Cybersecurity specialist Trend Micro says it blocked more than 159-million email threats, around 8-million malicious URLs, and over 22-million malicious mobile apps targeting South African businesses and consumers between January and December 2023. This comes as threat actors move away from big-batch attacks to focus on a narrower range of more lucrative targets.

These new patterns in the cybercrime landscape are set out in the Trend Micro 2023 Annual Cybersecurity Report, which presents highlights from the company’s telemetry covering the broadest attack surface view across millions of commercial and consumer clients.

“Our latest data shows that threat actors are fine-tuning their operations, shifting away from large-scale attacks and instead focusing on a smaller range of targets, but with higher victim profiles for maximum gain with minimum effort,” says Gareth Redelinghuys, country MD, African Cluster at Trend Micro. “As they continue to double down on tried and tested techniques, they are also delegating and streamlining operations – resulting in bolder, more effective strikes.”

Though almost 40 000 ransomware attacks were blocked by Trend Micro in South Africa in 2023, year-on-year research shows that ransomware groups are working smarter instead of harder, prioritising high-value targets over volume.

There has been a general downward trend in ransomware detections, with worldwide detections from 2021 to 2023 averaging less than half of the recorded detections in 2020. However, this should not be misconstrued as a cue for security operations centres and decision-makers to lower their guard. Historically, ransomware attacks were launched in “bulk” – such as spam campaigns with malicious links – but attacks that focus on quantity can more easily be blocked.

Additionally, a continued increase in Trojan FRS threat detections globally could suggest that attackers are using more effective ways to evade preliminary detection by focusing on arrival and defence evasion techniques. Examples of this include Living-Off-The-Land Binaries and Scripts. Because these computer files are non-malicious in nature and local to the operating system, they can be used by threat actors to camouflage their attacks.

Last year, several ransomware families across the world were also observed maximising remote and intermittent encryption, as well as abusing unmonitored virtual machines to bypass Endpoint Detection and Response. Because less content is encrypted during intermittent encryption, for example, there is less chance of triggering detection.

Gangs are also launching bolder attacks. Prolific groups were some of the most active in 2023: Clop exploited major vulnerabilities, and BlackCat launched a new variant, while also making its extortion public by leveraging the US Securities and Exchange Commission’s four-day disclosure requirement to incentivise its victims to communicate more quickly with it.

This trend towards threat actors opting for quality over quantity is equally present in the patterns observed around email threats. Though email threat detections in South Africa decreased from almost 250-million in 2021 to 159-million in 2023, the increase in malware detection count over the same period suggests a shift in the threat landscape that finds attackers making use of more sophisticated ways to avoid detection.

Trend Micro’s data also shows a decrease in malicious URL detection in South Africa from 2021 to 2023, indicating that instead of focusing on malicious links to randomly victimise users, criminals are using more targeted operations such as BEC schemes where emails are less likely to undergo scrutiny because of how legitimate they look.

Instead of launching attacks on a wider range of users and relying on victims clicking on malicious links in websites and emails, attackers are launching more sophisticated attacks that use specificity to trick a narrower field of high-profile victims. This also allows attackers to bypass early detection layers like network and email filters.

Over the course of 2023, AI showed great promise in social engineering attempts globally: its automation proved most useful in mining datasets for actionable information, while generative AI (GenAI) has made phishing on a mass scale virtually effortless with error-free and convincing messages. The use of GenAI in phishing attempts is already branching beyond emails and texts to include persuasive audio and video “deepfakes” for an even more business-affecting threat.

Imagine a company that requires live voice authorisation for purchases above a million dollars, for example. An attacker could send a real-seeming email request with a rigged phone number embedded and answer the confirmation call with a deepfaked voice to validate the transaction. These new tactics introduce the possibility of everything from stock market manipulations to democratic or wartime disinformation campaigns – or smear attacks on public figures.

The barriers to entry for techniques like these have fallen away radically with the rise of readily available app-style interfaces like HeyGen. Cybercriminals with no coding knowledge or special computing resources can produce customised high-resolution outputs that are humanly undetectable.

“Looking at the overall trend in decreasing ransomware threats, it might be tempting for local organisations to develop a false sense of security and lower their defences,” says Zaheer Ebrahim, solutions architect, Middle East and Africa at Trend Micro. “However, our research shows that these increasingly sophisticated attacks are going to become more and more difficult for businesses to detect and that they will be increasingly costly when they succeed.

“IT leaders must refine their processes and protocols to enable their defences to combat persistence with efficiency,” adds Ebrahim.