Fraud Management & Cybercrime , Ransomware
Yet More Evidence Highlights Ransomware Groups' Banner Year
Surge Includes Record-Breaking Victim Listing, Cases InvestigatedMore evidence suggests attackers are continuing to wield ransomware with increasing frequency and for greater monetary gain.
See Also: 57 Tips to Secure Your Organization
Google Cloud's Mandiant incident response group reported seeing a "moderate" increase - more than 20% - in the number of ransomware intrusions it investigated from 2022 to 2023 and a surge in the number of victims being posted to public-facing data leak sites, which grew by 75% and encompassed organizations of every size and sector across 130 countries.
Data leak blogs regularly lie and are designed to amplify attackers' scary-seeming reputations to pressure victims into paying. Even so, the volume of claimed victims posted to groups' blogs - including a record-breaking 1,300 organizations being listed in the third quarter of last year - highlights how 2023 appeared to be a very good year for many ransomware players, Mandiant said in a Monday report.
Last year, known ransomware profits shot to a record high of $1.1 billion, according to blockchain analytics firm Chainalysis.
Those profits came despite fewer victims apparently paying, and paying less if they do pay. Coveware, which assists organizations hit by ransomware, said overall last year an average of 37% of victims paid a ransom, although that declined to 29% in the final months of the year (see: Ransomware Victims Who Pay a Ransom Drops to Record Low).
12 Top Strategies
To keep the ransom profits rolling in, last year many ransomware groups tested or refined a number of strategies. In particular, Mandiant saw:
- Fresh families: New ransomware families have debuted at a rate of about 50 per year for the past few years, although recently more of those are variants of existing Windows-targeting families.
- Enhanced targeting: When ransomware groups introduced variants in 2023, 11% of the time they were rebranding and 70% of the time they did so to move beyond their Windows-targeting crypto-locker and add versions designed to infect Linux or VMware ESXi systems.
- Short dwell time: The median time between when attackers first accessed a victim's environment to when they deployed ransomware rose from five days in 2022 to six days in 2023, meaning it remained virtually unchanged. Mandiant said that in incidents it probed, the actual dwell time varied from zero to 116 days, and 15% of incidents happened in less than 24 hours.
- Out-of-hours hits: About 75% of ransomware attacks last year occurred outside the victim's normal business hours - a slight decline from prior years - as attackers seek to crypto-lock as many files as possible before defenders can respond.
- Remote access tools: Attackers' use of Cobalt Strike beacons after infiltrating a network, to provide a backdoor, is giving way to the use of legitimate remote access utilities, and attackers oftentimes install more than one such tool in a victim's network. Last year, "we identified remote access utilities used to maintain presence in more than 35% of incidents," Mandiant said. Such tools included FleetDeck, Pulseway, Level.io, ScreenConnect, TeamViewer, AnyDesk, Splashtop, RustDesk, MeshAgent, eHorus and others. The use of Cobalt Strike to maintain persistence fell from 50% of all attacks in 2021 to 37% in 2022 and 14% in 2023.
- Stolen credentials: When investigators could confirm how attackers accessed a network, nearly 40% of the time it traced to legitimate credentials they stole, brute-forced or purchased from info-stealer markets or initial access brokers.
- Exploits for initial access: When investigators could confirm how attackers accessed a network, 30% of the time it involved exploiting a known or zero-day flaw.
- Phishing attacks: Fourteen percent of intrusions traced to attackers conducting email, phone or SMS phishing, Mandiant said. Many Black Basta attacks traced to Qakbot campaigns that delivered payloads, including
.zip
and OneNote files with malicious payloads. - Connecting via VPN: In "the vast majority" of incidents involving compromised credentials, Mandiant said, attackers logged directly into the corporate virtual private network infrastructure.
- Lateral movement: Attackers last year continued to often use a variety of legitimate tools to move laterally across networks, including via SMB and Windows remote desktop protocol, as well as to use the PSExec command-line tool to move and execute many different types of files across the network, including crypto-locking malware.
- More data theft: Nearly 60% of incidents last year involved confirmed or suspected data exfiltration, up from about 50% in 2022. Such incidents typically result in longer dwell time. Many ransomware groups try to get victims to pay more than one type of ransom - one for a decryptor, for example, and another for a promise to delete stolen data. Experts say there's no evidence that ransomware groups have ever honored this type of nontangible promise.
- Cryptocurrency nudging: Some newer ransomware-as-a-service operations, including Kuiper and Trigona, charge extra if victims pay in bitcoin rather than using monero, which preserves more privacy. This strategy has been previously tested by other groups, but experts say many victims have a difficult time procuring anything that's not bitcoin.
Mandiant last year said the groups most often tied to ransomware attacks it investigated - in 17% of cases each - were BlackCat, aka Alphv, and LockBit, followed by Black Basta, which accounted for 8% of cases.
Law enforcement agencies disrupted BlackCat last December and LockBit in February, after which both groups appear to have at least partially bounced back, aided by many operators and affiliates living in countries such as Russia, which never extradites its citizens to face foreign charges.
Which groups will dominate this year and whether or not they can maintain their ability to amass revenue via ransom payments remains to be seen.