The CYFIRMA Industry Report delivers original cybersecurity insights and telemetry- driven statistics of global industries, covering one sector each week for a quarter. This report focuses on professional goods and services, presenting key trends and statistics in an engaging infographic format.
Welcome to CYFIRMA infographic industry report, where we delve into the external threat landscape of the professional goods and services industry over the past three months. This report provides valuable insights and data-driven statistics, delivering a concise analysis of attack campaigns, phishing telemetry, and ransomware incidents targeting professional goods and services, including machinery and equipment, office supplies and services, staffing, consulting, legal and other outsourced services, excluding financial, IT, and delivery services etc., which we covered in their respective industry reports.
We aim to present an industry-specific overview in a convenient, engaging, and informative format. Leveraging our cutting-edge platform telemetry and the expertise of our analysts, we bring you actionable intelligence to stay ahead in the cybersecurity landscape.
Professional goods and services organizations featured prominently in 38 out of the 66 observed campaigns, accounting for a substantial 57% of the total. This high representation is attributed to the diverse array of sectors encompassed within the professional goods and services industry.
The diverse array of various sectors in this industry also translates into a diverse range of suspected threat actors. The increased Lazarus Group activity is linked to the recent discovery of MagicRAT and QuiteRAT. There’s also a surge in Chinese cyber activity using the Barracuda ESG vulnerability and other TTPs used in the same campaigns, resulting in more detections.
Financially motivated threat actors, TA505 and FIN11, are connected to the Cl0p ransomware group, which carried out a widespread ransomware campaign using the MoveIt file transfer vulnerability.
The attack campaigns that involved the professional goods and services victims are by a large margin European. This makes sense in the context of general European contractors-heavy industry composition, full of small and medium businesses.
Due to the overlapping nature of monitoring telemetry, further breakdown beyond the top 10 countries is calculated for regions rather than individual countries to maintain clarity.
Web applications continue to be the primary target for cyberattacks across all industries, followed by operating systems. Notably, within this industry, there is a relatively high focus on infrastructure, cloud, and virtualization technology. This makes sense considering the nature of many sectors included in professional goods and services.
There are numerous phishing attacks that specifically target or impersonate professional goods and services entities. However, due to the nature of our telemetry and the prevalence of small to medium-sized businesses in this sector, tracking these attacks comprehensively is currently challenging. The contractor-oriented nature of this industry does provide compelling spear-phishing opportunities, but our telemetry primarily concentrates on broader phishing campaigns.
Over the past 3 months, CYFIRMA’s telemetry recorded 6,851 phishing attacks out of a total of 201,408 that included various professional goods and services targets.
As per the chart below, our telemetry does not track this industry as a whole. Most of the relevant brands classify as Online/Cloud Services, Financial Services or Logistic Services, which we covered in their respective industry reports.
Global Distribution of Phishing Themes per Sector
Out of 6,851 observed relevant phishing attacks, only 4 brands qualified as professional goods and services.
While the top places are mostly internet-wide campaigns leveraging global brands, we have observed a total of 155 brand names. The vast majority were local banks, followed by local delivery and postal services and some local government themes, such as taxes and customs.
In the past 90 days, CYFIRMA has identified 189 verified ransomware victims within the professional goods and services sectors. This accounts for 11.7% of the overall total of 1,612 ransomware incidents during the same period.
The monthly chart below shows consistently high numbers of attacks.
Breaking down the monthly activity by gangs, 8base and Lockbit3 are the most active with 39 and 31 victims. Initially surprising was a low number of otherwise very active Cl0p victims. Manual verification of data showed Cl0p is mainly focusing on the manufacturing and financial industry, therefore most of their victims did not qualify for this category.
The subsequent chart underscores the dominance of major ransomware gangs, with the top 5 accounting for 65% of all victims. Simultaneously, the chart illustrates how the collective activity of smaller groups contributes to a substantial number of victims.
Ransomware Victims in Professional Goods and Services Industry per Group
From 54 gangs active in the past 90 days, 29 recorded verified Professional Goods & Services industry victims. This is a significantly higher number compared to other industries. Average gang participation is between 12-15 for industry. We attribute this to a high volume of smaller size victims attacked by smaller and more opportunistic gangs.
All Ransomware Victims by Group (Top 25)
Geographic Distribution of Victims
Global Spread – Out of the 163 victims with identified geography, the United States emerges as the most affected with 71 victims. Followed by the UK, Italy, Germany, Canda and France.
Together, Top 5 countries account for 69% of all victims with identified geography.
Geographical Vulnerability – The distribution of victims serves as a reminder that no region is exempt from ransomware threats. Cyber attackers have the capability to breach and target vulnerable organizations globally. This trend indicates that many threat actors prioritize exploiting vulnerabilities within organizations, regardless of their geographical locations.
The chart below illustrates the distribution of ransomware incidents over the past 90 days.
The highly diversified nature of the professional goods and services industry does translate into highly diversified threats and threat actors.
Our data has observed high interest from both state-sponsored and financially motivated threat actors, as well as a high number of various other groups, compared to other more narrowly defined sectors. The high volume of European-based APT victims correlates with the European SME/Contractors market composition. The relatively high presence of infrastructure, cloud and virtualization in attacked technologies also reflects the same nature of the victims.
This fragmented and diverse nature complicates phishing telemetry data, which primarily focuses on campaigns over individual phishing emails. Professional goods and services businesses present great spear-phishing lure but aren’t well suited for “spray and pray” kinds of campaigns. Most impersonated brands targeting this sector were local banks and local logistics and postal services.
In ransomware data, we also see a very diverse range of groups. As a surprise comes the relatively low number of Cl0p ransomware victims, who appear to prioritize high- value targets in manufacturing and financial industries. On the other hand, 8base takes the first place, underlining its opportunistic approach to attacking even small and medium-sized businesses.
