{
	"id": "9292b8ec-250a-401a-90f0-3ca39c0a9ee5",
	"created_at": "2026-04-06T00:18:30.382904Z",
	"updated_at": "2026-04-10T03:33:22.6498Z",
	"deleted_at": null,
	"sha1_hash": "f84a64921fde962d4439687691e48d0f50574b49",
	"title": "Cybercrime is more of a threat than nation-state hackers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1030849,
	"plain_text": "Cybercrime is more of a threat than nation-state hackers\r\nBy Cynthia Brumfield\r\nPublished: 2022-11-15 · Archived: 2026-04-05 14:29:54 UTC\r\nPublished: Nov. 14, 2022\r\nBack-to-back security conferences detailed the latest threats posed by malicious nation-states on the one hand and\r\ncybercriminals on the other. One takeaway is that cybercrime volumes are more massive and more persistent than\r\nthe higher profile advanced persistent threats.\r\nOn the heels of this year’s Cyberwarcon conference, which tackled topics related to advanced persistent threat\r\n(APT) actors, the organizers branched off into a new, second-day event called “Brunchcon” that examined the\r\nother big basket of cyber threats organizations face: cybercrime.\r\n“I could never pick crimeware over APT or APT over crimeware,” Proofpoint vice president of threat research and\r\ndetection Sherrod DeGrippo said during the first presentation at Brunchcon. “It’s like trying to pick your favorite\r\nchild,” she said, even as she acknowledged that Proofpoint built its reputation by working on crimeware.\r\nBut, “crimeware is more advanced, it’s more persistent, it’s more a threat. It’s more fun. It’s cooler. It has weirder\r\nstuff. We saw tons of Queen Elizabeth’s death lures. And APT guys aren’t doing that.”\r\nCybercrime impacts every organization\r\nhttps://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721\r\nPage 1 of 4\n\nAlthough not as headline-grabbing as nation-state attacks, the bread-and-butter threats most cyber defenders face\r\ncome from criminals, not the Kremlin. “The volumes are massive,” DeGrippo said, a point underscored by other\r\nBrunchcon speakers. 
Red Canary director of intelligence and Brunchcon emcee Katie Nickels told README, “I\r\nthink researchers across the field agree that the predominant threats that we observe affecting organizations every\r\nday are cyber-criminal threats.”\r\n“I think the community tends to focus on so-called advanced persistent threats, those state-sponsored actors,\r\nbecause they’re intriguing, they’re interesting, they tend to make headlines,” Nickels said. “But the reality is that\r\nthe cybercrime actors compromising schools and hospitals with info stealers that can lead to data extortion or\r\nransomware impact every organization.”\r\nAllan Liska, an intelligence analyst at Recorded Future, agreed with DeGrippo and Nickels. “Sherrod had it\r\nright,” he told README. “The nation-state actors, for the most part, work nine to five, and then they go home. I\r\nknow we used to follow some Chinese threat actors who would leave for lunch for an hour every day. They had a\r\nbadminton porch in their office park. So, they would all go and [play badminton] and they would share scores\r\nwith each other and they had an ongoing tournament. And you don’t see that with ransomware actors. They just\r\nkind of work themselves to death. So, you do have to worry about that,” he said.\r\nStephan Rothe / Unsplash\r\nThe number of ransom extortion sites jumped in 2022\r\nIt’s difficult to determine whether the number of ransomware incidents has waxed or waned during 2022, Liska\r\ntold Brunchcon attendees. “What I think is much more interesting is in 2021, and all of 2021, when we pulled\r\nthings from extortion sites, we were pulling from 44 different extortion sites throughout the whole year,” he said.\r\nHowever, as of Oct. 31, the number of extortion sites from which Recorded Future pulled data rose to 113. “We’ve\r\nalso tracked 223 new ransomware variants,” Liska said. 
