According to Secureworks® Counter Threat Unit™ (CTU™), ransomware is now being deployed within 24 hours of initial access in more than 50% of engagements. Over the course of just one year, the median dwell time, as reported in the annual Secureworks State of the Threat Report, has fallen from 4.5 days to under 24 hours. In 10% of instances, ransomware was deployed within a mere five hours of gaining initial access.
Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit says: “The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware.
“As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.
“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace.”
- Some familiar names continue to play a dominant role in the ransomware landscape, but new groups are emerging and listing significant victim counts on “name and shame” leak sites. The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
- The three largest initial access vectors (IAV) observed in ransomware engagements were: scan-and-exploit, stolen credentials and commodity malware delivered via phishing emails.
- Known vulnerabilities from 2022 and earlier continued to be exploited and accounted for more than half of the most exploited vulnerabilities during the reporting period.
Most active ransomware groups
In 2023, the same threat groups continued to dominate as they did in 2022. Leading the charge is GOLD MYSTIC's LockBit, with almost three times as many victims as the next most active group, GOLD BLAZER's BlackCat.
Additionally, new players have emerged on the scene and posted numerous victims. MalasLocker, 8BASE, and Akira (which ranked 14th) are among the newcomers that made an impact from Q2 2023. In June 2023, 8BASE listed almost 40 victims on its leak site, just slightly fewer than LockBit.
An analysis indicates that some of these victims date back to mid-2022, even though they were all revealed at the same time. MalasLocker’s attack on Zimbra servers at the end of April 2023 accounted for 171 victims on its leak site in May. The report delves into what leak site activity truly reveals about the success rates of ransomware attacks, highlighting that it is not as straightforward as it may appear.
The report also discloses that the number of victims per month from April to July 2023 reached the highest levels since name-and-shame emerged in 2019. May 2023 set the record for victims posted on leak sites in a single month, with 600, three times the count from May 2022.
Top Initial Access Vectors for Ransomware
The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit (32%), stolen credentials (32%) and commodity malware via phishing emails (14%).
The scan-and-exploit method involves identifying susceptible systems, for example via a search engine such as Shodan or a vulnerability scanner, and then attempting to compromise them with an exploit for a specific vulnerability. Of the dozen most frequently exploited vulnerabilities, 58% have CVE dates predating 2022. One of them, CVE-2018-13379, also appeared in the top 15 most frequently exploited vulnerabilities in both 2020 and 2021.
“Despite much hype around ChatGPT and AI style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure,” says Smith. “At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organisations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype.”
The World of Nation-State Attackers
The report also looks at the significant activities and trends in the behaviour of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. Geopolitical factors remain the primary motivation for these state-sponsored threat groups.
China has redirected some of its attention toward Eastern Europe while continuing to maintain a focus on Taiwan and its neighbouring regions. Notably, it displays a growing emphasis on stealthy tradecraft in cyberespionage attacks, marking a shift from its previous ‘smash-and-grab’ reputation.
Iran maintains its focus on dissident activity, obstructing progress on the Abraham Accords, and monitoring Western intentions regarding renegotiation of nuclear agreements. Iran's primary intelligence services, the Ministry of Intelligence and Security (MOIS or VAJA) and the Islamic Revolutionary Guard Corps (IRGC), both rely on a network of contractors to support their offensive cyber strategies. The use of personas, whether impersonating real people or fabricating fictitious identities, is a key tactic employed by various Iranian threat groups.
Russian activity continues to centre around the conflict in Ukraine, with a focus on both cyberespionage and disruptive operations. There has been an increase in the involvement of patriotic-minded cyber groups targeting organisations perceived as adversaries of Russia.
Telegram serves as the preferred social media and messaging platform for recruitment, targeting, and celebrating successes among these groups. Additionally, Russian threat actors frequently incorporate the malicious use of trusted third-party cloud services into their operations.
North Korean threat group activity falls into two main categories: cyber espionage and revenue generation for the isolated regime. AppleJeus has played a pivotal role in North Korea's financial theft initiatives, and according to Elliptic, North Korean threat groups stole $2.3 billion USD in cryptocurrency assets between May 2017 and May 2023, with 30% of it taken from victims in Japan.
The Secureworks State of the Threat Report can be read in full here: [https://www.secureworks.com/resources/rp-state-of-the-threat-2023]