news
March 6, 2024by Dov Lerner

State of the Underground 2024: The good, the bad, and the ugly in cybersecurity trends

For many in the cybersecurity industry, there’s an expectation that cyber news comes down to “things are really bad and getting even worse:” more and more attacks, greater sophistication by the threat actors, and ever-deeper costs to those suffering breaches.

Fortunately, there’s a bit of good news to share about recent trends, as we discovered while compiling our State of the Underground 2024 report. On a few fronts, the attackers are being repelled or at least finding less success than they had previously.

That’s not to say that cybersecurity professionals have less to worry about. There are still many areas of concern for cyber defenders, as discussed in our latest report. Below is a summary of the good, the bad, and the ugly in cybersecurity trends, as revealed in our annual State of the Underground report.

Sources of intelligence

Cybersixgill has been at the forefront of collecting information about threat actors. Our automated mechanisms collect millions of intelligence items from the clear, deep, and dark web EVERY DAY. With this unparalleled compilation of data, we’re able to create a broad, detailed picture of cybercriminal activities.

In our report, we compared 2023’s figures with those from previous years to identify what new trends are emerging, which ones have diminished, and what the overall impact is on intended targets.

Let’s start with the positive developments and pinpoint the areas of change.

Exploited vulnerabilities tumble by 66%

CISA’s Catalog of Known Exploited Vulnerabilities listed 188 exploited vulnerabilities in 2023 vs. 556 in 2022. Such drop-offs are obviously welcome, but we should caution that this information doesn’t mean that the overall impact or number of attacks using CVEs declined in parallel.

As a side note, it’s worth noting that the Common Vulnerability Scoring System (CVSS) as a way of categorizing threats only provides one piece of information. The CVSS score evaluates the potential severity of a vulnerability without assessing how likely that vulnerability will be targeted - in other words, it doesn’t assess the risk posed to organizations. Cybersixgill’s Dynamic Vulnerability Exploit (DVE) Intelligence alerts teams to high-risk CVEs that are most likely to be exploited by threat actors well before the National Vulnerability Database (NVD) has assigned it a CVSS score, helping them to prioritize remediation activities and reduce their risk exposure effectively.

Some initial access markets were shut down but others are going strong

 After declining for a number of years, the sales of access to compromised remote desktop protocols (RDPs) in dedicated marketplaces stopped completely in 2023, as the primary RDP market was taken down. Furthermore, a major market for compromised endpoints, Genesis1, was taken down by law enforcement in April 2023. 

However, actors still had plenty of opportunities to gain access to systems, as compromised endpoint sales massively increased in 2023 by a whopping 88% over 2022. Compromised domains, meanwhile, jumped by 17% as well. These all represent potential entry points for cybercriminals into organizational systems, allowing them to execute ransomware demands and other attacks.

Ransomware: a mixed bag

The good news: Ransomware attacks (as measured in terms of posts on leak sites) dropped by more than 9%. The bad news: the average ransomware payout increased by almost 90%. In other words, ransomware attacks became more targeted and sophisticated, aimed at organizations that could afford to pay higher ransomware. 

One piece of news that came after we published the State of the Underground report came earlier this month (February 2024). An international law enforcement operation arrested and indicted members of the LockBit ransomware gang – one of the world’s most notorious associations, linked to more than $120 million in ransom payments and billions in damages. In our report, we calculated that LockBit was responsible for 24% of all ransomware attacks detected in 2023 – the largest percentage attributable to a single organization. We can only hope this trend will continue in 2024, but it remains to be seen whether other groups will fill in for LockBit’s absence.

Stealer malware proliferates

Stealers have continued to increase in popularity among cybercriminals. This malware gathers valuable data such as credentials from infected systems. In 2023, threat actors used four new types extensively: Stealc, Risepro, Lumma, and Silencer. Still, the established stealers, such as Raccoon and Vidar, remained popular – demonstrating their resilience in the face of new competition due to their reliability, effectiveness, and maintenance by their providers. 

Also noteworthy is that Raccoon saw increased usage, despite the arrest of one of its central administrators in 2022, demonstrating that not all law enforcement actions curb the use of cybercriminal activity.

Underground credit card markets slightly rebound from multi-year decline

Beginning in 2019, we saw a steep drop in the number of compromised credit cards for sale on underground credit card markets. That year, the total number of cards for sale totaled more than 140 million. Just a few years later, in 2022, there were only 9.1 million cards posted for sale. In 2023, that number jumped by 25% to just over 12 million.

Furthermore, the average price of a compromised credit card with CVV data dropped as well: down from $12.21 in 2022 to $9.72 in 2023.

We believe these declines are due to improved fraud prevention and detection, better e-commerce security, and effective law enforcement. Declines in compromised credit-card value also can be due to cybercriminals selecting more profitable alternatives. Simply put, it has become harder to compromise a credit card and it has become harder to use one fraudulently.

Nevertheless, the significant rebound in 2023 is a reminder that organizations can’t be complacent regarding credit-card theft. Threat actors are undoubtedly seeking new ways to compromise them and monetize them. It remains to be seen in which direction credit card theft will trend in 2024.

Download the report to get a deeper understanding

It is quite difficult to take all of these data points and distill them into a single, cohesive bottom line. However, the overall message is that while there have been disruptions, the cybercrime underground is largely continuing with business as usual. That is, while the best efforts of the cybersecurity industry to prevent and detect breaches and of law enforcement to apprehend criminals have led to some significant successes, threat actors are largely continuing their activities. 

If you want to learn more about these and other findings, download the report to gain an in-depth understanding of the underground we face in 2024. If you want to see a demo of Cybersixgill’s solutions and learn how we can help keep you a step ahead of the cybercrime underground, sign up for a demo of our products or contact us for more information.


 1https://www.justice.gov/opa/pr/criminal-marketplace-disrupted-international-cyber-operation

You may also like

SOTU-Ransomware blog thumbnail

April 17, 2024

State of the Underground 2024: Two ways to guard against the ongoing threat of ransomware

Read more
Access for Sale Blog-Thumbnail

April 16, 2024

Cybersixgill’s Access Currently for Sale - high-value intelligence just got even better

Read more
Change Healthcare Breach Blog Thumbnail

April 15, 2024

Change Healthcare Breach: Data in the Hands of a New Ransomware Group

Read more