IOCTA 2024 report: Law enforcement deals major blows against EU cybercrime, disrupts ransomware networks (2024)

A new Europol report, the Internet Organised Crime Threat Assessment (IOCTA), highlights that in 2023, law enforcement agencies delivered significant setbacks to the cybercriminal underground by arresting numerous ransomware-as-a-service (RaaS) affiliates and operators, while also disrupting cybercriminal infrastructure. The disclosure comes as ransomware attacks, child sexual exploitation (CSE), and online fraud were recognized as the most prevalent forms of cybercrime in the European Union (EU) during the year.

Titled ‘Europol’s Internet Organised Crime Threat Assessment (IOCTA) 2024,’ the report determined that several worldwide law enforcement actions shook the cybercriminal underground through continued arrests of ransomware affiliates and operators. Law enforcement also carried out coordinated disruption operations against cybercriminals’ digital infrastructures.

“Cybercriminals are keen to leverage Artificial Intelligence, which is already becoming a common component in their toolbox and is very likely to see even wider application,” Catherine De Bolle, executive director at Europol, wrote in the report. “Law enforcement agencies are expected to build a robust capacity to counter the growing threats stemming from this, both in terms of human resources and technical skills.”

The report is Europol’s assessment of evolving threats and trends in the cybercrime landscape, with a focus on how it has changed over the last 12 months. Recent law enforcement operations have prompted ransomware groups to splinter and rebrand under different guises. Furthermore, continuous takedowns of forums and marketplaces on the dark web have shortened the lifecycle of criminal sites. This instability, combined with the surge of existing scams, has contributed to the fragmentation and multiplication of cyber threats.

The IOCTA report identified that the cybercriminal landscape was characterized by a mix of lone hackers and organized networks, offering a broad spectrum of expertise and capabilities. While some cyber criminals operated within the EU, others based their operations abroad, hiding their illegal activities and finances in third countries. It also recognized that 2023 saw law enforcement agencies (LEAs) deal heavy blows to the cybercriminal underground through the successive arrests of ransomware-as-a-service (RaaS) affiliates and operators and well-coordinated disruption of cybercriminal infrastructure.

Different RaaS providers compete for affiliates’ services and co-opt them into their operations, while some affiliates are suspected of having developed their own ransomware variants to lessen their dependence on RaaS providers and their susceptibility to law enforcement (LE) disruption. Recent LE operations and the leak of ransomware source codes (e.g. Conti, LockBit, and HelloKitty) have led to a fragmentation of active ransomware groups and available variants. Because of this reorganization, distinguishing between ransomware brands and the threat actors behind the operations is increasingly challenging.

Additionally, LockBit was the most prolific RaaS provider on the market in 2023. Cl0p is an advanced group with access to zero-day exploits while Akira is a newcomer in the ransomware scene that might become an increasing threat. IcedID, Pikabot, Smokeloader, SystemBC, and Danabot are some of the available and widely used alternatives to QakBot. Redline Stealer is becoming one of the go-to malware-as-a-service (MaaS) for data theft.

Data shows that the ransomware landscape has become more fragmented, which is likely caused by the continued international efforts to stifle criminal groups as well as the source code leaks of Conti (2022), LockBit (2023), and HelloKitty (2023) that have occurred in recent years. “The leaked codes, combined with rapidly improving AI tools, likely facilitate an accelerated development of new ransomware variants. These factors create incentive and opportunity for ransomware groups to splinter and rebrand, not only to obstruct investigations and attribution but also to take advantage of the chaos to grab a bigger share of the criminal market,” it added.

After the disruption of Hive’s services, BlackCat/ALPHV promoted their OpSec to attract affiliates previously working with Hive. One of BlackCat’s selling points was that its infrastructure is hosted outside the EU and North America, in addition to having a strict no-logs policy. A similar pattern emerged after the takedown of BlackCat/ALPHV onion sites in December 2023, as LockBit tried to enroll their affiliates and developers. Although BlackCat/ALPHV did not immediately cease their operations, the damage done to their reputation was significant. As of March 2024, BlackCat/ALPHV seem to have shut down their operations and are suspected to have pulled an exit scam on their affiliates.

The IOCTA report identified that most ransomware operators choose their targets based on the size, likelihood of a pay-out, and the effort required to compromise the target’s systems. “This means that attackers seek out publicly accessible systems and services within the infrastructure (reconnaissance) and assess which of them can be compromised most easily. Gaining initial access can be done through stolen credentials or by exploiting vulnerabilities in the public-facing technologies.”

It pointed out that ransomware groups and affiliates usually employ IABs (initial access brokers), who are essentially penetration testers specialized in certain technologies and applications. Usually, the IABs (and their specialization) that ransomware operators have available to them determine the viable attack surface and therefore influence the target selection process. Some technologies are very common, while others are more sector-specific, which is why patterns of some ransomware groups targeting certain sectors might emerge.

The report noted that similar to previous years, ransomware operators are continuing to deploy multi-layered extortion tactics. “Although attackers still tend to encrypt the compromised systems, the risk of publishing or auctioning the stolen data has become the most relevant pressure point against victims, since many organizations have started to back up their systems on a regular basis.”

IOCTA disclosed that there were several shifts in the malware-as-a-service (MaaS) landscape in 2023. “After the takedown of the Qakbot malware infrastructure, cybercriminals reacted quickly and turned to other well-established or up-and-coming dropper/loader service providers. Notable alternatives to QakBot currently used by cybercriminals are IcedID, SystemBC, Pikabot (newly emerged in 2023), DanaBot, and Smokeloader (heavily used by 8base group in their campaigns), which offer similar capabilities to obfuscate and deliver malicious payload to infected systems,” the report added.

Furthermore, it identified that legitimate penetration testing frameworks like Cobalt Strike, Metasploit, and Mimikatz are widely abused by cybercriminals for establishing persistence and for privilege escalation within compromised systems. Cobalt Strike has been the go-to solution for some time because of its diverse arsenal of capabilities. It is used as a backdoor and command-and-control (C2) center for executing commands, delivering additional payloads, and traversing infiltrated networks. The more recent AI-leveraged PentestGPT and similar AI-powered frameworks can also be used with malicious intent to facilitate the initial compromise of information systems.

Looking ahead, the IOCTA report identified that the wider adoption of AI tools and services by cybercriminals creates novel threats, involving both the abuse of legitimate tools and services and malicious versions of them created ad hoc by offenders. The growing number of LLMs (large language models) without prompt filtering that have emerged recently is set to multiply, and there will likely be more and more AI-generated advertisements luring potential victims into online fraud, while malicious LLMs will become even more prominent under the umbrella of crime-as-a-service (CaaS).

The report also highlighted that new RaaS brands are likely to emerge, but their longevity will largely depend on the experience and sophistication of the criminal actors behind the operations. Since many ransomware groups operate in countries with limited judicial cooperation, the LEAs’ approach of disrupting and taking down criminal services to sow distrust towards their brands will be the way forward.

Earlier this month, Europol announced coordinated global action, termed Operation Morpheus, against the criminal misuse of Cobalt Strike. The agency reported the dismantling of 593 Cobalt Strike servers that were being used criminally. The operation saw collaboration between law enforcement and the private sector to address the abuse of this legitimate red teaming tool, which criminals utilized to infiltrate victims’ IT systems.

Anna Ribeiro

Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.
