Info@NationalCyberSecurity

Yet More Evidence Highlights Ransomware Groups’ Banner Year



Surge Highlighted by Record-Breaking Victim Listing, Cases Investigated

Victim listing surged to an all-time high, says Mandiant. (Image: Shutterstock)

More evidence suggests attackers are continuing to wield ransomware with increasing frequency and for greater monetary gain.



Google Cloud’s Mandiant incident response group reported a “moderate” increase – more than 20% – in the number of ransomware intrusions it investigated from 2022 to 2023, alongside a 75% surge in the number of victims posted to public-facing data-leak sites, spanning organizations of every size and sector across 130 countries.


Data-leak blogs regularly lie, and they are designed to amplify attackers’ fearsome reputations in order to pressure victims into paying. Even so, the volume of claimed victims posted to groups’ blogs – including a record-breaking 1,300 organizations listed in the third quarter of last year alone – highlights how 2023 appeared to be a very good year for many ransomware players, Mandiant said in a Monday report.


Last year, known ransomware profits shot to a record-high $1.1 billion, according to blockchain analytics firm Chainalysis.


Those profits came even though a smaller share of victims appears to be paying. Coveware, which assists organizations hit by ransomware, said that over the course of last year an average of 37% of victims paid a ransom, and that this fell to 29% in the final months of the year (see: Ransomware Victims Who Pay a Ransom Drops to Record Low).




12 Top Strategies


To keep the ransom profits rolling in, last year many ransomware groups tested or refined a number of strategies. In particular, Mandiant saw:





  • Fresh families: New ransomware families have debuted at a rate of about 50 per year for the past few years, although recently more of those are variants of existing Windows-targeting families.

  • Enhanced targeting: When ransomware groups introduced variants in 2023, 11% of the time they were rebranding, while 70% of the time it was to move beyond their Windows-targeting crypto-locker and add versions designed to infect Linux or VMware ESXi systems.

  • Short dwell time: The median time between attackers first accessing a victim’s environment and deploying ransomware rose from five days in 2022 to six days in 2023, which is to say it remained virtually unchanged. In the incidents Mandiant investigated, dwell time ranged from zero to 116 days, and in 15% of incidents ransomware was deployed less than 24 hours after initial access.

  • Out-of-hours hits: About 75% of ransomware attacks last year occurred outside the victim’s normal business hours – a slight decline from prior years – as attackers seek to crypto-lock as many files as possible before defenders can respond.

  • Remote-access tools: Attackers’ use of Cobalt Strike beacons as a post-intrusion backdoor is giving way to the use of legitimate remote-access utilities, and attackers oftentimes install more than one such tool in a victim’s network. Last year, “we identified remote access utilities used to maintain presence in more than 35% of incidents,” Mandiant said. Such tools included FleetDeck, Pulseway, Level.io, ScreenConnect, TeamViewer, AnyDesk, Splashtop, RustDesk, MeshAgent, eHorus and others. The share of attacks in which Cobalt Strike was used to maintain persistence fell from 50% in 2021 to 37% in 2022 and 14% in 2023.



  • Stolen credentials: When investigators could confirm how attackers accessed a network, nearly 40% of the time it traced to legitimate credentials they stole, brute-forced, or purchased from info-stealer markets or initial access brokers.



  • Exploits for initial access: When investigators could confirm how attackers accessed a network, 30% of the time it involved exploiting a known or zero-day flaw.



  • Phishing attacks: 14% of intrusions traced to attackers conducting email, phone or SMS phishing, Mandiant said. Many Black Basta attacks traced to Qakbot campaigns that delivered malicious payloads packaged as .zip and OneNote files.



  • Connecting via VPN: In “the vast majority” of incidents involving compromised credentials, Mandiant said attackers logged directly into the corporate virtual private network infrastructure.

  • Lateral movement: Attackers last year continued to rely on legitimate tools and protocols to move laterally across networks, including SMB and Windows Remote Desktop Protocol, as well as the PsExec command-line tool, which they use to copy and execute many different types of files across the network, including crypto-locking malware.

  • More data theft: Nearly 60% of incidents last year involved confirmed or suspected data exfiltration, up from about 50% in 2022. Such incidents typically involve longer dwell time. Many ransomware groups try to get victims to pay more than one type of ransom – one for a decryptor, for example, and another for a promise to delete stolen data. Experts say there’s no evidence that ransomware groups have ever honored this type of non-tangible promise.

  • Cryptocurrency nudging: Some newer ransomware-as-a-service operations, including Kuiper and Trigona, charge extra if victims pay in Bitcoin, versus using Monero, which is more privacy-preserving. This is a strategy previously tested by other groups, although experts say many victims have a difficult time procuring anything that’s not Bitcoin.
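Several of the patterns above are directly huntable in endpoint and VPN telemetry. The following is an added example written for this page, not code from Mandiant or the article: it runs three simple detections over a constructed sample log – successful VPN logins outside an assumed working day (08:00–18:00, Monday to Friday), hosts running two or more distinct remote-access utilities from the list above, and hosts where the PsExec service binary (PSEXESVC.exe) has executed. The log format and the image-name-to-tool map are assumptions made for the example; build the map from your own software inventory rather than trusting this list.

```python
"""Hunting for out-of-hours VPN logins, stacked RMM tools and PsExec targets.

Added example, not part of the Mandiant report or the article.  Log format,
image names and working-hours window are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath

# Illustrative image-name -> tool map for utilities the report names.
# These binary names are assumptions for the example; verify against inventory.
RMM_IMAGES = {
    "anydesk.exe": "AnyDesk",
    "screenconnect.clientservice.exe": "ScreenConnect",
    "teamviewer.exe": "TeamViewer",
    "rustdesk.exe": "RustDesk",
    "meshagent.exe": "MeshAgent",
    "pulseway.exe": "Pulseway",
}
# PSEXESVC.exe is the service binary PsExec drops and runs on the remote host.
LATERAL_IMAGES = {"psexesvc.exe": "PsExec service"}

# Assumed working day: 08:00-18:00 local time, Monday to Friday.
WORK_START, WORK_END = 8, 18

# Constructed sample telemetry, one event per line:
#   <ISO timestamp>|vpn|<user>|<source ip>|<result>
#   <ISO timestamp>|proc|<host>|<image path>
# 2023-09-15 is a Friday; 09-16 and 09-17 fall on the weekend.
SAMPLE = r"""
2023-09-15T09:12:03|vpn|jdoe|203.0.113.10|success
2023-09-15T10:02:11|proc|WS22|C:\Program Files\TeamViewer\TeamViewer.exe
2023-09-16T02:13:44|vpn|jdoe|198.51.100.7|success
2023-09-16T02:15:10|proc|FS01|C:\Users\jdoe\AppData\Local\AnyDesk\AnyDesk.exe
2023-09-16T02:20:31|proc|FS01|C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe
2023-09-16T02:30:00|vpn|bob|198.51.100.7|failure
2023-09-16T02:40:02|proc|FS01|C:\Windows\PSEXESVC.exe
2023-09-17T11:05:00|vpn|asmith|192.0.2.44|success
"""


def out_of_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed working-hours window."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)


def parse(text):
    """Yield (timestamp, event kind, remaining fields) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        yield datetime.fromisoformat(fields[0]), fields[1], fields[2:]


def off_hours_vpn_logins(text):
    """Successful VPN logins outside the working day -> [(user, timestamp, src_ip)]."""
    hits = []
    for ts, kind, rest in parse(text):
        if kind != "vpn":
            continue
        user, src_ip, result = rest
        if result == "success" and out_of_hours(ts):
            hits.append((user, ts.isoformat(), src_ip))
    return hits


def multi_rmm_hosts(text):
    """Hosts running two or more distinct remote-access tools -> {host: [tools]}."""
    seen = defaultdict(set)
    for _ts, kind, rest in parse(text):
        if kind != "proc":
            continue
        host, image = rest
        name = PureWindowsPath(image).name.lower()
        if name in RMM_IMAGES:
            seen[host].add(RMM_IMAGES[name])
    return {host: sorted(tools) for host, tools in seen.items() if len(tools) >= 2}


def psexec_targets(text):
    """Hosts on which the PsExec service binary executed -> sorted host list."""
    hosts = set()
    for _ts, kind, rest in parse(text):
        if kind == "proc" and PureWindowsPath(rest[1]).name.lower() in LATERAL_IMAGES:
            hosts.add(rest[0])
    return sorted(hosts)


if __name__ == "__main__":
    for user, when, ip in off_hours_vpn_logins(SAMPLE):
        print(f"off-hours VPN login: {user} from {ip} at {when}")
    for host, tools in multi_rmm_hosts(SAMPLE).items():
        print(f"multiple RMM tools on {host}: {', '.join(tools)}")
    for host in psexec_targets(SAMPLE):
        print(f"PsExec service executed on {host}")
```

The three checks are deliberately independent so each can be fed a different data source; in practice the interesting finding is the overlap, as in the sample, where the same host gains a second remote-access tool and a PsExec service within half an hour of a weekend VPN login. Tune the working-hours window per site and time zone, since a global 08:00–18:00 assumption will misfire for follow-the-sun operations.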


Mandiant said the groups most often tied to the ransomware attacks it investigated last year – in 17% of cases each – were BlackCat, aka Alphv, and LockBit, followed by Black Basta, which accounted for 8% of cases.


Law enforcement agencies disrupted BlackCat last December, and LockBit in February, after which both groups appear to have at least partially bounced back, aided by many operators and affiliates living in countries such as Russia, which never extradites its citizens to face foreign charges.


Which groups will dominate this year, and whether or not they can maintain their ability to amass revenue via ransom payments, remains to be seen.


