AI-based tools designed for criminal activity are in high demand

Multiple regional conflicts, such as Russia’s continued invasion of Ukraine and the Israel-Hamas conflict, have resulted in a surge in cyberattacks and hacktivist activities, according to Trellix.


AI-driven ransomware boosts cybercrime tactics

The research examines an increasingly complex ransomware ecosystem where groups have adopted advanced tools with embedded AI to spread ransomware.

Trellix telemetry reveals China-affiliated threat actor groups remain a prevalent source of nation-state advanced persistent threat (APT) activities, with Mustang Panda generating more than 12% of detected APT activity alone.

“The last six months delivered AI advancements, from AI-driven ransomware to AI-assisted vulnerability analysis, evolving criminal strategies, and geopolitical events, which have reshaped the cyber landscape. Resilience planning has never been more important for cybersecurity teams,” said John Fokker, Head of Threat Intelligence, Trellix Advanced Research Center. “The increased use of generative AI by cybercriminals has also posed new challenges. The industry must continue monitoring for transformative use of AI by cybercriminals to strengthen defenses,” added Fokker.

With several arrests, the indictment of LockBit leaders, and action to dismantle infrastructure by global law enforcement, Trellix observed a diversification of ransomware groups, expanded use of AI-powered tools to deliver ransom demands, and a focus on tools built specifically to evade endpoint detection and response (EDR) solutions.

The top five most active groups account for less than 40% of all attacks, demonstrating less concentrated activity among major actors. This highlights the need for organizations and governments to remain adaptable, continuously updating their strategies to address the evolving tactics of ransomware groups.

RansomHub emerged as the most active among ransomware groups, accounting for 13% of Trellix detections. Its rise, and the activity of other smaller groups, further illustrates the fluid nature of ransomware. LockBit remains active, generating the second most detections (11%), followed by groups Play (7%), Akira (4%) and Medusa (4%).

Ransomware attacks continue to target healthcare and critical sectors

Trellix found a thriving market for EDR evasion tools on the dark web. They are built to avoid detection by the tools most organizations rely on to identify and respond to known threats. RansomHub adopted one such tool named EDRKillShifter to disable EDR capabilities before executing their attacks.

The cybercriminal underground has become a hub for malicious actors to sell new AI-based tools to execute crime. Trellix observed the sale of a number of these tools on the black market, including the Radar Ransomware-as-a-Service program, which conceals the way AI is used but seeks to recruit forum users to join its affiliate network.

Healthcare, education, and critical infrastructure remain prime targets, and the global spread of ransomware persists, focusing on the US and other developed economies. The US received 41% of all Trellix ransomware detections, outpacing the next most targeted country (the UK) nine-fold.

The Trellix Advanced Research Center examined industry cyber threat data, with analysis pointing to a rise in attacks from the North Korea-aligned group Kimsuky, whose activity was double that of other APT groups. The study of industry reports of cybersecurity events also revealed a targeted distribution across critical sectors, with government bearing the brunt of attacks (13%), followed by the financial sector (7%) and manufacturing (5%).
