Sophos 2023 Threat Report

Defending against the new malware “as-a-service” global economy

The gloves came off in 2022. While Russia-based threat actor groups spread misinformation and launched multiple cyberattacks against Ukraine, China-based (and likely sponsored) threat actor groups attacked hardware security products made by nearly every company in the cybersecurity and infrastructure industries.

During this time, the cybercriminal economy has increasingly transformed into an industry. Information technology companies have shifted to “as-a-service” offerings, and the cybercrime ecosystem has done the same. Access brokers, ransomware, information-stealing malware, malware delivery, and other elements of cybercrime operations have lowered barriers to entry for would-be cybercriminals.


Malware-as-a-service continues to change the economic landscape of cybercrime

Criminal marketplaces such as Genesis enable entry-level cybercriminals to purchase malware and malware deployment services, and to sell stolen credentials and other data in bulk. Access brokers are increasingly selling exploits for vulnerable software, along with stolen credentials, to other criminal organizations.

This industrialization of ransomware has allowed ransomware “affiliates” to evolve into professional operations specializing in exploitation. These professional groups specialize in gaining (or purchasing) access for any motivated actor willing to pay—or, in some cases, multiple actors with multiple motives.

In this report, you’ll learn about:

  • Geopolitical Impacts and Conditions
  • Attack-as-a-service Variations
  • Notable Attack Tool Detections
  • The Infostealer Ecosystem
  • Ransomware Attack Trends for Practitioners

Cybercrime-as-a-service: The Naughty Nine

  • Gaining access to compromised accounts and systems in bulk through RDP and VPN credentials, web shells, and exploitable vulnerabilities
  • Facilitating the distribution of malware within specific regions or sectors with watering-hole attacks, crossover with access-as-a-service listings, and other vulnerabilities
  • How threat actors are offering end-to-end services for cloned sites, hosting, emails to bypass spam filters, and other phishing campaigns
  • Bundled services provided by threat actors designed to hide Cobalt Strike infections to minimize the risk of detection
  • Common on many forums, crypting as a service involves the use of encrypted malware to bypass detection for a one-time purchase or subscription
  • Designed as classified ads, scamming kits and services help threat actors pose as support specialists for cryptocurrency scams
  • How threat actors offer to rent voice systems to receive calls where victims opt out and speak to a bot, rather than a human
  • Infrastructure designed to build or manage bulk spamming services through a variety of mechanisms, including SMS and email
  • Offering access at discount prices for legitimate commercial tools such as Metasploit and Burp Suite to find and exploit vulnerabilities

How Sophos is Keeping Up in 2023

Real-time threat intelligence, Sophos X-Ops threat response specialists, and world-leading AI with deep learning capabilities enable Sophos to continually evolve against criminal activities. The Sophos 2023 Threat Report provides key insights to help organizations and security practitioners defend against new ransomware groups and services designed to launch multiple malware attacks and steal information.


Cybersecurity Delivered

Sophos is a worldwide leader in next-generation cybersecurity and protects more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Sophos delivers a broad portfolio of advanced security services and products to protect corporations and individuals against a wide range of cyberattacks.