EMMANUEL TZINGAKIS, Technical Lead, African and Venture Markets at Trend Micro, discusses the importance of threat intelligence and how this has an impact on ransomware gangs and hackers on a global level.
The threat landscape has expanded in recent years as our world has become more interconnected. This has resulted in cybercriminals seeking out more opportunities to exploit vulnerabilities for profit.
Cybercriminals are far more organised than ever before. What we would typically call a “gang” is a team of people that looks a lot like a legitimate business, with departments for recruitment and finance. As a result, attacks have moved away from simple virus disruptions to costly incidents that involve ransomware, encryption and Denial-of-Service.
Trend Micro has been tracking and monitoring the evolution of these organised crime groups to turn the tide against these illicit enterprises and create a safer digital world. To have a true impact and combat the threat of cybercriminals, we share this threat intelligence with other security vendors, as well as academics and law enforcement agencies.
This “better together” way of thinking has seen us train up hundreds of law enforcers over the past decade or more and has contributed to the dismantling of highly successful criminal organisations.
International collaboration with INTERPOL
One of our longest-standing law enforcement partnerships is with INTERPOL. The information we provide, from details about malicious actors to the threats and infrastructure used in their many attacks, gives INTERPOL valuable intelligence. This strategic partnership aims to enhance cyber expertise within law enforcement agencies, empowering them to effectively investigate and counter cybercriminal activities.
A key part of Trend’s partnership with INTERPOL is the work we do together under the Africa Cyber Surge Operation. Started in 2022, the first round of the operation was so successful that a second campaign ran for four months in 2023, which saw law enforcement organisations from 25 countries participate.
During this time, Trend provided investigators with information about over 3,700 malicious command and control servers, 1,500 malicious IP addresses located in South Africa, Egypt, Seychelles, Algeria and Nigeria, and malicious traffic detections linked to scams, malware, phishing and command and control servers. From this and other shared insights, police made 14 arrests and identified a massive 20,674 suspicious cybercrime networks linked to losses of over $40 million.
Global police do a fantastic job of hunting down those responsible for cybercrime. However, resources and in-house expertise are often stretched. That’s why public-private partnerships are so important to the ongoing fight against ceaseless malicious online activity.
Operation Cronos locks out LockBit
More recently, we witnessed the takedown of one of the world’s most notorious ransomware gangs, LockBit, thanks to the cooperation between trusted partners and law enforcement agencies.
The Ransomware-as-a-Service (RaaS) group was responsible for between 25% and 33% of all ransomware attacks in 2023, claiming thousands of victims since it was first observed in September 2019. LockBit’s business model revolved around affiliates that would be responsible for the attacks, with the group claiming a 20% cut of the ransomware payment.
In February this year, the UK’s National Crime Agency initiated Operation Cronos, which saw the seizure of the group’s source code, the technical infrastructure it used to carry out attacks, and its leak site.
With these in hand, law enforcement announced arrests, sanctions and cryptocurrency confiscations. The operation was well publicised across LockBit’s network and site, which has helped to cast doubt on the gang’s once powerful reputation as a RaaS group.
Following Operation Cronos, Trend Micro received a sample of what is believed to be a new version of LockBit’s software. With this sample, we have been able to pass on intelligence to our law enforcement partners and bolster our defences for customers.
These attacks will keep on coming unless we discomfort and disrupt the threat actors themselves. By sharing resources and intelligence, the cybersecurity industry has demonstrated it can cripple cybercriminals and their infrastructure. We are, after all, working towards the same goal: a safer online environment for all.