Over the past year, ransomware assaults have only gotten more complex and potent. Ransomware gangs have modified their ways to effectively evade typical defence strategies, ranging from new evasion and anti-analysis techniques to stealthier variations programmed in new languages.
Cyble, a cyber threat intelligence firm known for its investigations and findings, has just published its Q3 Ransomware Report. This article explores the major changes observed in the third quarter of 2023, as reported in the Q3 Ransomware Report, and makes forecasts for the coming quarters. The main goal is to present a thorough summary of the main targets broken down by sector, country, and region. The piece also covers new attacker approaches, highlighting significant events and developments that prospective targets ought to be aware of, and discusses the expected direction of ransomware's future evolution.
The growing use of vulnerabilities as weapons to distribute ransomware
In recent months, Cyble has seen a surge in the usage of vulnerabilities—with a focus on networking devices—as a vector for the delivery of malware, including ransomware. This is a departure from the earlier emphasis on turning Managed File Transfer (MFT) apps and software into weapons.
The MOVEit vulnerability and the supply chain attack on Barracuda Networks are examples of high-impact vulnerabilities that resulted in the compromise of major players in the sector. All signs indicate that ransomware operators will persist in weaponizing vulnerabilities and taking advantage of zero-days to distribute ransomware payloads and compromise their targets in Q3 and beyond.
Although zero-days are by definition unknown until they are exploited, organisations can take precautions to reduce the likelihood that they will be exposed to an exploitable zero-day. It is imperative for organisations to keep their software and products up to date and to develop cyber-awareness policies that prioritise the identification and remediation of potentially exploitable vulnerabilities.
In addition to this noteworthy finding, Cyble Research & Intelligence Labs (CRIL) identified a few additional trends in the ransomware space that are also worth monitoring.
1. A shift in sectoral concentration with the healthcare sector at risk
Although ransomware attacks on the Manufacturing sector increased in the first half of the year, current patterns indicate that the focus is shifting to the Healthcare sector. Healthcare now ranks among the top 5 industries that ransomware groups target, and it is the target of about 25% of all ransomware attacks. The goal of these attacks is to obtain sensitive information, including Protected Health Information (PHI), that is held by healthcare providers and institutions, and then sell it on the dark web.
The healthcare industry is especially susceptible to ransomware assaults, according to Cyble's ransomware research, since it has a vast attack surface that includes billions of IoT medical devices, numerous websites, portals, and a vast network of suppliers and supply chain partners. Therefore, it is essential for this industry to have a standardised cybersecurity plan in order to protect this sensitive data and guarantee the uninterrupted execution of vital healthcare operations.
2. The major emphasis continues to be on high-income organisations
Although ransomware operators frequently give the impression that they are indiscriminate in who they target, it is well known that they mostly target well-to-do businesses that handle sensitive data. This increases the likelihood that ransomware payments will be made in addition to elevating the ransomware operator's profile as a major threat.
There are two reasons for this: first, well-off companies can afford to pay the huge ransoms that are demanded; second, they are more vulnerable to having their reputation as a reliable company damaged by appearing to be inept in handling sensitive data.
Because of their high net worth and larger attack surfaces, Professional Services, IT & ITES, and Construction were the most targeted industries in the preceding quarter, along with Healthcare.
3. The US continues to be the most targeted country
The established pattern of the United States being the most targeted region by ransomware operators remains stable, even though various patterns regarding ransomware victims and techniques have changed from quarter to quarter. Evidence of this is that the United States alone saw more ransomware attacks in Q3 2023 than the following ten countries combined.
This is explained by the US's distinctive position as a highly digitalized country with extensive international engagement and outreach. Because of geopolitical considerations, hacktivist groups that use ransomware to protest local and global policies, or to address perceived social injustice, find the United States to be a prime target for their efforts.
In terms of the number of ransomware attacks in Q3, the UK came in a distant second, followed by Germany and Italy.
4. LOCKBIT is still a formidable threat, even though more recent ransomware gangs are making a reputation for themselves quickly
Although LOCKBIT's overall number of attacks decreased by 5% from the previous quarter, they still targeted the greatest number of victims, with 240 confirmed victims in Q3-2023.
However, the more recent entrants to the ransomware market have not remained inactive. Attacks from more recent groups, like Cactus, INC Ransom, Metaencryptor, ThreeAM, Knight Ransomware, Cyclop Group, and MedusaLocker, increased in Q3-2023. This suggests that these groups are still formidable threats even though they don't have the same prominence and worldwide reach as well-known players like LOCKBIT.
