The cyber security industry has done so well at detecting suspicious activity that may be a precursor to a ransomware attack, that when cyber criminals succeed in breaking into a victim’s network, they are deploying and executing their lockers quicker than ever before, according to data contained in Secureworks’ annual State of the Threat report.
In just 12 months, the median dwell time observed in incidents to which Secureworks’ Counter Threat Unit (CTU) responded has freefallen from four-and-a-half days to less than 24 hours, and in 10% of cases, ransomware lockers were deployed within five hours of initial access.
“The driver for the reduction in median dwell time is likely due to the cyber criminals’ desire for a lower chance of detection. The cyber security industry has become much more adept at detecting activity that is a precursor to ransomware,” said Don Smith, vice-president of threat intelligence at the Secureworks CTU.
“As a result, threat actors are focusing on simpler and quicker-to-implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.”
The CTU team’s findings mirror to some extent those of an August report produced by their peers at Sophos X-Ops, which showed that in general – not just in ransomware incidents – average dwell times had dropped by almost a week since the start of 2022.
The Secureworks report, which covers the period from June 2022 to July 2023, found a number of familiar names still dominate the landscape, to little surprise. But, said Smith, while the most active threat actors are clearly still LockBit (Gold Mystic in Secureworks’ taxonomy), ALPHV/BlackCat (Gold Blazer) and Clop/Cl0p (Gold Tahoe), there are several new and highly active threat groups that are fuelling a significant rise in victim numbers and data leak volumes.
Indeed, the final four months of the period covered by the report were the most prolific for victim numbers since name-and-shame attacks began to gather pace in 2019, with 600 victims posted to leak sites in May 2023 alone, three times higher than 2022.
“Despite high-profile takedowns and sanctions, cyber criminals are masters of adaptation, so the threat continues to gather pace,” said Smith.
Newer emergent groups on which the CTU is keeping a beady eye include names such as MalasLocker, 8BASE and Akira. 8BASE in particular listed almost 40 victims on its leak site in June 2023, almost on par with LockBit. MalasLocker, which scored big through a compromise of vulnerable Zimbra servers in April 2023, posted 171 new victims on its site.
The most widespread means of access for ransomware gangs observed were, variously, scan-and-exploit at 32% of the total, via stolen credentials, also 32%, and commodity malware spread through phishing, at 14%.
The success of the scan-and-exploit technique, which involves seeking out vulnerable systems via a search engine such as Shodan, and then using a specific exploit to compromise them, reflects the continued lack of attention paid to patching in general – within the 12 most commonly sexploited vulnerabilities, 58% of them have CVE dates older than 12 months.
Smith said security teams risked becoming distracted by the hype around ChatGPT and generative AI, but said the highest profile attacks of 2023 tended to result from unpatched infrastructure.
“Cyber criminals are reaping the rewards from tried and tested methods of attack, so organisations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype,” he said.
Nation states
Turning to the world of nation state-backed advanced persistent threat (APT) actors, the Secureworks report also reveals insights into the behaviour of threat groups associated with the most active states in this regard, namely China, Iran, North Korea and Russia.
Secureworks revealed that while China retains its focus on near neighbours and Taiwan, it is increasingly looking to Eastern Europe and is displaying a growing emphasis on more stealthy tradecraft using commercial tools such as Cobalt Strike and China-developed open source tooling to minimise risk of attribution and blend in with other activity. This is a marked departure from its traditional “smash and grab” reputation, the team said.
Iran, meanwhile, continues to focus its APTs on dissidents and members of the Iranian diaspora around the world, on hindering the Abraham Accords that normalised relations between Israel, Bahrain and the UAE, and Western intentions towards renegotiating nuclear accords. Iranian APTs, which are generally backed out of the Ministry of Intelligence and Security or the Islamic Revolutionary Guard Corp, both specialise in using outside contractors to support their activities, and are notable for creating fake sockpuppet personas, or impersonating colleagues and collaborators, to lull their victims into a false sense of security.
In North Korea, the goal remains very much one of supporting the isolated pariah regime in Pyongyang financially, although there is also an element of cyber espionage in play. Tools such as AppleJeus, a cryptocurrency malware, have proven invaluable to the North Koreans, which are thought to have stolen over $2bn of crypto assets since 2017.
Moscow’s APTs are, of course, still focused largely on the war in Ukraine, with activity falling into two camps – either espionage, or disruptive and destructive cyber attacks. Notably, 2023 has seen a marked increase in “patriotic” hacktivist groups targeting organisations that Russia considers enemies, organising themselves on platforms such as Telegram. More broadly, Russian APTs have been observed making more malicious use of trusted third-party cloud services in targeting their victims.