Bugs, viruses, and stolen data leaks are driving the ransomware fire that makes it more painful than ever.
Increase in ransomware attacks
Ransomware targets more and more entities in 2023; The attackers develop their attacks at a rapid pace to spread destructive chaos, even before the victim can detect the disaster.
Last July, data for approximately 502 companies was published on leak sites, recording a 150 percent increase compared to the same month last year, according to a report conducted by the security consulting group NCC, which was published on August 23. . The current year is witnessing a continuous growth in leakage cases. The numbers of violations published on the sites – in a common tactic used for double blackmail by extortion groups – indicate an increase of 79 percent to date, compared to the same period in 2022.
Matt Hall, head of Threat Intelligence at the NCC Group, said in an interview with Dark Reading magazine that various elements, most notably vulnerabilities in secure programs regulating file transfer and exchange, such as the MoveIt program, and the growing services that secure and enable… The initial entry is what leads to this increase in attacks.
He added: “If another software bug, or something similar, occurs and spreads this year, there is no doubt that we will see groups rushing to exploit it, with a huge increase in extortion activities.”
Other data shows that criminals who use ransomware are moving more quickly to strike companies as soon as they have an opportunity to penetrate. The average time period for an extortion attack reduced to 5 from 9 days in 2022, according to an analysis of 80 response cases conducted by Sophos, a company specializing in cybersecurity.
In contrast, other types of attacks move slowly; Electronic attacks that do not use ransomware require a longer time, about 13 days, compared to 11 in 2022, according to the “Active Advisory” mid-term report issued by “Sophos”.
For his part, Chester Wisneski, Technology Director for Applied Research at Sophos, believes that attackers are getting better at what they do, by refining their processes for stealing and encrypting data.
He adds: “When we look at the five-day period that the attack requires, we see that it is logical; Because it is simply the amount of time required to complete a modern and complete attack using a blackmail program. It starts with finding a way in, then hacking into the active directory and promoting yourself to become an administrator, and you also have to disable hedging tools… Most likely, this period will not be less than 4 days; Because it is what the aggressor needs to complete all these tasks.”
Double blackmail strategy
Conclusions from two separate reports issued recently stress the continuing threat posed by encrypted extortion software, despite the fact that some attacking groups, such as C10P, have dispensed with data encryption and are now content with theft and extortion. On the other hand, most groups insist on continuing the double blackmail strategy that relies on stealing and encrypting data to force the company to pay the required ransom.
In July, the industrial sector maintained its top spot in the list of victims of graphic leaks, according to the Cyber Threat Intelligence Report issued by the NCC Group. Consumer and technology industry periodicals came in second and third place, reporting only half of the breaches.
“What we’ve seen in industry is less regulation and smaller budgets for cybersecurity in the past few years,” says NCC Group’s Hall. When compared to another field, such as financial services, which was the main target of extortion software and criminal groups for about 5 or 10 years, we feel as if the latter no longer exists in the accounts of extortion software.
Attackers also tend to move “laterally” – or “defection” – to compromise Active Directory servers, which may give them access to most of the resources in the internal network. It takes an average of 16 hours to hack an Active Directory server, according to a summary of the Sophos report.
The report notes that “access to the Active Directory server greatly enhances the attacker’s capabilities; Because it is practically the strongest and most powerful part of the network, being the party most capable of controlling the identity and policies of an entire organization. Through it, attackers can steal valuable accounts, create new ones, or close legitimate accounts.”
Finally, the Sophos report indicates that attackers exploit time differences to their advantage. Most attacks occur in the middle of the week, but outside working hours.
Assault strike group
One group controls the lion’s share of the growth in ransomware attacks: the C10p group, which is moving very quickly to exploit vulnerabilities in two file transfer platforms. The group attacked MoveIt in late May and GoAnywhere MFT in early January, leading to a rise in the number of successful attacks. However, the C10B group that uses extortion software relies on direct theft and blackmail, that is, stealing data and then threatening to publish it if the victim refuses to pay the requested ransom.
“We know that some of these groups are not using what is commonly called ‘extortion software’ because there is no data encryption,” NCC’s Hall says. In some groups, what has been described as a general, if not complete, shift away from data encryption to a focus on data extraction and dissemination.
C10B published three times as much data on its leak sites as the second most powerful extortion group, known as Lockbit 3.0, according to NCC Group data. The success of the first group contributes to a sharp increase in the number of posts on data leak sites, which leads to an increase in the NCC Group’s extortion software monitoring index.
Hall points out that extortion software activity is on the rise even without scrutiny of the C10B group’s maneuvers. Posts on data leak sites have grown by 57 percent (not counting the operations of the first group) in one year.
The year 2022 witnessed a decrease in the ransomware attack index, but this did not apply to this year. Because, according to Hall, the aggressors are trying to make more money to compensate for their losses resulting from the global recession.
Finally, Hall concludes by saying: “With the decline that struck the global economy last year, these criminal groups must find a way to make money. Because it needs to increase its profits again, and it seems clear that the engine for this purpose exists.”
