A common trope in cybersecurity writing is to describe the threat landscape as constantly evolving. Because that is true, organizations that want to remain resilient have to maintain awareness of the changes and update their infrastructure and processes to account for them. That means tracking shifts in threat actor tactics, techniques, and procedures (TTPs) as well as changes in which threat groups are active and which vectors they target. When we talk about developing a cyber playbook or updating an Incident Response (IR) plan, it is with these components in mind.
It is worth noting that changes on the cyber threat and defense landscape do not necessarily mean the situation is improving for organizations. Ransomware and Business Email Compromise (BEC) attacks remain prevalent and devastating for impacted businesses.
So, what has changed recently that would qualify as an ‘evolution’?
A Move Away from Large Threat Groups
Let’s start with the ‘Who.’ Historically, ransomware attacks have been largely perpetrated by organized, well-funded, or state-sponsored groups. Just last year, for instance, “Akira, BlackCat, Rhysida, Lockbit, Clop, and Play Ransomware” dominated the attack landscape (1). In Q2 of this year, only Akira (first in market share) and Lockbit (fifth) cracked the top nine, with Akira losing almost half of its total market share, per a @Coveware report (2). While threat actors come and go routinely, the most significant shift is who has taken the second position: independent, non-affiliated threat actors.
This evolution has taken place, and will continue, for a few noteworthy reasons. One is the continued pursuit and, when possible, prosecution of high-value ransomware groups and their leaders. BlackCat/ALPHV, for instance, was the second most prolific threat group in 2023 but has since been dismantled by the @FBI, among others (3). The same is true for Lockbit, which was disrupted by a coordinated, international law enforcement operation (4).
With every void left when a threat group is undone, there are countless others eager to fill the space, particularly when massive sums of money are involved. The most recent evolution is the rise of ‘lone wolf’ threat actors, who can remain more inconspicuous than a branded organization.
The Proliferation of Ransomware as a Service (RaaS)
While RaaS is not a new phenomenon (its roots extend back to 2012 with Reveton (5)), its sophistication and production values have matured. As a result, practically anyone can launch ransomware attacks without developing their own malware. This democratization of ransomware tooling and malicious code leads to a rise in unaffiliated attacks by less sophisticated actors. Given that many uncovered RaaS operations are organized like businesses, with customer support, mailing lists, and user-friendly interfaces, and given the opportunity to amass a small fortune (the “average ransom payment has increased 500% in the last year” to a median of $2 million (6)), recruiting new affiliates is becoming easier.
Another evolutionary component of RaaS is its scalability, which AI-assisted tooling continues to enhance. Affiliates can now launch multiple attacks simultaneously across different targets without a large, coordinated group or deep programming knowledge. This drives up the overall number of unaffiliated ransomware incidents. Moreover, under RaaS profit-sharing models, a lone-wolf affiliate often keeps a larger share of the total payout.
RaaS also gives many of its affiliates anonymity and decentralization, which is concerning to both targeted organizations and law enforcement. These traits make threat actors harder to track down and dismantle because there is no central organization to target, which may encourage more individuals to engage with these services without fear of immediate repercussions.
A Strategic Focus Away from Enterprise Organizations
News headlines might lead some to believe that large companies, recognizable brands, and core social services, such as American Water, described as “the largest publicly regulated water and wastewater utility in the US” (7), are the most frequent targets and victims of cyberattacks. While losses and paid ransoms may be larger given the deeper pockets of enterprises, the shift toward threat actors targeting small and medium-sized businesses (SMBs) continues. This change in victim demographics is related in part to the break-up of large ransomware operations and to enterprises dedicating more resources to cyber security and resilience while SMBs continue to lag.
The data, according to @Coveware, indicate a rapid shift toward SMBs. In Q3 of 2023, 64.4% of attacks targeted organizations of up to 1,000 employees (1). Less than a year later, in Q2 of 2024, that share had risen to 70.6% (2). There is no reason to think this movement will not persist.
A significant aspect of how large organizations are targeted relates, in part, to whether they are a third-party vendor. The 2024 Third-Party Risk Management Study by @Prevalent, a company that helps others manage risks presented by third parties, found that since 2021, data breaches at third-party service and software providers have increased threefold (8). These attacks are troubling because they trickle downstream to clients, creating a massive impact from a single breach. What’s more, the same study found that “61 percent of companies experienced a third-party data breach or cybersecurity incident last year” (8).
Given the success threat actors are finding in this avenue of attack, this evolution is one that will continue to define the nature of the threat landscape for some time.
Increasingly Sophisticated Threat Actor TTPs
The increased fluidity of threat actors, who move between ransomware groups or operate independently, emphasizes the need for security teams to focus on predominant TTPs instead of specific ransomware strains. Because the landscape is so fluid, it can be difficult to stay ahead of threat groups that, as a matter of course, are always trying to evade current toolsets, automated cyber defense systems, and human threat hunters.
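To make "focus on TTPs, not strains" concrete, here is an added example (it is not code from the original article or from SpearTip). It detects one behaviour that many ransomware families share regardless of branding: inhibiting recovery by deleting Volume Shadow Copies and disabling Windows recovery before encryption (MITRE ATT&CK T1490). The log format, the hostnames, the user names, and the events are all constructed for the example; the command lines themselves are the standard Windows utilities these families abuse.

```python
"""Strain-agnostic TTP detection (added example, not from the original
article). Several ransomware families inhibit recovery by deleting Volume
Shadow Copies and disabling Windows recovery before they encrypt
(MITRE ATT&CK T1490, Inhibit System Recovery). This detector matches that
behaviour on the process command line, whichever family or affiliate runs
it. The key="value" log format and the sample events are constructed."""

import re
from collections import defaultdict
from dataclasses import dataclass

# One entry per behaviour, not per family: (label, regex over the command line).
INHIBIT_RECOVERY_PATTERNS = [
    ("vssadmin shadow deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("wmic shadowcopy deletion",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("bcdedit recovery disabled",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("wbadmin catalog deletion",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
]


@dataclass
class Finding:
    host: str
    user: str
    technique: str
    command_line: str


def parse_event(line):
    """Parse one key="value" process-creation record (constructed format)."""
    return {m.group(1): m.group(2) for m in re.finditer(r'(\w+)="([^"]*)"', line)}


def detect_inhibit_recovery(lines, allowlisted_users=()):
    """Return a Finding for every event whose command line matches a T1490 pattern.

    allowlisted_users lets a team exempt a known backup service account once
    its jobs have been confirmed legitimate; everything else is reported."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("user") in allowlisted_users:
            continue
        cmd = ev.get("cmd", "")
        for label, pattern in INHIBIT_RECOVERY_PATTERNS:
            if pattern.search(cmd):
                findings.append(Finding(ev.get("host", "?"), ev.get("user", "?"), label, cmd))
                break  # one finding per event
    return findings


def high_confidence_hosts(findings, min_techniques=2):
    """Hosts on which two or more distinct recovery-inhibition techniques were seen.

    A single vssadmin call can be an administrator freeing disk space; several
    techniques in sequence on one host is the pre-encryption pattern."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.host].add(f.technique)
    return {host for host, techs in seen.items() if len(techs) >= min_techniques}


# Constructed sample events; not real telemetry.
SAMPLE_EVENTS = [
    'host="ws-017" user="CORP\\jdoe" cmd="cmd.exe /c vssadmin.exe Delete Shadows /All /Quiet"',
    'host="ws-017" user="CORP\\jdoe" cmd="bcdedit /set {default} recoveryenabled No"',
    'host="srv-fs01" user="CORP\\svc_backup" cmd="wbadmin delete catalog -quiet"',
    'host="ws-022" user="CORP\\asmith" cmd="vssadmin list shadows"',
    'host="ws-022" user="CORP\\asmith" cmd="notepad.exe C:\\Users\\asmith\\notes.txt"',
]

if __name__ == "__main__":
    results = detect_inhibit_recovery(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host:10} {f.user:18} {f.technique:28} {f.command_line}")
    print("high-confidence hosts:", sorted(high_confidence_hosts(results)))
```

Run against the constructed events, the detector flags three of the five records and escalates only ws-017, where two different techniques were chained, while the benign `vssadmin list shadows` is ignored. The point of the design is that none of the patterns name a ransomware family: when an affiliate moves from one RaaS program to another, or goes independent, the behaviour the rule keys on does not change.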
One of the more rapid evolutions in threat actor TTPs is the use of automation to launch attacks. Automated attacks can be deployed more quickly than manual ones, identifying and exploiting an organization’s vulnerabilities without additional time or custom coding. AI systems can also generate custom malicious code and content for a variety of purposes, including more convincing phishing and social engineering campaigns.
Threat actors are now using SMS (texting), voice-based tactics, and deepfake media to craft messages targeting specific industries, single organizations, and even individuals. One recent example happened to a Florida politician whose voice was “cloned” and used to send his own father a frantic message that “fooled his own dad into nearly handing over $35,000” (9). That is a significant sum for a relatively simple attack. Multiply it dozens of times across numerous victims and a successful scammer can generate substantial income.
Beyond AI, threat actors are using novel exfiltration methods to bypass current defenses. The recently disclosed RAMBO technique (Radiation of Air-gapped Memory Bus for Offense) uses malware on an already-compromised machine to drive memory writes that bypass the CPU caches and reach RAM directly, so that the electromagnetic emissions of the memory bus can be modulated to encode data, which a nearby radio receiver then picks up. In other words, threat actors can “leverage radio signals emanated by a device’s random access memory (RAM) as a data exfiltration mechanism, posing a threat to air-gapped networks” (10). The important caveat is that the attacker must first get code onto the air-gapped host and place a receiver within a few meters; the channel is low-bandwidth and short-range, but it turns a supposedly isolated system into a transmitter. This is a problematic development because air gapping, which isolates secure networks from non-secured ones, is “reserved for the most sensitive networks or devices connected to them, such as those used in systems for voting, industrial control, manufacturing, and power generation” (11).
These indicators are emblematic of the dynamic and evolving cyber threat landscape where attackers are adapting their strategies to evade detection and exploit new vulnerabilities.
The evolving cyber threat landscape requires continuous vigilance and adaptation. As threat actors become more sophisticated, using automation, AI, and novel exfiltration methods, security teams must focus on prevalent TTPs. The rise of independent actors and RaaS creates a decentralized threat environment. The shift towards targeting small and medium-sized businesses, along with exploiting third-party vulnerabilities, highlights the need for proactive cybersecurity measures. Staying informed and regularly updating incident response plans are crucial for defending against the ever-changing strategies of cyber adversaries.
SOURCES
©2024 SpearTip, LLC. All rights reserved.