Ransomware is on track to victimize more organizations in 2023, while attackers rapidly escalate their attacks to wreak widespread damage before defenders can even detect an infection.
In July, data from 502 compromises was posted to leak sites, an increase of more than 150% compared with the same month a year ago, according to a report published on Aug. 23 by NCC Group, a security consultancy. The growth continues a rising trend in 2023, with the number of breaches publicized on the sites — now a common tactic for double-extortion ransomware groups — growing 79% to date, compared with the same period in 2022.
A convergence of factors — such as recent easy-to-exploit vulnerabilities in managed file transfer services, such as MOVEit, and the growing number of services offering initial access — has led to the increase, says Matt Hull, global head of threat intelligence at NCC Group.
“Criminal groups … are opportunistic in nature — they want to make money and they look for the easiest way to make that money,” he says. “So if there is another MOVEit at some point this year, or something similar to that, I have no doubt in my mind that you will see groups jumping on that bandwagon and seeing massive increases in activity.”
Other data shows that ransomware criminals are moving more quickly to compromise companies once they have gained initial access, with the median dwell time in ransomware incidents shrinking to five days, from nine days in 2022, according to an analysis of 80 incident response cases by Sophos, a cybersecurity company. Other types of attacks are moving more slowly, with non-ransomware attackers taking more time, 13 days compared with 11 days in 2022, Sophos stated in its midyear “Active Adversary Report” analysis.
The attackers are getting better at what they do, honing their process of stealing and encrypting data, says Chester Wisniewski, field CTO for applied research at Sophos.
“When you look at a median dwell time of five days, that makes sense [because it] takes that long to do a full-scale, modern ransomware attack,” he says. “You’ve got to find a way in, you got to breach the Active Directory and elevate yourself to be an admin, you’ve got often to disable the backups. … You’re not going to really get the dwell time much shorter than four or five days when you’ve got all those tasks to do.”
Wipe and Release
The conclusions from two separate reports — both released this week — underscore the continued threat that crypto-ransomware poses, despite the fact that some attack groups, such as the Cl0p group, are moving away from encrypting data to a simpler theft-and-extortion scheme. Most groups continue to pursue the strategy known as double extortion, which relies on the theft and encryption of data to convince a company to pay the ransom.
The industrial sector in July continued to dominate the list of victims whose data had been posted to leak sites, according to NCC Group’s “Cyber Threat Intelligence Report.” The consumer cyclicals and technology industries came in a distant second and third place, respectively, with only half the number of breaches reported.
“What we have seen within the industrial sector … we know there is less regulation, we know that there has been less spend on cybersecurity budgets over the last number of years,” NCC Group’s Hull says. “When you compare that to, for example, financial services, which were a prime target for ransomware and criminal groups five to 10 years ago — they’ve almost dropped off the face of the earth.”
Attackers also tend to move laterally quickly — often called “breakout” — especially to compromise an Active Directory server, which can give them access to most other resources in the internal network. The median time to compromise an Active Directory server is about 16 hours, according to Sophos’ incident summary report.
“Establishing a foothold on an Active Directory server greatly enhances the capabilities of an attacker,” the report stated. “An AD server is typically the most powerful and privileged asset within a network, one that’s capable of controlling identity and policies across an entire organization. Attackers can siphon off highly privileged accounts, create new ones, or disable legitimate ones.”
Finally, attackers are using time differences to their advantage, with most attacks occurring midweek but outside of business hours, Sophos said.
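The two observations above, that attackers head for a domain controller within hours and that they do much of their work outside business hours, translate directly into a detection rule: privileged account or group changes on a domain controller at night or on a weekend deserve a closer look. The following script is an added illustration of that rule and is not code from the article, Sophos, or NCC Group. It consumes constructed Windows Security log lines (the event IDs are the standard ones for account creation, group membership changes and privileged logons; the host names, user names, timestamps and the Monday-to-Friday 08:00-18:00 business window are assumptions) and flags the off-hours changes on the named domain controllers.

```python
"""Flag privileged Active Directory changes that occur outside business hours.

Added example, not from the article or the reports it cites. The sample log
lines, host names and the business-hours window are constructed assumptions.
"""
from __future__ import annotations

import json
from collections import Counter
from datetime import datetime, time
from typing import Iterable

# Standard Windows Security event IDs that matter on a domain controller.
PRIVILEGED_AD_EVENTS = {
    4720: "user account created",
    4728: "member added to security-enabled global group",
    4732: "member added to security-enabled local group",
    4756: "member added to security-enabled universal group",
    4672: "special privileges assigned to new logon",
}

# Assumed business window: Monday-Friday, 08:00-18:00 in the log's local time.
BUSINESS_START = time(8, 0)
BUSINESS_END = time(18, 0)
BUSINESS_DAYS = {0, 1, 2, 3, 4}  # Monday=0 .. Friday=4

# Constructed sample log (one JSON event per line). 2023-08-22 is a Tuesday,
# 2023-08-26 a Saturday. Only DC01 is a domain controller here.
SAMPLE_LOG = """\
{"ts": "2023-08-22T10:15:00", "host": "DC01", "event_id": 4720, "subject": "helpdesk1", "target": "newhire.jdoe"}
{"ts": "2023-08-22T23:41:12", "host": "DC01", "event_id": 4720, "subject": "svc_backup", "target": "adm_tmp"}
{"ts": "2023-08-22T23:43:05", "host": "DC01", "event_id": 4728, "subject": "svc_backup", "target": "Domain Admins"}
{"ts": "2023-08-23T02:05:30", "host": "DC01", "event_id": 4672, "subject": "adm_tmp", "target": "-"}
{"ts": "2023-08-23T09:00:00", "host": "FS01", "event_id": 4624, "subject": "alice", "target": "-"}
{"ts": "2023-08-26T11:00:00", "host": "DC01", "event_id": 4732, "subject": "helpdesk1", "target": "Remote Desktop Users"}
"""


def is_business_hours(ts: datetime) -> bool:
    """True if ts falls on a business day inside the assumed working window."""
    return ts.weekday() in BUSINESS_DAYS and BUSINESS_START <= ts.time() < BUSINESS_END


def parse_events(lines: Iterable[str]) -> list[dict]:
    """Parse JSON-per-line events, converting the timestamp to a datetime."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def flag_off_hours_ad_changes(events: list[dict], dc_hosts: set[str]) -> list[dict]:
    """Return privileged AD events on a domain controller outside business hours."""
    findings = []
    for ev in events:
        if ev["host"] not in dc_hosts:
            continue  # only domain controllers are in scope for this rule
        description = PRIVILEGED_AD_EVENTS.get(ev["event_id"])
        if description is None:
            continue  # not a privileged account/group change
        if is_business_hours(ev["ts"]):
            continue  # in-hours changes go through the normal review queue
        findings.append({
            "ts": ev["ts"].isoformat(),
            "host": ev["host"],
            "subject": ev["subject"],
            "target": ev["target"],
            "reason": f"{description} outside business hours",
        })
    return findings


def summarize_by_subject(findings: list[dict]) -> dict[str, int]:
    """Count flagged changes per acting account, to surface the busiest one."""
    return dict(Counter(f["subject"] for f in findings))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG.splitlines())
    hits = flag_off_hours_ad_changes(events, {"DC01"})
    for hit in hits:
        print(hit)
    print(summarize_by_subject(hits))
```

On the constructed sample the rule flags four events: the night-time account creation and Domain Admins membership change by svc_backup, the privileged logon of the newly created adm_tmp account shortly after, and a Saturday group change by helpdesk1; the daytime account creation and the file-server logon are left alone. A real deployment would pull the events from a SIEM rather than a string and tune the window per site, but the shape of the rule is the same.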
The Cl0p Factor
One particular group has accounted for much of the growth: the Cl0p group. It has moved quickly to exploit vulnerabilities in two managed file transfer platforms — attacking GoAnywhere MFT in early January and MOVEit in late May — resulting in a surge of successful compromises. However, the Cl0p ransomware group now relies on straight theft and extortion, stealing data and then threatening to reveal it if the victim does not pay, says NCC’s Hull.
“We know that some of these groups aren’t using what would be traditionally termed as ransomware — there’s no encryption of data,” he says. “And there has certainly been — by some groups — a general, if not full, shift from encrypting data to focus on exfiltration of data.”
The Cl0p group posted three times more data leaks on its leak sites than the second most successful group, LockBit 3.0, according to NCC Group’s data. The group’s success has resulted in a surge of posts to data-leak sites, which has pushed NCC Group’s ransomware tracking higher.
Yet even without tracking the Cl0p group’s endeavors, ransomware activity has grown, Hull says. Ignoring Cl0p activity, posts to data-leak sites still grew by 57% year-over-year, less than the 79% overall growth including the extortion group, but still a significant increase.
In addition, the summer slump in ransomware activity seen in 2022 failed to materialize this year, possibly because more cybercriminals are trying to make ends meet during a global downturn, Hull says.
“With the downturn of the economy last year, there needs to be a way for these criminal groups to make money,” he says. “They need to … get their profits back up, so there is clearly some sort of drive to do that.”