Talos, one of the world’s most trusted commercial threat intelligence organizations, has released its quarterly threat intelligence analysis for the second quarter of 2023. The observed increase in data theft extortion is in line with public reporting. However, with a new trend: more and more ransomware groups are refraining from deploying their ransomware and encrypting files. Instead, they steal the data and blackmail their victims.
“Cybercriminals are also trimming their business for efficiency,” says Thorsten Rosendahl, Technical Leader Cisco Talos Germany. “Encryption is increasingly seen as an unnecessary and time-consuming step. This makes it more difficult to detect and stop these attacks.”
The report’s findings suggest that criminals with financial motivations increasingly see this streamlining of the operation as the best way to get their victims’ money.
The cause, the report estimates, is due to the global actions of law enforcement agencies as well as improved corporate protection measures. These include such things as behavior-based attack detection and endpoint detection and response (EDR) solutions. As a result, conducting traditional ransomware attacks with encryption is becoming increasingly difficult – as well as more dangerous for the attackers themselves.
Discarding encryption
Previous ransomware groups such as BianLian and Clop are also turning away from encryption and switching to direct extortion through data theft. Contributing to this change in behavior has been the fact that a free decryption tool for the BianLian ransomware has been public since January 2023.
Clop, on the other hand, has historically focused on exploiting zero-day vulnerabilities on a wide scale, affecting hundreds of companies worldwide. It is highly unusual for attackers to consistently exploit zero-day vulnerabilities, as significant resources are required to develop such exploits. As a result, Clop is believed to have similar expertise and financial resources as advanced persistent threats (APT) groups.
Ransomware remains dangerous
Although some groups are increasingly abandoning encryption, ransomware cases have nevertheless increased. In addition to the well-known representatives LockBit and Royal, Cisco experts observed ransomware variants 8base and MoneyMessage for the first time.
8base was discovered in March 2022, but it was not until June 2023 that its activity increased significantly. The group uses a customized version of the Phobos ransomware and steals data before encrypting it.
MoneyMessage is a relatively new ransomware group that only emerged in March 2023. Similar to 8base, it works on the double extortion model. In one case, the malware was dropped in the Netlogon directory. This allows the ransomware to spread on multiple hosts. Before executing the ransomware, the attackers also uninstalled various security tools such as EDR solutions via PowerShell scripts to bypass protections.
Healthcare industry targeted
Looking at the affected sectors of the economy, healthcare was the most attacked, as it was last quarter. This accounted for 22 percent of the observed incidents. It was followed by the financial sector and utilities.
Initial vectors and multifactor authentication
Initial attack vectors most often involved stolen credentials to access valid accounts. This access method was observed in nearly 40 percent of all cases, a 22 percent increase over the first quarter of 2023. Ransomware attacks were as high as 75 percent using access through valid accounts.
There are several ways to steal credentials. These include exploiting insufficient third-party security, malware to steal information (such as “Redline”), and phishing campaigns. The risk increases exponentially when users use the same credentials for multiple accounts. As a result, organizations need to enforce strict password policies and enable MFA (multi-factor authentication) for critical servers.
A lack of or improper implementation of MFA on critical services played a role in more than 40 percent of cases, according to Cisco Talos analysis. MFA was not enabled in as many as 90 percent of valid accounts. In some cases, it was observed that threat actors were successful with so-called “MFA exhaustion/fatigue” attacks. Here, potential victims are flooded with push messages, for example, in the hope that one of the prompts will be accepted out of carelessness. Identifying such attacks and educating users are the most important elements in combating MFA evasion techniques.
Cisco Talos recommends disabling VPN access for all accounts that do not have MFA enabled. However, it is generally recommended to enable MFA for all user accounts, including those used for maintenance purposes by vendors or service providers. It has been repeatedly observed that such “VCA” (Vendor and Contractor Accounts) have been the target of an attack, as they usually have extended privileges and are often overlooked during an audit. If possible, these accounts should be disabled as long as they are not needed.
“MFA is one of the best ways to achieve a comparatively high level of cybersecurity with little effort and budget – as long as it is implemented cleanly,” says Thorsten Rosendahl.
– – – – –
Further links
👉 www.cisco.com
Graphic: Cisco
