Ransomware attacks appear to be leveling out, with 66% of organizations experiencing attacks in both 2022 and 2023, according to The State of Ransomware 2023 report. What is changing is the speed and nature of these attacks. Most recently, we’ve seen the Rorschach ransomware variant, which can partially encrypt 22,000 files in just 4.5 minutes, stealing the crown from LockBit, which previously held the title as the fastest variant at 7 minutes.
Encryption is not the only thing that ransomware has gotten quicker at. The ransomware window, the time it takes from the initial compromise and ransomware payload deployment to data encryption, has also shrunk from 5 days in 2021 to 4.5 days in 2022. Even more startling, the dwell time, or the time the attacker spends on the network, has halved from 22 days in 2021 to 11 days in 2022.
Less time to respond
These speed increases, of course, make it much harder for the organization to defend itself. It significantly shortens the time the company has to detect and respond (Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR)) because the threat actor is in and out of the network so quickly. In fact, the State of Ransomware report found the percentage of businesses that were able to recover in less than a day has dropped from 14% in 2022 to 8% in 2023, revealing that organizations are being outpaced and are struggling to deal with these swift attacks. So, how is ransomware evolving, and what can the organization do to improve its defense?
BianLian is a good example of how swiftly a variant can adapt. First detected in June 2022, it was used to target critical infrastructure in the US and Australia. It initially used the double extortion tactic, which sees data encrypted and a ransom demanded with the additional threat of publishing the data. However, its plans were foiled when Avast released a decryptor tool in January. After that, BianLian no longer bothered to encrypt the data it stole and merely threatened to publish it.
This move to pureplay extortion is something we’ve also seen with the exploitation of vulnerabilities in the MOVEit File Transfer Protocol (FTP) application by Clop at the end of May. It, too, has moved away from encryption to double, triple (whereby customers and partners are threatened as well), and even quadruple extortion (which also includes the threat to take down the company servers in a Distributed Denial of Service attack).
Clop has recently focused on exploiting file transfer software (it previously attacked GoAnywhere in February and most likely discovered the MOVEit vulnerability back in 2021). In addition to exploits, ransomware operators primarily look for credentials or logins to access sensitive data. The most favored method remains the phishing attack, which gives the malware the toehold it needs to download the initial payload. Still, other techniques include malvertising, infecting users who click on bogus adverts containing links to a site that then see the malware downloaded.
Credential harvesting
Redline uses both phishing and malvertising and can extract logins from web browsers, FTP clients, email, Steam, instant messenger apps, and VPNs. It can also collect authentication cookies and credit card numbers stored in browsers, chat logs, files, and cryptocurrency wallets. Once inside the user’s system, it collects details such as the user’s IP address and operating system, geographical location, name, and admin privileges to capture valuable data.
Similarly, AgentTesla has evolved from having remote administrator capabilities to a full-blown data harvester. It, too, starts with a phishing attachment, which sees the payload connect to a malware distribution site to download AgentTesla onto the system. The malware then spies upon the user, recording screen activity and keylogging to steal credentials from browsers and mail clients, and it’s unusual as it can extract data from a large number of browsers and email types, making it highly versatile.
Shared TTPs
All these ransomware variants have in common the tactics, techniques and procedures (TTPs) they use, which will run through different phases. It starts with reconnaissance and resource development before gaining initial access, executing the payload, and achieving persistence, meaning the malware uses various attempts to maintain access. At this point, the attacker will attempt to escalate their access privileges to gain credential access while simultaneously trying to evade detection. The attack may then move laterally through the network in search of other targets before exfiltrating the data to a Command and Control (C&C) server.
These TTPs make it possible to detect and defend against ransomware. Analysis tools, such as sandboxing, behavioral analysis, and security monitoring, can all look for signs of malware activity. But the sheer scale of the problem and the need to respond even more quickly than before make it imperative to automate detection and response. Using technologies such as Security Orchestration Automation and Response (SOAR) in conjunction with Security Incident and Event Management (SIEM) can help reduce MTTD and MTTR significantly, leveling the odds in the defender’s favor.
It’s also now possible to use a virtual form of Endpoint Detection and Response (EDR) to deal with malware on endpoints such as user devices. During the persistence phase, for example, a relevant playbook can tackle particular strains of malware and take action to disable and eliminate processes, scheduled tasks, and start-up services on the endpoint.
Effective security hygiene is important, such as regular patching. In the case of the MOVEit attack, Progress Software speedily issued a patch, and the race was then on to patch as quickly as possible. User security awareness training can also help raise awareness of phishing and malvertising, hopefully preventing the activation of the malware in the first place. All these forms of defense now need to be prioritized because, while ransomware attacks may have stabilized, they are still evolving, becoming more effective and will become harder to stop.
Logpoint is the creator of a reliable, innovative cybersecurity operations platform — empowering organizations worldwide to thrive in a world of evolving threats. By combining sophisticated technology and a profound understanding of customer challenges, Logpoint bolsters security teams’ capabilities while helping them combat current and future threats.
Logpoint offers SIEM, UEBA, SOAR and Business-Critical Security technologies in a complete platform that efficiently detects threats, minimizes false positives, autonomously prioritises risks, responds to incidents, and much more.
Headquartered in Copenhagen, Denmark, with offices around the world, Logpoint is a multinational, multicultural, and inclusive company. For more information, visit http://www.logpoint.com.
