Key Points

  • State-affiliated threat groups “APT29” and “APT41” have been at the forefront of Russian and Chinese espionage activity, which will likely continue in the medium-term future (6-12 months).
  • Data vendor “IntelBroker,” acting admin of BreachForums, has significant oversight of activities being conducted by various threat actors on the largest English-language cybercriminal forum.
  • In Q3 2024, ransomware service provider “RansomHub” emerged as the most dominant ransomware group, taking the mantle from “LockBit” and “ALPHV.”
  • Hacktivist gang “KillSec,” originally aligned with the “Anonymous” hacktivist collective, has recently shifted towards financially motivated ransomware activity.

Our report spotlights five major threat actors dominating the cybersecurity landscape in 2024 that every professional should know about. By examining their methods, motivations, and recent attacks, we equip enterprises with the insights needed to strengthen their defenses against these actors. Whether they’re nation-state actors, cybercrime groups, or hacktivists, understanding who these groups are and how they operate is the first step in fortifying your cybersecurity posture.

The ReliaQuest Threat Research team examined customer incident data, industry reports, and cybercriminal forums, focusing on the threat actors’ historical activity, expected future activity, dark web interest, and their proven ability to evade defenses and execute successful attacks. Through our analysis, we’ve pinpointed the most critical threat actors and groups demanding proactive countermeasures.

In this spotlight, we explore ransomware service provider “RansomHub,” data vendor “IntelBroker,” advanced persistent threat (APT) groups “APT41” and “APT29,” and hacktivist gang “KillSec.”

All these groups have recently executed high-profile attacks, causing substantial impact to targeted organizations. To help you better defend against similar threats, we’ll walk you through each adversary’s tactics, techniques, and procedures (TTPs) and provide actionable recommendations to counter their activities.

RansomHub

First seen in February 2024, RansomHub is a global ransomware-as-a-service (RaaS) group that has targeted a wide variety of sectors and geographies, including critical national infrastructure (CNI). The group enforces strict targeting rules for affiliates, expelling members who attack prohibited organizations like those in the Commonwealth of Independent States (CIS), Cuba, North Korea, or China.

RansomHub has likely stepped into a void left behind by the shutdown of several previously prominent ransomware groups, including “LockBit” and “ALPHV,” positioning itself as the current most active and significant threat in ransomware activity.

For initial access, RansomHub affiliates often compromise internet-facing systems and user endpoints via phishing emails, password spraying, and exploiting high-risk remote code execution (RCE) and privilege escalation vulnerabilities. Once inside, they use tools like Angry IP Scanner, Nmap, and PowerShell to scan and map out networks, identifying sensitive systems for maximum impact. PowerShell commands often go undetected because they use native Windows functions and execute scripts in memory, bypassing traditional detection methods.

Affiliates disguise ransomware executables with harmless file names, placing them on the targeted individual’s desktop or in their downloads folder. To complicate detection, they clear system logs, disable antivirus software using Windows Management Instrumentation (WMI), and shut down endpoint detection and response (EDR) systems with proprietary tools. For persistence, RansomHub affiliates create new user accounts, reactivate disabled ones, and deploy tools like Mimikatz to harvest credentials and escalate privileges. They move laterally using legitimate tools like Remote Desktop Protocol (RDP), PsExec, AnyDesk, ConnectWise, Cobalt Strike, and Metasploit, blending seamlessly with legitimate IT activities and complicating incident response.

Data exfiltration methods vary but often involve tools like PuTTY, Amazon Web Services (AWS) S3 buckets, HTTP POST requests, WinSCP, Rclone, Cobalt Strike, and Metasploit. The ransomware itself doesn’t handle data exfiltration but relies on these tools to steal data before encryption. RansomHub uses the Curve25519 elliptic-curve algorithm to lock files, generating a unique public/private key pair for each victim. The ransomware binary stops various processes and encrypts user files and network shares.

Significant Activity

Meteoric Ascent in 2024

RansomHub shot to prominence in early 2024 after law enforcement dismantled major cybercrime groups like ALPHV (“BlackCat”) and LockBit. The power vacuum left by these takedowns gave RansomHub the opportunity to recruit seasoned affiliates from the disbanded groups and quickly become a dominant force. Among these experienced affiliates is the “Scattered Spider” group, known for its custom tools and advanced social engineering skills, which helped RansomHub become the most active ransomware group in Q3 2024 (see Figure 1). This new alliance has already made waves in the ransomware landscape, which we analyze in more detail in our recent Threat Spotlight report.


Figure 1: Most active ransomware groups in Q3 2024

Continuation of Big Game Hunting

A RansomHub attack can hit hard. Beyond the immediate financial loss from paying the ransom, victims may face major downtime, loss of productivity, and hefty recovery costs. For the critical infrastructure, health care, and financial sectors, operational disruption can be severe. In September 2024, an attack on Planned Parenthood of Montana resulted in the theft of approximately 100 GB of sensitive data. The organization was also reportedly forced to take parts of its network offline in an attempt to contain damages. The damage doesn’t stop there: an attack can devastate an organization’s reputation, causing customers and stakeholders to lose trust in its ability to protect sensitive information. This can lead to long-term harm and lost business, with some companies never fully recovering. RansomHub targets high-value organizations, engaging in “big game hunting” against large enterprises—a trend previously seen with other prominent ransomware groups. Thanks to its increasing sophistication, even companies with big security budgets need to remain extra vigilant of these seasoned cybercriminals.

September Surge: EDRKillShifter and Zerologon Exploits

In September 2024, RansomHub was reported to be using the “EDRKillShifter” tool to facilitate defense evasion. This loader tool exploits vulnerable drivers and terminates security protections on targeted endpoints. EDRKillShifter also strengthens RansomHub’s persistence by using techniques that keep the tool present on the system even after the initial compromise is discovered and mitigated. It disrupts security processes in real time and adapts its methods as detection capabilities evolve. Researchers also identified the Zerologon vulnerability (CVE-2020-1472) as a conduit for initial access. The use of EDRKillShifter poses a substantial threat, as it allows RansomHub to effectively neutralize critical security measures, making it easier for the threat group to carry out its attacks undetected.
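The defense-evasion and persistence chain described above (log clearing, AV tampering via WMI, re-enabling or creating accounts, loading a vulnerable driver) leaves a recognizable trail in Windows Security and Sysmon telemetry. The following detector is an added example, not ReliaQuest code; it tags individual events and raises a per-host incident when several distinct tags land inside one time window. The event records, hostnames, account names and driver path are constructed samples, and the field names are a simplified stand-in for real event schemas.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (simplified Windows Security / Sysmon fields);
# not real logs from any incident. Timestamps are UTC.
SAMPLE_EVENTS = [
    {"time": "2024-09-10T02:11:05Z", "host": "FS01", "channel": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "command_line": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"time": "2024-09-10T02:14:40Z", "host": "FS01", "channel": "Sysmon", "event_id": 6,
     "image_loaded": r"C:\Users\Public\Downloads\drv.sys", "signed": "false", "signature": "-"},
    {"time": "2024-09-10T02:20:12Z", "host": "FS01", "channel": "Security", "event_id": 4722,
     "target_user": "backup_svc"},
    {"time": "2024-09-10T02:21:00Z", "host": "FS01", "channel": "Security", "event_id": 1102,
     "subject_user": "backup_svc"},
    {"time": "2024-09-10T09:00:00Z", "host": "WS17", "channel": "Security", "event_id": 4720,
     "target_user": "jsmith"},
    {"time": "2024-09-10T09:05:00Z", "host": "WS17", "channel": "Sysmon", "event_id": 6,
     "image_loaded": r"C:\Windows\System32\drivers\ndis.sys", "signed": "true",
     "signature": "Microsoft Windows"},
]

# Command-line patterns associated with AV discovery or tampering through WMI
# and the Defender cmdlets (widely published detection content).
AV_TAMPER_PATTERNS = [
    re.compile(r"SecurityCenter2.*AntiVirusProduct", re.I),
    re.compile(r"Set-MpPreference\s+-Disable\w+", re.I),
    re.compile(r"\bwmic\b.*\bcall\s+(uninstall|terminate)\b", re.I),
]
# Drivers should not be loaded from user-writable locations.
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def match_event(ev):
    """Return the list of TTP tags a single event triggers (empty if benign)."""
    tags = []
    ch, eid = ev.get("channel"), ev.get("event_id")
    if ch == "Security" and eid == 1102:          # audit log cleared
        tags.append("log_cleared")
    elif ch == "Security" and eid == 4720:        # user account created
        tags.append("account_created")
    elif ch == "Security" and eid == 4722:        # disabled account re-enabled
        tags.append("account_enabled")
    elif ch == "Sysmon" and eid == 6:             # driver loaded
        path = ev.get("image_loaded", "")
        if ev.get("signed", "").lower() != "true" or USER_WRITABLE.search(path):
            tags.append("suspicious_driver_load")
    elif ch == "Sysmon" and eid == 1:             # process created
        cmd = ev.get("command_line", "")
        if any(p.search(cmd) for p in AV_TAMPER_PATTERNS):
            tags.append("av_tamper_wmi")
    return tags


def correlate(events, window_minutes=30, min_distinct=2):
    """Group tagged events per host and raise an incident for any host where
    at least `min_distinct` different tags occur within a sliding window.
    Returns {host: {"start": iso_time, "tags": [...], "event_ids": [...]}}."""
    by_host = defaultdict(list)
    for ev in events:
        for tag in match_event(ev):
            by_host[ev["host"]].append((parse_time(ev["time"]), tag, ev["event_id"]))

    window = timedelta(minutes=window_minutes)
    incidents = {}
    for host, hits in by_host.items():
        hits.sort()
        best = None
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            distinct = {tag for _, tag, _ in in_window}
            if len(distinct) >= min_distinct and (best is None or len(distinct) > len(best[1])):
                best = (t0, distinct, [eid for _, _, eid in in_window])
        if best:
            incidents[host] = {"start": best[0].isoformat(), "tags": sorted(best[1]),
                               "event_ids": best[2]}
    return incidents


if __name__ == "__main__":
    for host, inc in correlate(SAMPLE_EVENTS).items():
        print(host, inc)
```

A single account creation or a signed driver load from System32 (the WS17 host above) stays below the incident threshold; the value is in the combination, which is why the correlation step is applied per host rather than alerting on each rule alone.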

Fortify Your Security Posture By:

  • Planning Your Recovery: Keep multiple copies of sensitive or proprietary data and servers in a secure, segmented, and physically separate location such as a hard drive, storage device, or cloud storage. In the event of a ransomware attack, this will dramatically improve recovery efforts and minimize damage.
  • Hardening Virtualization Software: RansomHub is known to have exploited ESXi environments to create virtual machines (VMs). Ensure ESXi software is up to date to prevent privilege escalation and ransomware deployment. Implement vCenter network access control by creating a network allowlist with the vCenter Server Appliance Firewall to only allow trusted traffic to access the vSphere environment.
  • Implementing Network Segmentation: Segment networks to restrict adversary lateral movement and prevent the spread of ransomware.

IntelBroker

Active since October 2022, IntelBroker is a highly active and financially driven threat actor, who serves as the administrator of the prominent English-language cybercriminal forum BreachForums. Originally from Serbia, IntelBroker is notorious for sharing and selling stolen databases, creating the open-source, C#-based ransomware “Endurance,” and engaging in malware development and access sales. High-profile breaches of Europol, Los Angeles International Airport, Apple, and Space Eyes showcase their advanced capabilities, although their vague posts on BreachForums make pinpointing their specific techniques challenging.


Figure 2: IntelBroker’s BreachForums profile

IntelBroker has continued targeting prominent organizations and made international headlines in October 2024 by posting a breach that referenced technology company Cisco. This breach reportedly contained an undisclosed amount of sensitive data, but over 1,100 organizations are said to have been impacted, demonstrating their ability to carry out far-reaching attacks.

IntelBroker scouts for victims by gathering publicly available information and scanning for vulnerabilities. They use social engineering tactics to dig deeper into organizational structures and employee details. Security researchers report that IntelBroker exploits known and zero-day software and hardware vulnerabilities to infiltrate systems. They have been publicly associated with the following exploits:

  • CVE-2024-1597: Exploited this Confluence Data Center vulnerability in an intrusion against T-Mobile
  • CVE-2024-21894: Enabled IntelBroker to steal data from several US government agencies
  • CVE-2024-23897: Used this critical unauthenticated local file inclusion vulnerability affecting the open-source automation server Jenkins to breach an IT service provider

After the initial compromise, IntelBroker deploys backdoors to maintain persistent access and exfiltrate data. They harvest credentials from valid accounts to escalate privileges and move laterally within the network.

IntelBroker exfiltrates sensitive data like personal information, financial records, and intellectual property, using encrypted channels to avoid detection. This stolen data is either sold for large financial sums or posted for free, likely because a buyer willing to pay the desired fee cannot be found. They have also been linked to ransomware deployments, including Endurance ransomware, which acts as wiper malware, corrupting and deleting files. IntelBroker often threatens to leak the stolen data if ransoms aren’t paid, frequently posting breaches for free on BreachForums to pressure victims.

Significant Activity

IntelBroker’s New Waves of Attacks

When IntelBroker announced on BreachForums in October 2024 that they’d attacked Cisco, they claimed over 1,100 organizations were affected. They boasted of stealing a large volume of data, including source code, hard-coded credentials, confidential internal documents, API tokens, and storage buckets, all of which they offered for sale at an undisclosed price. Cisco later clarified that the compromised data came from a public-facing DevHub environment, not their core systems. Allegedly, no sensitive personal information or financial data was compromised, but as a precaution, Cisco disabled access to the site.

A few months earlier, in August 2024, the US Cybersecurity and Infrastructure Security Agency (CISA) released details of a critical vulnerability in the Jenkins open-source automation server, tracked as CVE-2024-23897. IntelBroker reportedly exploited this vulnerability to attack another major IT services provider. These incidents demonstrate IntelBroker’s skill in exploiting high-risk vulnerabilities, even successfully targeting enterprise companies with significant security budgets. The consequences of such breaches can be severe, including identity theft, financial loss, and reputational damage for the affected organizations.

Endurance: IntelBroker’s Evolving Malware Tool

IntelBroker has demonstrated advanced malware skills with the development of the open-source ransomware Endurance, which evades traditional antivirus and intrusion detection systems. In November 2022, IntelBroker reportedly used Endurance to target the US Federal Government. Constantly updated with new features, Endurance stays ahead of evolving security defenses, showcasing IntelBroker’s adaptability. The ransomware’s open-source nature also serves as a gateway for budding threat actors to enter cybercrime. While reports on Endurance’s use have been limited in 2024, it remains a significant tool in IntelBroker’s arsenal, capable of destructive purposes.

IntelBroker’s Network of Cyber Power

As a BreachForums administrator since October 2022, IntelBroker taps into a vast network of cybercriminals. This role allows them to share resources with other adversaries and coordinate large-scale attacks, although their exact methods remain unclear. Likely, much of the coordination occurs directly on BreachForums or using the site as a hub for other communication channels. IntelBroker can also use BreachForums to influence forum members by sharing stolen databases for free, empowering them with valuable data, and likely privately sharing their TTPs. Despite law enforcement crackdowns, including the arrests of previous moderators, IntelBroker and BreachForums remain resilient, continuing to operate and facilitate cybercriminal activities.

Fortify Your Security Posture By:

  • Patching Smart: Adopt a risk-based approach to prioritize and fix the most critical vulnerabilities first. Start with a comprehensive asset inventory and vulnerability assessment, then focus on high-risk vulnerabilities with known exploits. Use automated patch management tools to streamline the process and reduce human error. Regularly reassess your risk posture and adjust patching priorities accordingly.
  • Stopping Data Leaks: Implement data loss protection (DLP) technologies to monitor, detect, and block unauthorized data movement. Set policies to alert and prevent actions like copying sensitive files to external drives or cloud services.
  • Hardening Your Systems: Apply secure configuration baselines and hardening guidelines to all systems and applications. Disable unnecessary services, enforce strong password policies, and use configuration management tools to ensure consistent security.

While information related to IntelBroker’s TTPs is limited, these steps can help you further minimize the risk of a damaging attack by IntelBroker and similar financially motivated initial access brokers (IABs).

APT41

APT41 (aka Wicked Panda, BARIUM, Wicked Spider) is a Chinese state-affiliated threat group active since 2012. It is a versatile threat group, engaged in both cyber-espionage—likely supporting Chinese government interests—and financially motivated attacks. The overlap in tools and methods between APT41 and the “Winnti Group,” an umbrella organization allegedly linked to China’s intelligence agencies, exemplifies the complexity of attributing activity to China-nexus threat groups.

In July 2024, APT41 was linked to a significant campaign that successfully compromised multiple organizations in the global shipping, logistics, media, technology, and automotive sectors. This campaign had a broad impact, affecting many organizations worldwide. APT41 is likely one of a handful of threat groups spearheading Chinese espionage efforts.

The threat group gains initial access through spearphishing campaigns, supply-chain compromises, and exploiting vulnerabilities in public-facing applications. Once inside a network, it deploys custom malware to execute commands, install persistent backdoors and web shells, and create scheduled tasks to ensure its malware executes at every system reboot to guarantee long-term system access.

To escalate privileges, APT41 uses tools like Mimikatz for credential dumping and exploits privilege escalation vulnerabilities. For defense evasion, it disables endpoint detection solutions with tools like EDRKillShifter and obfuscates malicious code. To gain access to credentials, it uses keyloggers, brute-force attacks, and extensive network discovery. APT41’s lateral movement techniques involve exploiting remote services and using pass-the-hash (PtH) techniques.

For enhanced efficiency in its espionage efforts, APT41 uses automated tools to systematically collect sensitive data, including intellectual property and credentials. The group maintains communication with compromised systems through secure, encrypted channels, managing its command-and-control (C2) infrastructure via a mix of dedicated servers, compromised websites, and cloud services. For exfiltration, APT41 compresses and encrypts data to avoid detection and then transfers it to external servers.

Significant Activity

APT41’s Advanced Tactics in Action

With the backing of state resources, APT41’s cyber capabilities are significantly amplified, providing it with substantial financial, technical, and logistical support. This enables it to carry out large-scale, sophisticated, and persistent operations. With secure funding, it can sustain long-term campaigns, maintain persistent access, and conduct extensive reconnaissance, waiting for the perfect moment to strike. The group’s financial resources also fuel extensive research and development, allowing APT41 to develop custom malware, zero-day exploits, and advanced attack techniques tailored to its targets. For instance, in July 2024, researchers detailed an advanced APT41 campaign that impacted multiple global industries. The group maintained persistent access to exfiltrate sensitive data over an extended period. Researchers spotted custom tools like “AntsWord” and “BlueBeam” web shells, which were used to download the dropper “DustTrap.” This multi-stage plugin executes malicious payloads in memory, facilitating C2 with compromised systems.

Espionage, Financial Gain, and the Global Gambling Heist

APT41 is unique among Chinese threat groups for its dual focus on cyber espionage and financially motivated attacks. This duality broadens the group’s target range and operational scope, enabling it to target a wider range of organizations. APT41 likely operates on a contractual basis for the Chinese government, which turns a blind eye to the group’s activities as long as it avoids Chinese targets. In an intrusion reported in October 2024, APT41 was associated with an attack on the gaming industry, marking a pivot from espionage to financially motivated activity. This makes attributing and remediating its activity more challenging, as its motives often blur the lines.

Targeting Emerging Technologies

APT41 skillfully exploits emerging technologies and platforms, outpacing traditional defenses. With the rise of blockchain and cryptocurrencies, it has targeted exchanges and wallets through software vulnerabilities and phishing attacks to steal credentials. In its 2024 attack on the gaming industry, APT41 reportedly adapted its tactics and tools based on the security team’s responses, managing to maintain persistence on the compromised network for almost nine months. The group also targets mobile platforms, exploiting vulnerabilities in popular mobile operating systems and apps. Its advanced malware bypasses security on Android and iOS, steals sensitive information, tracks activity, and even controls devices remotely. By compromising mobile technology, APT41 gains access to valuable personal and corporate data, boosting its espionage and financial theft operations.

Fortify Your Security Posture By:

  • Establishing Advanced Logging and Monitoring: Turn on detailed logging (Windows Event Logs, Sysmon, application-specific logs) to spot APT41’s use of legitimate processes like PsExec, PowerShell, and WMI for lateral movement.
  • Application Allowlisting: Restrict unauthorized software to block APT41’s use of custom malware (e.g., BACKDOOR.MESSAGETAP, DEADLYSIGN) and legitimate tools like Cobalt Strike and Metasploit.
  • Implementing PAM: Use privileged access management (PAM) solutions to monitor privileged accounts to detect suspicious activities and stop APT41 from using legitimate administrative tools and credentials for lateral movement.

APT29

APT29 (aka Cozy Bear, Midnight Blizzard, or The Dukes) has been active since at least 2008 and is linked to the Russian Foreign Intelligence Service (SVR). This threat group specializes in espionage against government and government-affiliated entities worldwide. Its exceptional sophistication was exemplified in March 2020 when it compromised SolarWinds Orion software. It installed a backdoor in an update pushed to thousands of customers, including government agencies and Fortune 500 companies, giving it undetected access to networks and a staging point for future attacks. In 2024, APT29 showcased its skill in supply-chain compromise once again by targeting commonly used remote monitoring and management (RMM) software provider TeamViewer. Given its track record, it’s highly likely that the group will continue compromising organizations by exploiting widely used, but vulnerable, software providers in the medium-term future (three to six months).

APT29 uses spearphishing emails and supply-chain attacks to gain initial access, as demonstrated in its infamous phishing attack against the Democratic National Committee in 2016. Once inside, APT29 runs malicious code via PowerShell scripts, scheduled tasks, and user interactions. For persistence, it modifies registry keys, creates scheduled tasks, and uses dynamic-link library (DLL) side-loading. It then escalates privileges by exploiting vulnerabilities and using tools like Mimikatz for credential dumping.

APT29 moves laterally within networks using RDP and PtH to deepen its access and exfiltrate data. It evades detection by obfuscating code, disguising files, and tampering with security tools. Extensive reconnaissance helps APT29 tailor attacks with detailed system and network information. It harvests sensitive data using encrypted channels and web services for C2, employing domain fronting to mask C2 traffic and blend in with legitimate web usage, ensuring stealthy data exfiltration.
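Domain fronting, as mentioned above, shows up in TLS-inspecting proxy logs as a mismatch between the hostname in the TLS Server Name Indication (SNI) and the HTTP Host header carried inside the tunnel. The following checker is an added example, not ReliaQuest code; it compares the registrable domain of the two fields and reports sources that repeat the mismatch, which is the beaconing shape worth hunting. The flow records and hostnames are constructed placeholders, and the suffix set is a tiny stand-in for the public suffix list.

```python
from collections import Counter

# Constructed sample proxy records (not real traffic): the SNI seen in the
# ClientHello alongside the HTTP Host header observed after inspection.
SAMPLE_FLOWS = [
    {"src": "10.20.1.15", "sni": "assets.cdn-example.net", "host": "assets.cdn-example.net"},
    {"src": "10.20.1.15", "sni": "static.cdn-example.net", "host": "update-check.cdn-example.net"},
    {"src": "10.20.1.42", "sni": "www.cdn-example.net", "host": "c2-placeholder.example.org"},
    {"src": "10.20.1.42", "sni": "www.cdn-example.net", "host": "c2-placeholder.example.org"},
    {"src": "10.20.1.42", "sni": "www.cdn-example.net", "host": "c2-placeholder.example.org"},
    {"src": "10.20.1.77", "sni": "shop.example.co.uk", "host": "api.example.co.uk"},
    {"src": "10.20.1.77", "sni": "www.example.co.uk", "host": "partner.example.com"},
]

# Minimal stand-in for the public suffix list; a real deployment should use
# the full list so that eTLD+1 is computed correctly for every TLD.
MULTI_PART_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp"}


def registrable_domain(name):
    """Return the eTLD+1 of a hostname (e.g. www.example.co.uk -> example.co.uk)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def is_fronted(flow):
    """True when the TLS layer names one site and the HTTP layer another.
    Sub-domains of the same registrable domain are treated as consistent."""
    return registrable_domain(flow["sni"]) != registrable_domain(flow["host"])


def find_fronting(flows, min_hits=2):
    """Return {src: {(sni, host): count}} for sources whose SNI/Host
    mismatches repeat at least `min_hits` times; one-off mismatches are
    common on shared CDNs and are left out to reduce noise."""
    hits = {}
    for f in flows:
        if is_fronted(f):
            hits.setdefault(f["src"], Counter())[(f["sni"], f["host"])] += 1
    return {src: dict(c) for src, c in hits.items() if sum(c.values()) >= min_hits}


if __name__ == "__main__":
    for src, pairs in find_fronting(SAMPLE_FLOWS).items():
        print(src, pairs)
```

A mismatch is a lead, not a verdict: legitimate CDN customers sometimes share front-end hostnames, so the repeated pairs this returns should be enriched with destination reputation and timing before they drive a block.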

Understanding the risk posed by APT29 is crucial, especially with the upcoming US elections and the group’s history of targeting the DNC. The potential impact of APT29 shouldn’t be overlooked, as its sophisticated cyber espionage tactics could disrupt democratic processes and compromise election integrity.

Significant Activity

The Power of State Support

APT29’s ties to the SVR highlight its role in state-sponsored cyber activities that shape international relations and national security. With substantial state backing, advanced technological tools, and highly skilled operatives, APT29 crafts sophisticated malware, exploits zero-day vulnerabilities, and executes complex, long-term espionage campaigns. It conducts very targeted attacks, tailoring its tools and techniques to specific organizations. In an attack reported in October 2024, APT29 allegedly exploited vulnerable JetBrains and Zimbra servers, impacting organizations across multiple sectors globally and gaining access to sensitive data. This method, which the group has employed since April 2021, underscores the group’s sophistication and ability to remain undetected for extended periods.

Technological Advancement and Adaptability

APT29 excels at rapidly adapting to new technologies and developing innovative cyber tools, ensuring it remains a potent threat. Its ability to evolve and exploit emerging technologies keeps it ahead of countermeasures, making it a formidable force in cyber espionage. A recent example of APT29’s technological capabilities was its 2023 campaign targeting cloud-based Microsoft products. APT29 exploited vulnerabilities in cloud collaboration platforms, which are now essential tools for remote work, to gain access to sensitive data. This campaign highlights APT29’s ability to leverage new technologies to infiltrate critical systems.

Fortify Your Security Posture By:

  • Applying Advanced Threat Detection: Use intrusion detection systems (IDS) and intrusion prevention systems (IPS) to monitor network traffic for malicious activity, like open port scans. Set up alerts via network monitoring tools for unusual patterns of data exfiltration and C2. Enable automated responses to block threats in real time. Given APT29’s ability to rapidly adapt and exploit vulnerabilities, automated defenses can prevent APT29 from establishing a foothold in your systems.
  • Regular Threat Hunting: Proactively search for APT29 indicators of compromise (IoCs) and TTPs using threat intelligence feeds and advanced analytics. Use advanced analytics to then correlate this threat intelligence with internal network data to identify patterns and anomalies indicative of APT29 activity. This proactive approach enables early detection of potential breaches, allowing for swift and effective response measures.
  • Implementing Defense in Depth: Implement a multi-layered security strategy—including network segmentation, advanced endpoint protection, patch management, multifactor authentication, email security, and continuous monitoring. These layers work together to enhance resilience against APT29’s sophisticated tactics. If one control fails, several lines of additional defenses stand ready to mitigate the threat.

KillSec

Founded in 2021, KillSec (aka Kill Security) has rapidly made a name for itself in the hacktivist and ransomware scenes. Initially aligned with the “Anonymous” movement through high-profile website defacements, the group has since expanded its portfolio to include data breaches and ransomware attacks. Given Russia’s fast-deteriorating relations with the West, the threat from Russia-aligned hacktivists like KillSec is more significant than ever, particularly those capable of destructive attacks.

KillSec gains initial access by exploiting vulnerabilities in unpatched software and weak points, deploying sophisticated exploits to breach defenses. This allows it to sidestep traditional security measures and install ransomware or other malicious payloads on systems. Its ransomware, written in C++, encrypts files using AES-256, rendering them inaccessible without a decryption key. Compromised individuals receive a ransom note demanding payment to obtain the decryption key and retrieve their sensitive data, increasing the likelihood of compliance.

During attacks, KillSec defaces websites to tarnish organizations’ public image and uses compromised credentials for targeted data breaches. This causes immediate reputational damage and long-term harm to the entities’ credibility and security posture. It uses automated tools to exfiltrate data through secure channels, often encrypting it to avoid detection. It then uses the stolen data for extortion, threatening to release it unless a ransom is paid.

KillSec’s ability to exploit vulnerabilities and target diverse industries with high extortion demands makes it a formidable threat. Its advanced techniques and the lack of decrypting tools for its ransomware further complicate recovery efforts for affected organizations.

Significant Activity

KillSec Debuts Hacktivist-Run RaaS

In June 2024, KillSec unveiled its latest offering on its Telegram channel: its very own RaaS platform. This new platform is designed to empower aspiring cybercriminals with innovative tools and user-friendly features. The standout feature of the platform is an advanced locker written in C++, renowned for its power and speed. The locker encrypts files on the compromised user’s machine, making them inaccessible without a decryption key, which is only provided after the ransom is paid. The service boasts a user-friendly panel accessible via the Tor network and includes a chat feature for direct support from KillSec. Upcoming enhancements include a stressor tool, phone call capabilities to intimidate targets, and an advanced infostealer. While it’s still unclear how widely KillSec’s RaaS is adopted, its development marks the significant progress hacktivist groups are achieving in making sophisticated cyber tools accessible to a broader audience. With KillSec’s RaaS platform, even fledgling hacktivist actors can now launch ransomware attacks.

Hacktivism’s Dark Turn from Protest to Profit

Hacktivism, once a symbol of digital protest, is evolving alongside the cybercriminal landscape. Today, many hacktivist groups are moving from defacing websites and leaking documents to more lucrative tactics like ransomware. This trend, especially among Russian-aligned hacktivists, is spreading globally among politically oriented hackers, facilitated by the widespread sharing of ransomware tools and services. The shift creates a murky overlap between activism and cybercrime, raising questions about the true motivations behind these groups and the fine line between protest and profit. In 2024, KillSec has leaned more toward cybercriminal activities, potentially acting as a blueprint to inspire other hacktivist groups to follow. This evolution significantly increases the risks associated with hacktivism.

Blurred Lines: KillSec and the Politics of Cybercrime

While most of KillSec’s attacks appear financially driven, it’s increasingly influenced by geopolitical events, leading to ideologically driven and potentially destructive attacks. Particularly over the past 12 months, hacktivist activity has surged, partly fueled by the Russia-Ukraine conflict. In Q4 2023, we identified 1,308 companies being targeted, which rose to 2,036 companies in Q3 2024, as shown in Figure 3 below.

Figure 3: Hacktivist tippers Q4 2023–Q3 2024


Ransomware groups turning political complicates the landscape. In April 2022, internal conflict within the “Conti” group saw pro-Russia members align with Russian President Vladimir Putin’s regime, antagonizing pro-Ukraine members and ultimately leading to the group’s disbandment. This mix of criminal, political, and emotionally driven motives creates erratic behavior among threat actors, straddling both crime and activism.

Attributing cyber attacks is tough, especially with state-sponsored groups adopting cybercriminal and hacktivist tactics to maintain plausible deniability. The ongoing war between Ukraine and Russia will almost certainly continue into 2025, further complicating efforts to pinpoint the motivations of involved threat groups. Threat actors often mask their identities and intentions, making it hard to determine their true nature. Analysts must remain agile, recognizing that today’s threat groups often blend nation-state, hacktivist, and cybercriminal elements.

Crossing the Line? KillSec Targets Critical Infrastructure

KillSec has demonstrated a willingness to target sensitive CNI such as hospitals in its data breaches. In an attack on Belgian company Medicheck, KillSec published over 50,000 documents online, including stolen patient data. The breach significantly impacted the company, forcing a temporary halt to normal operations. It’s realistically possible that KillSec could aim for even more impactful attacks against similar targets in the future—potentially by using ransomware—as these organizations, with troves of highly sensitive data to protect, are more likely to pay ransoms to avoid extended outages.

Fortify Your Security Posture By:

  • Implementing Defense in Depth: Establish a multi-layered security approach that incorporates, for instance, firewalls, intrusion detection systems, endpoint protection, and data backups to ensure that if one defense is breached by a ransomware attack, others will block it.
  • Restricting PowerShell: Use Group Policy Objects (GPOs) to limit PowerShell access to necessary users only, preventing ransomware actors from using it to write malicious scripts.
  • Decoy Strategies: Implement deception technology by deploying honeypots and honeytokens to mimic valuable assets. This will distract ransomware attackers and alert security teams early in the attack cycle.

Conclusion

The threat groups highlighted in this report aren’t going anywhere anytime soon and are highly likely to remain prominent threats in the medium-term future (6-12 months). RansomHub is likely to solidify its spot as the most active ransomware group for the remainder of 2024, especially after the demise of LockBit and ALPHV. IntelBroker has posted several high-profile breaches in recent months, which will likely continue, although the full impact of these breaches is still unfolding. It’s realistically possible that APT29, the group behind Russia’s attempts to meddle in previous US elections, is gearing up for the 2024 elections. Meanwhile, APT41’s future is less clear due to its highly obfuscated activities, but it’s expected to leverage its advanced capabilities to target critical infrastructure, government entities, and private sector organizations worldwide. Its operations will likely focus on espionage to gather intelligence that benefits China’s strategic interests. KillSec is likely to continue its evolution from a hacktivist group to a financially motivated one, with a sole focus on ransomware operations in the short-term future (one to three months).

Staying proactive and flexible is crucial. By continuously monitoring shifts in TTPs, security teams can anticipate attacks and tailor defenses accordingly. Implementing automated incident response can enhance remediation by automatically containing threats upon detection, isolating hosts, blocking suspicious IoCs, terminating sessions, and rotating user credentials. Organizations using ReliaQuest Automated Response Playbooks have reduced their mean time to contain (MTTC) to just five minutes for relevant alerts. This rapid containment drastically reduces the scope and damage of threats, halting an attack in its tracks and allowing security teams the breathing room to thoroughly investigate the threat and maintain operational continuity.

Aligning threat intelligence with your specific threat model ensures that the most pertinent threats are prioritized and effectively mitigated. This vigilant and adaptive approach helps safeguard against emerging risks and maintains the integrity of critical systems and data.