In the ever-evolving landscape of cybersecurity, the battle against ransomware has taken a concerning turn. According to the latest findings from Secureworks annual State of the Threat Report, the deployment of ransomware is now occurring within just one day of initial access in more than half of all engagements.
The Rapid Decline in Dwell Time
Perhaps the most concerning revelation in the report is the drastic reduction in median dwell time, plummeting from 4.5 days to less than one day within a span of 12 months. In 10% of cases, ransomware was even unleashed within a mere five hours of gaining initial access. This accelerated pace is attributed to cybercriminals' efforts to minimize the risk of detection.
Don Smith, VP Threat Intelligence at Secureworks CTU, notes in a press release that this trend reflects a shift towards simpler and quicker operations. As the cybersecurity industry becomes more proficient at detecting ransomware precursors, threat actors opt for faster and less complex attacks to increase their chances of success.
Top Ransomware Groups
While familiar threat groups such as GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) continue to dominate the ransomware landscape, the report highlights the emergence of new and highly active threat groups. MalasLocker, 8BASE, and Akira have all entered the scene, contributing to a substantial rise in victim and data leaks.
Notably, LockBit remains the most active group, with nearly three times the number of victims compared to the next group, BlackCat. The report emphasizes that the past four months there were the highest victim counts since the initiation of "name and shame" attacks in 2019.
Initial Access Vectors and Vulnerabilities
The report identifies three primary initial access vectors (IAV) observed in ransomware engagements: scan-and-exploit (32%), stolen credentials (32%), and commodity malware via phishing emails (14%). Of these, scan-and-exploit involves the identification of vulnerable systems and attempts to compromise them with specific exploits.
Despite the hype around AI-style attacks, the report underscores that unpatched infrastructure remains a significant factor in successful attacks. Cybercriminals continue to exploit known vulnerabilities from 2022 and earlier, accounting for over half of the most exploited vulnerabilities during the reporting period.
State-Sponsored Threat Groups
The State of the Threat Report delves into the activities of state-sponsored threat groups from China, Russia, Iran and North Korea. Geopolitics continues to be the driving force behind their actions:
- China: Shifts focus to Eastern Europe with a growing emphasis on stealthy tradecraft in cyber espionage attacks
- Iran: Targets dissident activity, hinders progress on the Abraham Accords, and employs personas across threat groups
- Russia: Intensifies cyber espionage and disruption, with patriotic-minded groups targeting adversaries. Utilizes Telegram for recruitment and communication
- North Korea: Engages in cyber espionage and revenue generation, with AppleJeus as a key tool. North Korean threat groups have stolen $2.3 billion USD between May 2017 and May 2023
The State of the Threat Report 2023 underscores the critical need for organizations to prioritize good cybersecurity hygiene. With ransomware attacks becoming faster and more dynamic, staying ahead of evolving threats requires a proactive and adaptive approach. New-school security awareness training can ensure your users are up to date on the latest ransomware threats, and will be vigilant on how to spot and report any suspicious activity.
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
Here's how it works:
