Chris Swagler | June 1st, 2022

According to security researchers, external remote access services are increasingly becoming the main vector for ransomware groups to breach companies’ networks. These are the primary methods, along with phishing and exploiting vulnerabilities in public-facing applications, that lead threat actors to steal data and encrypt systems. Cybersecurity researchers explain that threat actors frequently target remote desktop (RDP) servers exposed on the web for initial network access. Additionally, some ransomware affiliates are utilizing compromised credentials to log in and attack the infrastructure from the inside.

The cybersecurity researchers released a report stating that ransomware groups began focusing on numerous vulnerabilities in public-facing applications and quickly added exploits for newly discovered security issues. The following are some of the most prominent vulnerabilities discovered and are being used by ransomware threat actors in 2021:

A joint analysis released by several cybersecurity companies noted that the number of vulnerabilities linked to ransomware attacks has increased to 310 in the first quarter of 2022. In the early months of 2022, companies discovered 22 new security issues exploited by ransomware groups, a 7.6% increase from December 2021. Even though not all bugs are new. In 2019, half of the flaws linked to ransomware attacks were discovered. However, many of them have public exploits, making the threat operator’s job much easier. The four companies discovered that ransomware actors were actively exploiting 157 vulnerabilities in the first quarter of 2022, more than the previous quarter.

On threat actor leak sites, ransomware groups published information from 3,500 victims, the majority of which are based in the United States (1,655). LockBit and Conti (confirmed in the report from other companies) were the most aggressive ransomware operations in 2021, with 670 and 640 victims respectively. Last year, the cybersecurity researchers’ digital forensics and incident response (DFIR) team investigated over 700 ransomware attacks and discovered data exfiltration in 63% of the cases. According to the data collected from the incidents, it was estimated that the average ransom demand was $247,000 last year. Ransomware threat actors continue to use data exfiltration to pressure victims into paying a ransom. Some groups have created their custom tools and made them available to affiliates.

LockBit offers StealBit, an automated data collection module and BlackMatter offers the ExMatter tool. These tools choose files for exfiltration based on specific extensions or keywords that were more likely to contain valuable information for the threat operators. Using command and scripting interpreters and remote services are among the techniques observed by the cybersecurity company in ransomware attacks and both were part of all attacks the researchers investigated. The threat operators employed various techniques to identify remote systems, steal credentials (Mimikatz, Lazagne), and disable security tools. The cybersecurity company created a top ten list of tools in various attack stages with SoftPerfect Network Scanner at the top.

The researchers discovered a Cobalt Strike beacon in more than half of the ransomware incidents investigated, which is a common tool for post-exploitation stages since it offers various actions (script execution, logging keystrokes, file downloads). Defenders can utilize the information to create detections that can catch continuing malicious activity before the final strike occurs. The main stages of a ransomware attack, despite changing tactics and adopting new tools and techniques, remain the same. Because affiliates go from one ransomware operation to another, it’s tough for security professionals to keep track of the methods the adversary adopts.

Using a consistent method to define the main trends, including the MITRE ATT&CK matrix, can make it easier to prepare for ransomware incidents. Additionally, it’s always important for companies to remain vigilant on the current threat landscape and update security patches to avoid vulnerabilities from being exploited. At SpearTip, our advisory services allow our certified engineers to engage with companies’ people, processes, and technology to measure the maturity of the technical environment.

The extensive experience gained through responding to thousands of security incidents allows us to improve companies’ operational, procedural, and technical control gaps based on security standards. Our gap analysis helps us discover blind spots in companies that can lead to significant compromises. We analyze the configurations and interactions of companies’ network infrastructure with skilled penetration testers. SpearTip discovers vulnerabilities in firewall systems and enables companies to dedicate their valuable resources to evaluate and prioritize fixes by providing visibility of actual network gaps, including existing false negatives. SpearTip provides clear remediation steps to ensure a strengthened security posture.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.