Sophos 2023 Threat Report

Defending against the new malware “as-a-service” global economy

The gloves came off in 2022. While Russia-based threat actor groups spread misinformation and launched multiple cyberattacks against Ukraine, China-based (and likely sponsored) threat actor groups attacked hardware security products made by nearly every company in the cybersecurity and infrastructure industries.

During this time, the cybercriminal economy has increasingly transformed into an industry. Information technology companies have shifted to “as-a-service” offerings, and the cybercrime ecosystem has done the same. Access brokers, ransomware, information-stealing malware, malware delivery, and other elements of cybercrime operations have lowered barriers to entry for would-be cybercriminals.

Get the Report Now

Malware-as-a-service continues to change the economic landscape of cybercrime

Criminal marketplaces such as Genesis enable entry-level cybercriminals to purchase malware and malware deployment services and sell stolen credentials and other data in bulk. Access brokers are increasingly selling vulnerable software exploits and credentials to other criminal organizations.

This industrialization of ransomware has allowed ransomware “affiliates” to evolve into professional operations specializing in exploitation. These professional groups specialize in gaining (or purchasing) access for any motivated actor willing to pay—or, in some cases, multiple actors with multiple motives.

In this report, you’ll learn about:

  • Geopolitical Impacts and Conditions
  • Attack-as-a-service Variations
  • Notable Attack Tool Detections
  • The Infostealer Ecosystem
  • Ransomware Attack Trends for Practitioners

Cybercrime-as-a-service: The Naughty Nine

Access-as-a-service

Gaining access to compromised accounts and systems in bulk through RDP and VPN credentials, web shells, and exploitable vulnerabilities

Malware-as-a-service

Facilitating the distribution of malware within specific regions or sectors with watering-hole attacks, crossover with access-as-a-service listings, and other vulnerabilities

Phishing-as-a-service

How threat actors are offering end-to-end services for cloned sites, hosting, emails to bypass spam filters, and other phishing campaigns

OPSEC-as-a-service

Bundled services provided by threat actors designed to hide Cobalt Strike infections to minimize the risk of detection

Crypting-as-a-service

Common on many forums, crypting as a service involves the use of encrypted malware to bypass detection for a one-time purchase or subscription

Scamming-as-a-service

Designed as classified ads, scamming kits and services help threat actors pose as support specialists for cryptocurrency scams

Vishing-as-a-service

How threat actors offer to rent voice systems to receive calls where victims opt out and speak to a bot, rather than a human

Spamming-as-a-service

Infrastructure designed to build or manage bulk spamming services through a variety of mechanisms, including SMS and email

Scanning-as-a-service

Offering access at discount prices for legitimate commercial tools such as Metasploit and Burp Suite to find and exploit vulnerabilities

How Sophos is Keeping Up in 2023

Real-time threat intelligence, Sophos X-Ops threat response specialists, and world-leading AI with deep learning capabilities enable Sophos to continually evolve against criminal activities. The Sophos 2023 Threat Report provides key insights to help organizations and security practitioners defend against new ransomware groups and services designed to launch multiple malware attacks and steal information.

Get the Report

Cybersecurity Delivered

Sophos is a worldwide leader in next-generation cybersecurity and protects more than 500,000 organizations and millions of consumers in more than 150 countries from today’s most advanced cyberthreats. Sophos delivers a broad portfolio of advanced security services and products to protect corporations and individuals against a wide range of cyberattacks.