The State of the Underground in 2021

By Cybersixgill

The headline story of 2021 was ransomware. While also a hot topic in 2020, in 2021 ransomware was even bigger, solidifying its standing as the highest-impact cyberthreat, as countless organizations worldwide were disrupted and even debilitated by attacks. The damages caused by ransomware attacks were as devastating as its victims were diverse – affecting organizations both large and small across many different verticals, including software vendors, schools, governments, broadcasters, a major meat processing plant, and a critical US oil pipeline.

Indeed, only seven months into the year, the FBI reported that it had already “received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.”

The cybercriminal underground provides the perfect environment for the development, expansion, and proliferation of ransomware attacks and their extortionist aftermaths. First, it provides a platform for the planning and execution of the attacks, where ransomware groups can post calls on cybercriminal forums for affiliates (operational partners) to support their operations. In addition, operators can purchase access to a vast array of compromised systems in illicit initial access markets, which provide the first entry point from which to launch their attacks. Second, after executing the attack and infiltrating their victims’ systems, ransomware groups use their dark web-hosted dedicated leak sites (DLS) to extort victims, threatening to publicly share their stolen confidential data should they refuse to comply with the hackers’ ransom demands.

Cybersixgill’s sources demonstrate a tremendous expansion in the underground ransomware economy during 2021. Throughout the year, access to 4,286,150 compromised endpoints was sold on the underground, a whopping 457% increase compared to 2020. Evidently, vendors on access markets increased their supply capacity to match the exploding demand. Similarly, in 2021 we collected 3,264 posts on ransomware groups’ dedicated leak sites (each post roughly signifying an attack), more than double the total collected in 2020 (1,509).

In addition to the dramatic rise in ransomware, analysis of the underground activity throughout 2021 produced another major insight of value: while the total number of posts in forums and on messaging channels rose considerably (45% and 338%, respectively), the number of posts and participating actors decreased significantly in the ten most popular underground forums. This seems to suggest that the underground has become increasingly decentralized. Accordingly, analysts can no longer rely on the top forums as the lone source of their intel. In order to gain a comprehensive understanding of underground developments and compile an accurate intelligence picture, analysts must expand their investigative search to include as many sources as possible.

Looking ahead to 2022

While many may assume that ransomware will follow its upward trajectory in 2022, such a projection is an oversimplification, and in our mind, not entirely accurate.

In 2021, two significant developments generated difficult headwinds for large ransomware groups. First, in mid-May, multiple underground forums banned activity advertising ransomware or affiliated partnership programs, cutting ransomware operators off from their main platform for recruitment, partnerships, and promotion of their activities.

Second, the US Federal government took aggressive action against several prominent ransomware groups and cryptocurrency exchanges that processed ransomware payments.

If anything, this showed that ransomware attackers have become victims of their own success. While profiting from exorbitant ransom payments, they now suffer the repercussions of their notoriety. Accordingly, we assess that in 2022 ransomware groups will be more selective when choosing their targets, largely eschewing attacks on sensitive or prominent targets (and perhaps avoiding targeting US-based organizations altogether) in favor of lower-profile targets, so as to avoid the wrath of a federal response. Some ransomware groups may choose to shut down their dedicated leak sites—designed to generate publicity—instead choosing to carry out their ransom attacks and negotiations over private channels. Overall, we assess that ransomware groups will adopt a more discreet modus operandi instead of aiming for splashy attacks.

This ought to encourage remote access markets to up their game. If ransomware operators demand a broader menu of potential targets, the markets will be driven to step up accordingly to provide the supply.

Furthermore, we expect that the increased distribution and decentralization of the underground ecosystem will persist. The largest forums can be too noisy, inundated with spam and raucous chatter, and due to their popularity, often attract the scrutiny and attention of law enforcement officials, researchers, and otherwise curious observers. It is therefore reasonable to expect that the threat actors of the underground will branch out to new forums and messaging channels, perhaps seeking out platforms that are more focused on a single subject matter in place of the larger, broad-based forums that deal with everything – from hacking to recipes for cooking.

Amid the rapidly evolving cyberthreat landscape and the continued impact of the COVID-19 pandemic on the digital security needed to support the remote workforce, one thing remains certain: cybercriminals are fast innovators, quickly adapting and retooling their tactics to maximize their profits at their victims’ expense. It is therefore imperative that organizations maintain vigilance, staying aware of developments in the underground to enable proactive cyber defense. Fortunately, no matter where malicious actors choose to set up shop – be it new sites, messaging apps, forums or other platforms – Cybersixgill will be there with eyes in the underground, making sure you know what’s out there.

Cybersixgill secures $35 Million in Series B Funding

Cybersixgill announced today the company has raised $35 million in Series B funding led by More Provident and Pension Funds and REV Venture Partners. Additional participating investors include CrowdStrike Falcon Fund, Elron Ventures, SonaeIM, and OurCrowd.

This latest investment brings the company’s total funding to $56 million. The company stated it will use the funds to build on customer momentum, continue innovation of Cybersixgill’s threat intelligence solutions, expand its global footprint, and grow sales and marketing.

“We are extremely pleased to be working with world-renowned cybersecurity investors and tech leaders committed to fueling innovation and delivering the best cybersecurity solutions on the market,” said Sharon Wagner, CEO of Cybersixgill. “As cybercrime rises faster and the velocity of ransomware attacks increases, the need for accurate and timely threat intelligence has never been greater. Through automation and machine learning, we have built the largest threat intelligence data lake that arms our customers with the earliest signals to stop attacks and secure their overall cybersecurity posture.”

According to Cybersixgill, the company has experienced accelerated growth, quadrupling its revenue and doubling its global footprint in the last three years. Cybersixgill’s solutions harness the power of automatic collection and extraction of threat intelligence sourced from social media, instant messaging, and clear, deep, and dark webs to create a threat and risk intelligence data backbone that provides the context needed for customers to implement preemptive security responses that stop breaches in their tracks.

“We are thrilled to be investing in the outstanding team at Cybersixgill. This financing round will enable them to further strengthen their leading threat intelligence solutions whilst aggressively expanding their customer base,” said Kevin Brown, Founder Partner, REV.

Founded in 2014, Cybersixgill brings agility to cyber threat intelligence, with fully automatic threat intelligence solutions to help organizations proactively detect and protect against phishing, data leaks, fraud, malware, and vulnerability exploitation – enhancing cyber resilience and minimizing risk exposure in real time. The company has hundreds of customers in North America, EMEA, and APAC, including global enterprises, financial institutions, MSSPs, and government and law enforcement agencies.