Ransomware Reaches Uncharted Heights
It’s Here to Stay: Exploitable Vulnerabilities, Data Breaches, and Rapid Escalations Continue to Fuel the Impact of Ransomware Attacks.
Ransomware is projected to target a growing number of organizations in 2023, as attackers escalate their assaults, causing extensive damage before detection.
In July, a report from security consultancy NCC Group revealed that data from 502 breaches was posted on leak sites, marking a 150% increase compared to the same month the previous year. This trend continues, with the number of breaches shared on these sites, commonly used by double-extortion ransomware groups, up by 79% year-to-date compared to 2022.
A combination of factors, including exploitable vulnerabilities like those in managed-file transfer services such as MOVEit, and the proliferation of initial access services, has driven this surge, explains Matt Hull, the Global Head of Threat Intelligence at NCC Group. He emphasizes that criminal groups are opportunistic and seek the easiest path to profit. Thus, if another vulnerability similar to MOVEit emerges, it’s likely to attract significant attention and lead to a surge in cybercriminal activity.
Sophos data also indicates that ransomware attackers move faster once they have gained initial access. The median dwell time in ransomware incidents fell to five days in 2023, down from nine days in 2022, according to Sophos' midyear "Active Adversary Report," which analyzed 80 incident response cases. Non-ransomware intrusions went the other way, with median dwell time rising from 11 days in 2022 to 13 days this year.
Chester Wisniewski, the Field CTO for Applied Research at Sophos, notes that attackers are continually improving their techniques, refining the process of stealing and encrypting data.
He explains, “When you look at a median dwell time of five days, that aligns with the complexities of a modern ransomware attack. You have to find a way in, breach the Active Directory, elevate your privileges to an admin level, and often disable backups. With all these tasks to accomplish, it’s challenging to significantly reduce the dwell time below four or five days.”
Encrypt and Leak
Two separate reports, both released this week, highlight the persistent threat posed by crypto-ransomware. Despite some groups like Cl0p moving toward simpler theft-and-extortion schemes, most continue with the double extortion strategy, which involves both data theft and encryption to compel ransom payment.
In July, the industrial sector remained the primary target for data breaches posted on leak sites, as indicated in NCC Group’s “Cyber Threat Intelligence Report.” Consumer cyclicals and technology industries followed at a distance, with only half the number of breaches reported.
NCC Group’s Hull explains that the industrial sector has attracted more attacks due to less regulation and historically lower spending on cybersecurity. In contrast, financial services, once prime targets, have seen a decline in attacks.
Attackers also move laterally quickly. The interval between initial access and the first lateral movement, often called "breakout" time, is short, and the target is usually Active Directory: the domain controllers that gate access to most other internal resources. According to Sophos' incident summary report, the median time from initial access to compromise of an Active Directory server is approximately 16 hours.
Compromising a domain controller dramatically expands an attacker's capabilities, because these servers hold the organization's identity data and group policy. From there an attacker can create new accounts, disable legitimate ones, and take over highly privileged accounts.
Attack timing is another tactic in the attacker’s arsenal. Most attacks occur midweek but outside of standard business hours, leveraging time differences to their advantage, as noted by Sophos.
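The chain described in this section and in Wisniewski's quote above (external initial access, Active Directory account and privilege tampering, then backup destruction, often outside business hours) is the kind of sequence a detection engineer would want to correlate rather than alert on piecemeal. The following is an added example, not code from the article or from Sophos or NCC Group. It runs over constructed Windows Security events in an assumed normalized schema (ts, host, event_id, user, detail); the business-hours window and the sample telemetry are assumptions, while event IDs 4624 (logon), 4720 (account created), 4725 (account disabled), 4728/4732 (member added to a group) and 4688 (process created) are standard Windows Security event IDs.

```python
"""Correlate initial access -> Active Directory tampering -> backup destruction
over normalized Windows Security events. Sample data below is constructed."""
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (assumed SIEM schema); not real incident data.
SAMPLE_EVENTS = [
    {"ts": "2023-06-06T22:00:00", "host": "WEB01", "event_id": 4624,
     "user": "svc_transfer", "detail": "LogonType=10 SourceIp=203.0.113.9"},
    {"ts": "2023-06-07T09:00:00", "host": "WS22", "event_id": 4624,
     "user": "alice", "detail": "LogonType=2 SourceIp=10.0.0.5"},
    {"ts": "2023-06-07T14:00:00", "host": "DC01", "event_id": 4720,
     "user": "svc_transfer", "detail": "TargetUser=backup_svc2"},
    {"ts": "2023-06-07T14:05:00", "host": "DC01", "event_id": 4728,
     "user": "svc_transfer", "detail": "Member=backup_svc2 Group=Domain Admins"},
    {"ts": "2023-06-07T14:10:00", "host": "DC01", "event_id": 4725,
     "user": "backup_svc2", "detail": "TargetUser=it_admin"},
    {"ts": "2023-06-07T15:00:00", "host": "WS22", "event_id": 4688,
     "user": "alice", "detail": "CommandLine=notepad.exe notes.txt"},
    {"ts": "2023-06-08T03:30:00", "host": "FS01", "event_id": 4688,
     "user": "backup_svc2", "detail": "CommandLine=vssadmin.exe delete shadows /all /quiet"},
]

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRIV_GROUPS = ("Domain Admins", "Enterprise Admins", "Administrators")
BACKUP_TAMPER = ("vssadmin.exe delete shadows", "wbadmin.exe delete catalog",
                 "wmic.exe shadowcopy delete", "bcdedit.exe /set {default} recoveryenabled no")
AD_STAGES = {"account_created", "privileged_group_add", "account_disabled"}


def is_external(ip):
    """True when the source address is outside RFC 1918 space."""
    addr = ip_address(ip)
    return not any(addr in net for net in RFC1918)


def off_hours(ts):
    """Weekend, or weekday outside an assumed 08:00-18:00 local business day."""
    return ts.weekday() >= 5 or ts.hour < 8 or ts.hour >= 18


def classify(ev):
    """Map one normalized event to a stage of the chain, or None if benign."""
    eid, d = ev["event_id"], ev["detail"]
    if eid == 4624 and "LogonType=10" in d:  # interactive remote (RDP) logon
        ip = d.split("SourceIp=", 1)[1].split()[0]
        return "initial_access" if is_external(ip) else None
    if eid == 4720:
        return "account_created"
    if eid in (4728, 4732) and any(g in d for g in PRIV_GROUPS):
        return "privileged_group_add"
    if eid == 4725:
        return "account_disabled"
    if eid == 4688 and any(p in d.lower() for p in BACKUP_TAMPER):
        return "backup_tampering"
    return None


def find_chain(events, window=timedelta(days=7)):
    """Summarize the first external initial access followed, inside `window`, by
    Active Directory tampering; None if no such pairing exists. Backup tampering
    after the AD stage raises severity to critical."""
    staged = sorted((datetime.fromisoformat(e["ts"]), classify(e)) for e in events)
    staged = [(ts, st) for ts, st in staged if st]
    ia_ts = next((ts for ts, st in staged if st == "initial_access"), None)
    if ia_ts is None:
        return None
    later = [(ts, st) for ts, st in staged if ia_ts < ts <= ia_ts + window]
    ad = [(ts, st) for ts, st in later if st in AD_STAGES]
    if not ad:
        return None
    backup = next((ts for ts, st in later if st == "backup_tampering"), None)
    return {
        "initial_access": ia_ts.isoformat(),
        "breakout_hours": (ad[0][0] - ia_ts).total_seconds() / 3600,  # time to reach AD
        "ad_stages": [st for _, st in ad],
        "backup_tampering": backup.isoformat() if backup else None,
        "off_hours_events": int(off_hours(ia_ts)) + sum(off_hours(ts) for ts, _ in later),
        "severity": "critical" if backup else "high",
    }


if __name__ == "__main__":
    print(find_chain(SAMPLE_EVENTS))
```

On the constructed data the chain resolves to a 16-hour breakout (the Sophos median cited above), three AD-stage events, shadow-copy deletion the following night, and two of the five flagged events outside business hours. The window and the stage list are deliberately simple; in production you would key the correlation on the originating session or host rather than on time alone, and extend BACKUP_TAMPER with the backup products actually deployed.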
The Cl0p Group’s Impact on Ransomware Trends
A notable contributor to the surge in ransomware activity has been the Cl0p group, which has capitalized on vulnerabilities in two managed file transfer (MFT) products. Its campaigns against MOVEit in late May and GoAnywhere MFT in early January produced a large number of successful compromises. Cl0p has also changed its tactics, now emphasizing data theft and extortion over encryption: if victims do not pay, the group threatens to publish the stolen data, an approach increasingly adopted by other ransomware groups.
“We’ve observed that certain groups are departing from conventional ransomware tactics, with a notable absence of data encryption,” explains NCC’s Hull. “In fact, some groups have clearly shifted their focus toward data exfiltration.”
According to NCC Group's data, Cl0p outpaced its competitors, posting three times as many data leaks on its leak site as the second most prolific group, LockBit 3.0. That volume alone has inflated the overall count of ransomware activity tracked by NCC Group.
Remarkably, even when excluding the Cl0p group’s activities from the equation, ransomware activity has continued to rise, with posts to data-leak sites increasing by 57% year-over-year. Although this growth is slightly less than the 79% overall increase that includes the extortion group, it remains a significant upward trend.
The summer lull in ransomware activity seen in 2022, and expected again this year, did not materialize in 2023. NCC Group attributes the sustained pace to cybercriminals seeking revenue amid global economic pressures.
“With the economic downturn experienced last year, criminal groups are seeking avenues to maintain or increase their profits,” notes Hull. “Clearly, there is a strong impetus driving these activities.”