The ransomware threat is declining as actors pivot to infostealing, according to a new report from IBM X-Force, which also says that attacks on cloud services and critical infrastructures are growing – and the AI threat is looming. 

IBM X-Force has monitored over 150 billion security events every day in more than 130 countries. The result is the 2024 Threat Index report. The findings will surprise few cybersecurity observers, but the quantified details are disturbing.

General criminality

Headline details include a decline in ransomware (down 11.5%, but with a codicil); a rise in attacks using valid credentials (up 71%); the appearance of new infostealers; Europe maintaining its status as the most attacked region (32% of all attacks); and a continuing focus on critical infrastructures (nearly 70% of attacks globally).

The ransomware figure needs some explaining. A Delinea report in January 2024 indicated a ransomware growth of more than 100% in 2023 compared to 2022. The difference is a question of definition: Delinea equates ransomware with extortion, while IBM equates it specifically with encryption attacks. As more companies are refusing to pay decryption ransoms, attackers are switching to stolen data blackmail as a more effective method of extortion. Of course, this argument does not apply to manufacturing companies, where encryption-instigated downtime may be more damaging than data blackmail (this factors into the high percentage of critical infrastructure attacks). Fundamentally, to IBM, if it does not include encryption, it is not ransomware.

Noticeably, IBM reports that ‘data theft and leak’ attacks increased by 32% over the same period, more than offsetting the decline in encryption ransomware. In short, extortion attacks are still growing, but the actors are switching to ‘theft and leak’ as the means employed. Extortion incidents more than doubled in 2023, and the share of all incidents that were extortion increased from 21% in 2022 to 24% in 2023.

“X-Force has observed threat groups who have previously specialized in ransomware showing increasing interest in infostealers. And a number of prominent new infostealers recently debuted and demonstrated increased activity in 2023, such as Rhadamanthys, LummaC2 and StrelaStealer,” notes the report.

This coincides with a 71% increase in the volume of attacks using valid credentials. These represent 30% of all the incidents X-Force responded to in 2023, and this is the first year that abuse of valid accounts has been the most common entry point into victim environments.

Again, this all makes sense given the extortionists’ switch to data theft and leak, and the longer dwell time being employed by encrypting ransomware. The early days of smash and grab ransoms – get in, encrypt data, and leave a ransom note – have been replaced by more silent data exfiltration and more destructively targeted encryption (and sometimes both).

Noticeably, 32% of incidents involved the abuse of legitimate tools for malicious purposes (‘living off the land’). All these factors could be related to the criminal migration from pure encrypting ransomware to a stealthier form of extortion by data theft and leak.

Geopolitical effect

Cyberwarfare can be described as an attempt to use cyber techniques to disturb the equilibrium of a nation, its economy, and its population. It is different to, and short of, actual cyberwar. There is no evidence of cyberwar, but ample evidence of, and an increase in, cyberwarfare driven by the general global geopolitical tensions and the conflicts in Ukraine and Gaza. Cyberwarfare is often, but not always delivered by state-affiliated, groups. The IT Army of Ukraine, for example, includes many independent activists.

IBM particularly notes that Hive0051 (which overlaps with Gamaredon) accelerated its development efforts since the start of the Ukraine war; resulting in an improved multichannel approach to DNS fluxing, obfuscated multistage scripts, and the use of fileless PowerShell variants of the Gamma malware. “As of October 2023, the X-Force observed a significant increase in Hive0051 activity.”

Other notable effects of the Ukraine war include an increase in the number of DDoS attacks delivered against western allies — with varying degrees of success. IBM points to the summer 2023 Microsoft outage claimed by Anonymous Sudan, which is linked to the pro-Russia Killnet DDoS group.

The Israel-Hamas conflict largely resulted in pro-Palestinian hacktivism targeting Israeli finance, government, travel, and transportation interests. In addition, however, X-Force also detected multiple lure documents using Israel/Hamas themes ultimately aimed at delivering the ITG05 exclusive Headlace backdoor. “X-Force tracks ITG05 as a likely Russian state-sponsored group consisting of multiple activity clusters, sharing overlaps with industry-identified threat actor groups APT28, UAC-028, Fancy Bear and Forest Blizzard,” says IBM. The lures leverage authentic documents from academic, finance and diplomatic centers; and target organizations in at least 13 countries.

