering-dmarc-abuse-ta427s-art-information-gathering. [Accessed: 06 May 2024].
66. Kim, J., "North Korea hacking teams hack South Korea defence contractors police," Reuters, 23 April 2024. [Online]. Available: https://www.reuters.com/technology/cybersecurity/north-korea-hacking-teams-hack-south-korea-defence-contractors-police-2024-04-23/. [Accessed: 06 May 2024].
67. Paganini, P., "RansomHub operation is a rebranded version of the Knight RaaS," Security Affairs, 06 June 2024. [Online]. Available: https://securityaffairs.com/164195/malware/ransomhub-raas-linked-knight-ransomware.html/. [Accessed: 01 May 2024].
68. Staff, "UAC-0133 (Sandworm) plans for cyber sabotage on almost 20 objects of critical infrastructure of Ukraine," Computer Emergency Response Team of Ukraine, 19 April 2024. [Online]. Available: https://cert.gov.ua/article/6278706. [Accessed: 03 July 2024].
69. HackManac, Tweet, X (Twitter), 28 May 2024. [Online]. Available: https://x.com/H4ckManac/status/1795093817864950177/. [Accessed: 03 July 2024].
Connect with us
Adnan Amjad
Deloitte US Cyber & Strategic Leader
Partner
Deloitte & Touche LLP
aamjad@deloitte.com
Kush Singh
Deloitte US Detect & Respond Leader
Principal
Deloitte & Touche LLP
kussingh@deloitte.com
Steve Mahar
Deloitte US Client and Market Growth Leader
Managing Director
Deloitte & Touche LLP
smahar@deloitte.com
Clare Mohr
Deloitte US Cyber Intelligence Lead
Vice President for Solution Delivery - Threat Intelligence
clmohr@deloitte.com
William Burns
Deloitte US Cyber Detect & Respond Advisory
Managing Director, Adversary Pursuit Organization
wburns@deloitte.com
David An
Deloitte US Cyber Intelligence
Solution Delivery Manager - Risk and Financial Advisory
davidan3@deloitte.com
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor
should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may
affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person
who relies on this presentation.
All product names mentioned in this document are the trademarks or registered trademarks of their respective owners and are mentioned for
identification purposes only. Deloitte & Touche LLP is not responsible for the functionality or technology related to the Vendor or other systems
or technologies as defined in this work product.
As used in this document, "Deloitte" means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a
detailed description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public
accounting.
Copyright © 2024 Deloitte Development LLC. All rights reserved.