5. The growing usage of GoLang and Rust in more recent ransomware variants
Ransomware groups have consistently attempted to make it more difficult or impossible to identify or examine their operations. This complicates the analysis and investigation of the ransomware, its infection channel, and its mode of operation by victims, cybersecurity professionals, and governments, and it therefore delays the corrective actions that are put in place in accordance with such findings.
The patterns we have seen recently demonstrate how prevalent Rust and GoLang are becoming among well-known ransomware groups like RansomExx, Agenda, Hive, and Luna. Again, there are two reasons for this: first, it is more difficult to analyse the ransomware's behaviour on a victim system when it is written in languages like Rust; second, these languages make it simpler to adapt the ransomware to target various operating systems, which further increases the lethality and target base of any ransomware developed with them.
How have organisations responded to these developments?
It seems like every news cycle has at least one story about a well-known company or prominent figure in the sector being the victim of ransomware; the recent breaches of Caesar's Palace and MGM Casino by BlackCat/ALPHV Ransomware are two such examples.
Government and regulatory organisations from all around the world have taken notice of this and have implemented steps to lessen the frequency and impact of ransomware attacks. Businesses have also taken matters into their own hands by putting procedures in place to lessen the likelihood of ransomware attacks and their effects. Among the noteworthy actions we have seen are:
1. Stressing staff training
Employees are frequently an organization's first line of defence against any kind of attack, and ransomware is no exception. As a result, businesses have increased the scope of their cybersecurity awareness and training initiatives, implementing required cybersecurity training sessions and promoting a cyber-aware culture. Training on detecting phishing attempts, handling dubious attachments, and recognising social engineering attempts are prime examples of this.
2. Incident Response Planning
Ransomware attacks can still happen for a variety of reasons, even with precautions taken to prevent them. Companies have taken this into consideration and stepped up their efforts to create a thorough response to these kinds of situations. This includes the infosec team's response procedures, internal security's follow-up steps, legal procedures for informing authorities, and the quarantining of any impacted systems or products.
3. Improved Recovery and Backups
The two main objectives of ransomware attacks are to obtain sensitive data and to encrypt it so that the target organisations cannot use it. Organisations have begun focusing more on safeguarding sensitive data and developing thorough recovery procedures for it in order to mitigate this risk.
4. Multi-factor authentication and Zero-Trust Architecture Implementation
Ransomware groups have a history of using phishing, initial access brokers, and other human weaknesses to facilitate or intensify ransomware attacks. In response, businesses have imposed multiple verified levels of authentication and Zero-Trust Architecture on all vital platforms and data, making it impossible to access sensitive information without them.
5. Sharing intelligence and working with law enforcement
To pool resources and intelligence to thwart future ransomware attacks, companies in related industries have established Information Sharing and Analysis Centres (ISACs). Additionally, they collaborate closely with regulatory agencies and law enforcement to report ransomware attempts and assist in identifying security flaws.
6. Increased adoption/use of Threat Intelligence Platforms
Organisations are increasingly using Threat Intelligence Platforms for their expertise, anomaly detection, and behavioural analysis to gain real-time threat intelligence that helps mitigate ransomware attacks. This is due to their specific competency in this space as well as their advanced AI and machine learning capabilities.
7. Give vulnerability management priority
Over the past few years, vulnerabilities have gained attention due to significant instances like the recent MoveIT and PaperCut flaws, which enabled exploits and hacks. In response, companies have put vulnerability management programmes and procedures in place to guarantee that all important software is current and receives patches on a regular basis.
8. Supply chain security and vendor risk management
If a ransomware operator is unable to gain access to an organisation directly, it is common for them to attack its supply chain through partners, suppliers, and other third parties who might not be as well secured. As a result, businesses have begun implementing vendor risk assessments to ensure that every link in their supply chain is secured against future ransomware attacks.
Learn important lessons and how ransomware groups are changing the way they target victims. Get the Q3-2023 Ransomware Report right away.
How can Cyble Vision, its AI-powered threat intelligence tool, help you?
Cyble Vision can help you stay one step ahead of ransomware operators by providing you with an acute look into both the surface and deep web.
Cyble Vision's astute Threat Analysis may assist in pinpointing vulnerabilities in your company's digital risk profile and offer guidance on mitigating these openings that could be targeted by ransomware gangs.
With Cyble Vision, you can protect your whole ecosystem and supply chain against intrusions by scanning not just your own network but also that of your partners, suppliers, and other third parties.
Cyble Vision's AI-powered capabilities enable it to scan enormous volumes of data from the deep, dark, and surface webs, providing real-time updates on the actions of threat actors.
Cyble Vision, with its emphasis on Darkweb Monitoring, enables you to monitor the behaviours and patterns of Threat Actors on the Darkweb. You can stay one step ahead of ransomware operators by tracking discussion of new variants and keeping an eye on affiliate programs.