The imminent threat from and to AI

Everybody accepts an imminent threat from ML/Ai technologies — but it has not yet manifested. “X-Force hasn’t been able to confirm the use of gen-AI in current malicious campaigns,” says the report. It notes the existence of WormGPT (supposedly shut down by its developers in August 2023), and FraudGPT — “a euphemism for the services offered by CanadianKingpin12 (CK12), a cybercriminal service broker and associate of a likely self-organized group called the Cashflow Cartel (CFC)”. IBM did not experiment with either service and makes no comment on their viability.

However, it does note that it has seen 800,000 posts in the cyber underworld mentioning AI and GPT during 2023. Criminal interest is growing, and the question is not if but when the AI threat will become real. IBM suggests that history has the answer. It notes that ransomware, BEC, and cryptojacking all took off when the platforms of use had market dominance, or at least one-third of market share.

“These patterns suggest that for cybercriminals to see ROI from attacking AI platforms and for developing easy-to-use tools on the criminal underground, the technology they’re targeting must be ubiquitous across most organizations in the world,” 

It continues, “Once AI market dominance is established—when a single technology approaches 50% market share or the market consolidates to three or less technologies—we assess it will trigger the maturity of AI as an attack surface. The result will be that cybercriminals will then further mobilize and increase their investment in attacking AI.”

This doesn’t mean that defenders can sit and wait. There is one threat vector that doesn’t require platform dominance: the software supply chain. Thousands of organizations are developing their own AI/ML in-house applications. The usual route is to use pre-trained, open source models downloaded from repositories such as Hugging Face, and to supplement these with other specialized open source tools. The problem here is AI/ML open source is even less protected than standard app open source libraries. 

“Securing the model development stage of the AI pipeline is critical to minimize the risk of supply chain attacks — these are the likeliest type of attacks and top concern we view with regard to the models themselves, due to many organizations’ heavy reliance on pretrained, open-source ML models from online model repositories,” Andy Piazza, global head of threat intel at X-Force told SecurityWeek. “These types of open-source ML models often lack comprehensive security controls. Also, attackers have the same access to these online repositories and can deploy a backdoor or malware into them. Once uploaded back into the repository, they can become an entry point to anyone that downloads the infected model. If these models are infected, it can be incredibly difficult to detect.”

Noticeably, Protect AI has a community of almost 16,000 bug hunters looking for vulnerabilities in AI/ML open source software.

The X-Force Threat Index is an analysis of last year’s incidents, primarily drawn from its own telemetry, designed to provide indications on what to expect in the coming year. While containing more information, three of the most important categories could be described as ‘general criminality’, ‘geopolitical influences’, and ‘AI threat development’. 

The first shows the criminals’ continuous adaptation to maximize the financial return on their efforts, together with the primary effects of those efforts. Criminals are often supplemented by state-affiliated groups. Critical infrastructures are the primary target, and Europe and the UK within Europe are the most attacked regions.

The second demonstrates the growth of geopolitical influence on cyber activity in a time of global tension. This is primarily driven by state-affiliated groups and political activists, but is supplemented by criminal gangs using the situation for their own financial gain. Critical infrastructures are always a primary target for politically motivated attacks. 

The third primarily demonstrates the bubbling of a future threat. AI is expected to be a major new threat vector, although we don’t yet know when the tsunami will appear. Nevertheless, it is worth remembering a comment from Chris Evans, CISO at HackerOne, in conversation with SecurityWeek: “The biggest threat to me and my organization over the next year is the one that comes out of left field and slams us from the side we weren’t expecting.”

Related: Refocusing on Cybersecurity Essentials in 2024: A Critical Review

Related: Five Cybersecurity Predictions for 2024

Related: Hunter-Killer Malware Tactic Growing: Stealthy, Persistent and Aggressive

Related: Tech Companies Sign Accord to Combat AI-Generated Election Trickery