LockBit ransomware gang most apt to leak stolen victim data

Issue 1 2023 News & Events

Trellix has released The Threat Report: February 2023 from its Advanced Research Centre, examining cybersecurity trends from the final quarter of 2022. Trellix combines telemetry collected from the world’s largest network of endpoint protection installs and its complete XDR product line with data gathered from open- and closed-source intelligence reports to deliver the report insights.


Carlo Bolzonello.

“Q4 saw malicious actors push the limits of attack vectors,” said John Fokker, Head of Threat Intelligence, at Trellix Advanced Research Centre. “Grey zone conflict and hacktivism led to an increase in cyber as statecraft and activity across threat actor leak sites. As the economic climate changes, organisations need to make the most effective security out of scarce resources.”

In South Africa, the threats and vulnerabilities follow similar targets and methods of infiltration, where human error, rather than system flaws, is exploited. Country lead for Trellix South Africa, Carlo Bolzonello, points to our most important institutions as the most attractive prey for international syndicates.

“The South African context for our findings overlaying the global results shows that ransomware and email threats are still top of the biggest threats to South Africa, with government a large focus followed by financial organisations,” Bolzonello says.

The report includes evidence of malicious activity linked to ransomware and nation-state backed advanced persistent threat (APT) actors, and examines threats to email, the malicious use of legitimate security tools, and more. Key findings include:

LockBit 3.0 most aggressive with ransom demands: While no longer the most active ransomware group (based on Trellix telemetry) – Cuba and Hive ransomware families generated more detections in Q4 – the LockBit cybercriminal organisation’s leak site reported the most victims. This makes LockBit the most vehement in pressuring their victims to comply with ransom demands. These cybercriminals use a variety of techniques to execute their campaigns, including exploiting vulnerabilities found as far back as 2018.

Nation-state activity led by China: APT actors linked to China, including Mustang Panda and UNC4191, were the most active in the quarter, generating a combined 71% of detected nation-state backed activity. Actors tied to North Korea, Russia, and Iran followed. The same four countries ranked the most active APT actors in public reports.

Critical infrastructure sectors most targeted: Sectors across critical infrastructure were most impacted by cyberthreats. Trellix observed 69% of detected malicious activity linked to nation-state backed APT actors targeting transportation and shipping, followed by energy, oil, and gas. According to Trellix telemetry, finance and healthcare were among the top targeted sectors by ransomware actors, and telecom, government and finance among the top sectors targeted via malicious email.

Fake CEO emails led to business email compromise: Trellix determined that 78% of business email compromise (BEC) involved fake CEO emails using common CEO phrases. This was a 64% increase from Q3 to Q4 2022. Tactics included asking employees to confirm their direct phone number to execute a voice-phishing – or vishing – scheme. 82% were sent using free email services, meaning threat actors need no special infrastructure to execute their campaigns.

The Threat Report: February 2023 includes proprietary data from Trellix’s sensor network, investigations into nation-state and cybercriminal activity by the Trellix Advanced Research Centre, open- and closed-source intelligence, and threat actor leak sites. The report is based on telemetry related to detection of threats, when a file, URL, IP-address, suspicious email, network behaviour or other indicator is detected and reported by the Trellix XDR platform.

Find more at https://www.trellix.com/en-us/advanced-research-center.html




Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Local innovation driving excellence in FM
Securex South Africa News & Events
As organisations seek cost-effective, sustainable, and high-quality solutions, home-grown facilities management innovation is proving to be a critical driver of operational efficiency and long-term success.

Read more...
PIV-ready High Sec Controller 7000
News & Events
Gallagher Security announced the release of the latest addition to its controller product range; the High Sec Controller 7000, which incorporates all the core functions of the C7000 Standard variant released less than 18 months ago.

Read more...
The impact of GenAI on cybersecurity
Sophos News & Events Information Security
Sophos survey finds that 89% of IT leaders worry GenAI flaws could negatively impact their organisation’s cybersecurity strategies, with 87% of respondents stating they were concerned about a resulting lack of cybersecurity accountability.

Read more...
Lack of optimism for African economy
News & Events
African Leadership University publishes the 2025 Africa Workforce Readiness Survey, which shows that only 21% of South African employers are optimistic about the future of the country’s economy, the lowest of any country polled.

Read more...
From the editor's desk: What’s a trillion between friends?
Technews Publishing News & Events
Back in the bad old days of 2015, some (who didn’t want to take the blame for coming up with that number) estimated the amount of money lost to corruption by the South African government to be around ...

Read more...
Closing physical security loopholes
Securex South Africa News & Events
Relying on outdated physical security measures can expose businesses and facilities to threats in today’s fast-evolving security landscape. Fortunately, advances in security technology are helping organisations stay ahead of threats by closing critical security gaps.

Read more...
Paxton opens second experience centre
Paxton News & Events Access Control & Identity Management
Security technology manufacturer, Paxton, has opened a new experience centre in Cape Town on 12 February in partnership with its exclusive distributors, Reditron and Regal Security.

Read more...
Gallagher’s Integrate 360 event in Durban
Gallagher News & Events Perimeter Security, Alarms & Intruder Detection
Gallagher Security held its Integrate 360 event in Durban, South Africa. The event attracted 65 channel partners, end users, and consultants from across KwaZulu-Natal and broader South Africa to showcase the latest in Gallagher’s technology suite.

Read more...
Vumacam highlights concerns with proposed Johannesburg CCTV by-laws
Vumacam News & Events Surveillance
Vumacam has raised objections to critical provisions of the by-laws governing privately owned CCTV cameras with a view of public spaces in the city, which were promulgated on Friday, 28 February 2025.

Read more...