“And I want to be very clear, most of this is actually\r\nstolen code or rebranded stuff. I’m not saying that 223 people have gone out and made brand new ransomware\r\nvariants, but these are never-seen, never-reported ransomware variants compared to 183 in all of 2021.”\r\nOther ransomware trends flagged by Liska include a drop in healthcare and local government ransomware attacks.\r\nAttacks on schools are “downish,” he said, but they could still end up exceeding those of last year. Notably,\r\n“national government attacks are way, way, way up because there are almost none of those in the previous few\r\nyears,” Liska said.\r\nCosta Rica, for example, was thrown into a national emergency when it was struck by a ransomware attack from\r\nthe Russia-linked Conti ransomware gang earlier this year. Other Latin American nations, including Chile and the\r\nDominican Republic, have been targeted by ransomware attackers over the past several months.\r\nOne conclusion Liska takes away from his data is that “we’re starting to see ransomware groups reject the\r\n[ransomware as a service] model and either going it alone or, if they’re adopting the RaaS model, they’ve also got\r\na side hustle of ‘I also have my own ransomware, so maybe sometimes I deploy LockBit, but sometimes I deploy\r\nmy own ransomware.’”\r\nConsequently, “what we’re seeing is LockBit, and then a whole bunch of really also-rans, and very few are\r\ncracking even a hundred victims on their extortion site,” Liska said. “None that have gotten over 200 victims. So,\r\nwe’re seeing this kind of either centralization to LockBit or moving away from that entirely.”\r\nInfo stealers enable a new class of attackers\r\nSome new cybercrime threats are on the rise due to the advent of info stealers, Christopher Glyer, a principal\r\nsecurity researcher at Microsoft, told Brunchcon attendees. 
The rise of info stealers “have really enabled an\r\nentirely kind of new class of attacker that now is actually targeting enterprises,” Glyer said.\r\nAlthough many of the info stealer groups Microsoft tracks are broadly labeled as Lapsus$, a loosely formed group\r\nof hackers notorious for attacking large companies such as Microsoft itself, Nvidia and Samsung for extortion\r\npurposes, “there’s an entirely new class of actors that we’re tracking in the last year and they have wildly different\r\nmotivations,” Glyer said. “Some of them are extortion operators, some deploy ransomware, some are looking to\r\nmonetize by targeting high net worth individuals. Others are looking to monetize via selling SIM swapping as a\r\nservice.”\r\nAmong this new class of actors is a group that Microsoft calls DEV-0537, which overlaps Lapsus$. Two other new\r\ngroups include DEV-0829 (which overlaps a group called Nwgen Team) and DEV-0875 (which overlaps a group\r\ncalled 0ktapus). Despite their differences, these new operators share some commonalities, including purchasing\r\ncredits or tokens from info stealers. Surprisingly, many of these groups come from western countries, according to\r\nGlyer. “They have native speakers for targeting organizations from a social engineering perspective.”\r\nBEC is on the rise\r\nAnother type of cybercriminal activity that is on the rise is business email compromise (BEC), wherein a\r\ncybercriminal socially engineers or tricks victims into handing over money. Despite its prevalence, “we’re barely\r\nscratching the surface,” Cofense principal threat advisor Ronnie Tokazowski said at Brunchcon. 
“The scale we’re\r\noperating at now, we are barely touching” the vast number of BEC operators out there.\r\n“We’ve had maybe 2,000 arrests, which is great, but we know at least hundreds of thousands of operators are\r\ndoing some of this stuff, to put that into perspective,” Tokazowski said. “We are absolutely nowhere near where\r\nwe need to be” in addressing BEC scams.\r\nAttendance at Brunchcon exceeded the organizers’ expectations, so much so that they’re considering hosting it as a\r\nstand-alone event as early as next May. But, to avoid a possible trademark dispute, Brunchcon will be\r\ncalled Sleuthcon going forward.\r\nSource: https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://readme.security/cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721"
	],
	"report_names": [
		"cybercrime-is-more-of-a-threat-than-nation-state-hackers-6f6cccf47721"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-10T02:00:05.311385Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-10T02:00:03.291149Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"Lapsus",
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-10T02:00:03.663831Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-10T02:00:05.014316Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9e75b919-e882-4496-b353-5c0070b31352",
			"created_at": "2024-02-02T02:00:04.088778Z",
			"updated_at": "2026-04-10T02:00:03.565273Z",
			"deleted_at": null,
			"main_name": "Storm-0829",
			"aliases": [
				"DEV-0829",
				"Nwgen Team"
			],
			"source_name": "MISPGALAXY:Storm-0829",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434710,
	"ts_updated_at": 1775792002,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f84a64921fde962d4439687691e48d0f50574b49.pdf",
		"text": "https://archive.orkl.eu/f84a64921fde962d4439687691e48d0f50574b49.txt",
		"img": "https://archive.orkl.eu/f84a64921fde962d4439687691e48d0f50574b49.jpg"
	}
}