Ransomware reaches new heights
Ransomware is on track to victimize more organizations in 2023, while attackers rapidly escalate their attacks to wreak widespread damage before defenders can even detect an infection.
In July, data from 502 compromises was posted to leak sites, an increase of more than 150% compared with the same month a year ago, according to a report published on Aug. 23 by NCC Group, a security consultancy. The growth continues a rising trend in 2023, with the number of breaches publicized on the sites — now a common tactic for double-extortion ransomware groups — growing 79% to date, compared with the same period in 2022.
A convergence of factors, including recent easy-to-exploit vulnerabilities in managed file-transfer services such as MOVEit and the growing number of services offering initial access, has led to the increase, says Matt Hull, global head of threat intelligence at NCC Group.
“Criminal groups … are opportunistic in nature — they want to make money and they look for the easiest way to make that money,” he says. “So if there is another MOVEit at some point this year, or something similar to that, I have no doubt in my mind that you will see groups jumping on that bandwagon and seeing massive increases in activity.”
Other data shows that ransomware criminals are moving more quickly to compromise companies once they have gained initial access: the median dwell time in ransomware incidents shrank to five days, from nine days in 2022, according to an analysis of 80 incident response cases by Sophos, a cybersecurity company. Other types of attacks are moving more slowly, with non-ransomware intruders dwelling for 13 days, up from 11 days in 2022, Sophos stated in its midyear “Active Adversary Report” analysis.
The attackers are getting better at what they do, honing their process of stealing and encrypting data, says Chester Wisniewski, field CTO for applied research at Sophos.
“When you look at a median dwell time of five days, that makes sense [because it] takes that long to do a full-scale, modern ransomware attack,” he says. “You’ve got to find a way in, you’ve got to breach the Active Directory and elevate yourself to be an admin, you’ve often got to disable the backups. … You’re not going to really get the dwell time much shorter than four or five days when you’ve got all those tasks to do.”
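Of the steps Wisniewski lists, disabling backups is the one that leaves the loudest host-local signal, because it is almost always done with a handful of well-known built-in commands. The following Python is an added example, not code from the Sophos or NCC reports or from the article: it scans constructed process-creation events (field names loosely modelled on Sysmon Event ID 1 / Windows 4688, but an assumption here) for shadow-copy and recovery tampering, and raises a per-host alert once more than one distinct technique has fired on the same machine. The sample events and the rule set are illustrative assumptions.

```python
import re

# Constructed sample process-creation events for illustration (not real telemetry).
# Fields are an assumed simplification of Sysmon Event ID 1 / Windows 4688.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "cmdline": "C:\\Windows\\System32\\notepad.exe notes.txt"},
    # Benign: listing shadow copies is routine admin/backup activity.
    {"host": "srv-fs01", "user": "CORP\\svc-backup", "parent": "services.exe",
     "cmdline": "vssadmin.exe list shadows"},
    {"host": "srv-fs01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "dc01", "user": "CORP\\jdoe", "parent": "powershell.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "dc01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "bcdedit /set {default} recoveryenabled no"},
    {"host": "srv-fs01", "user": "CORP\\jdoe", "parent": "cmd.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
]

# Rule name -> case-insensitive regex over the full command line.
# Each pattern targets a distinct backup/recovery-tampering technique.
RULES = [
    ("vss_shadow_delete",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("vss_resize_storage",
     re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage", re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)", re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)", re.I)),
]


def match_rules(event):
    """Return the names of every rule whose pattern matches this event's command line."""
    return [name for name, rx in RULES if rx.search(event["cmdline"])]


def detect(events, threshold=2):
    """Scan events and return (hits, alerts).

    hits   : one tuple (host, user, rule, cmdline) per matching event.
    alerts : {host: [rule, ...]} for hosts where at least `threshold` distinct
             rules fired, i.e. more than one tampering technique on one machine,
             which is far less likely to be legitimate maintenance than a single hit.
    """
    hits = []
    per_host = {}
    for ev in events:
        for name in match_rules(ev):
            hits.append((ev["host"], ev["user"], name, ev["cmdline"]))
            per_host.setdefault(ev["host"], set()).add(name)
    alerts = {h: sorted(s) for h, s in per_host.items() if len(s) >= threshold}
    return hits, alerts


if __name__ == "__main__":
    hits, alerts = detect(SAMPLE_EVENTS)
    for host, user, rule, cmd in hits:
        print(f"HIT   {host:<9} {user:<16} {rule:<26} {cmd}")
    for host, rules in alerts.items():
        print(f"ALERT {host}: {len(rules)} distinct backup-tampering techniques: {', '.join(rules)}")
```

The single-hit list is worth keeping as a lower-severity signal (a backup operator resizing shadow storage is normal), while the per-host alert is the one to page on: in the five-day window the report describes, two different recovery-tampering commands from an interactive shell on a file server or domain controller is a strong indicator that encryption is imminent. In a real deployment the same rules would be fed from an EDR or SIEM query rather than from a list of dictionaries.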
Wipe and Release
The conclusions from two separate reports — both released this week — underscore the continued threat that crypto-ransomware poses, despite the fact that some attack groups, such as the Cl0p group, are moving away from encrypting data to a simpler theft-and-extortion scheme. Most groups continue to pursue the strategy known as double extortion, which relies on the theft and encryption of data to convince a company to pay the ransom.
The industrial sector in July continued to dominate the list of victims whose data had been posted to leak sites, according to NCC Group’s “Cyber Threat Intelligence Report.” The consumer cyclicals and technology industries came in a distant second and third place, respectively, with only half the number of breaches reported.
To read the complete article, visit Dark Reading.