Ransomware gangs extort victims 17 hours after intrusion on average

- The initial point of access for the attackers and the privileges it provided them
- How easy it is to reach other network segments and systems from the initially compromised asset
- Whether access into the environment was resold to a ransomware operator by an initial access broker
- Whether the attackers decided to operate only outside the victim's regular business hours

Another important factor that Huntress analyzed was the number of actions attackers took inside the environment after the initial compromise. These include malicious actions such as network scans for reconnaissance, lateral movement, credential dumping for privilege escalation, running scripts, executing terminal commands, downloading additional payloads, and exfiltrating files.

This metric is important because the higher the number of malicious actions, the more chances there are to trigger an alert that would enable an organization to discover the intruders early in the attack. According to Huntress, the average number of malicious actions across investigated ransomware incidents was 18, but some groups took as few as six and others more than 30.

"Attackers focusing on extortion, data theft, and espionage tend to perform more actions, with pivoting, data harvesting, and exfiltrating being those extra activities," the researchers wrote. "Attackers who rely on receiving ransomware payments for decryption tend to perform a lower number of actions as they're basically smashing and grabbing."
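To make the "more actions, more alert opportunities" point concrete, here is an added example that is not from the CSO article or from Huntress: it classifies constructed endpoint event lines into the action categories the article lists (RMM-spawned processes, scripts, payload downloads, scans, credential access, lateral movement, archive staging, tunnelled exfiltration), counts them, and measures how long a defender had between the first detectable action and the extortion step. The event lines, the hostnames, the `RULES` patterns and the `README_TO_RESTORE` note name are all constructed for illustration; they are not Huntress's detection logic and not indicators from any real incident.

```python
"""Count attacker actions in constructed endpoint telemetry and measure the
defender's window before extortion. Added example; rules and log lines are
constructed, not taken from the article or from any vendor's detections."""
import re
from datetime import datetime

# Constructed telemetry for one fictional intrusion: "<timestamp> <host> <event>".
SAMPLE_EVENTS = """\
2024-05-01T02:10:00 WS-14 process_start parent=ScreenConnect.ClientService.exe image=cmd.exe
2024-05-01T02:14:30 WS-14 process_start image=powershell.exe cmdline=powershell -enc SQBFAFgA...
2024-05-01T02:20:05 WS-14 network_connect image=powershell.exe dst=203.0.113.9:443 via=Invoke-WebRequest
2024-05-01T03:02:11 WS-14 process_start image=netscan.exe cmdline=netscan.exe /range:10.0.0.0/16
2024-05-01T04:15:40 WS-14 process_access target=lsass.exe access=0x1010
2024-05-01T06:40:00 FS-01 logon type=network from=WS-14 account=svc_backup
2024-05-01T09:05:22 FS-01 process_start image=rar.exe cmdline=rar.exe a -r staging.rar D:\\Finance
2024-05-01T09:30:00 FS-01 process_start image=cloudflared.exe cmdline=cloudflared tunnel run
2024-05-01T10:12:00 FS-01 file_create path=C:\\Users\\Public\\README_TO_RESTORE.txt
2024-05-01T19:00:00 FS-01 file_create path=D:\\Finance\\budget.xlsx.locked
"""

# (category, pattern) pairs; first match wins. Hypothetical rules written for
# the constructed lines above, mirroring the action types the article names.
RULES = [
    ("rmm_child_process", re.compile(r"parent=(ScreenConnect|TeamViewer|LogMeIn)\S*", re.I)),
    ("script_execution", re.compile(r"image=powershell\.exe.*-enc\b", re.I)),
    ("payload_download", re.compile(r"network_connect.*via=Invoke-WebRequest", re.I)),
    ("network_scan", re.compile(r"cmdline=\S*scan\S*\s+/range:", re.I)),
    ("credential_dumping", re.compile(r"process_access target=lsass\.exe", re.I)),
    ("lateral_movement", re.compile(r"logon type=network from=", re.I)),
    ("data_staging", re.compile(r"image=(rar|7z|zip)\.exe", re.I)),
    ("exfiltration_tunnel", re.compile(r"image=cloudflared\.exe", re.I)),
]
# The extortion step: the ransom note landing on disk (constructed filename).
EXTORTION = re.compile(r"file_create path=.*README_TO_RESTORE", re.I)


def parse_event(line):
    """Split '<iso timestamp> <host> <rest>' into (datetime, host, rest)."""
    ts, host, rest = line.split(" ", 2)
    return datetime.fromisoformat(ts), host, rest


def classify(event_text):
    """Return the first matching action category, or None if benign/unmatched."""
    for category, pattern in RULES:
        if pattern.search(event_text):
            return category
    return None


def analyze(log_text):
    """Count classified attacker actions and the hours from the first one to extortion."""
    actions, first_action, extortion_at = [], None, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, rest = parse_event(line)
        if EXTORTION.search(rest):
            extortion_at = extortion_at or ts
            continue
        category = classify(rest)
        if category:
            actions.append((ts, host, category))
            first_action = first_action or ts
    hours = None
    if first_action and extortion_at:
        hours = round((extortion_at - first_action).total_seconds() / 3600, 2)
    return {
        "action_count": len(actions),
        "distinct_categories": sorted({c for _, _, c in actions}),
        "hosts_touched": sorted({h for _, h, _ in actions}),
        "first_action": first_action,
        "extortion_at": extortion_at,
        "hours_to_extortion": hours,
        "actions": actions,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_EVENTS)
    print(f"{result['action_count']} detectable actions across {result['hosts_touched']}")
    print(f"{result['hours_to_extortion']} h from first action to ransom note")
    for ts, host, category in result["actions"]:
        delta_h = (ts - result["first_action"]).total_seconds() / 3600
        print(f"  +{delta_h:5.2f}h {host:6} {category}")
```

Each classified line is one chance for an alert to fire before the ransom note appears; in the constructed run, eight such chances spread over roughly eight hours, which is the window the article's dwell-time figures are really about. Note that the final `.locked` file is deliberately left unclassified: by the time encryption artifacts show up, the detection opportunity has already passed.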

Shifting tactics: Ransomware represented almost 10% of all types of threats that Huntress detected or investigated, with the healthcare, technology, education, manufacturing, and government sectors seeing the highest rates of ransomware incidents. However, it's worth noting that some of the other threats tracked separately, such as malware or scripts, are often delivery mechanisms for ransomware or are used by initial access brokers who then sell the access to ransomware groups.

For example, Huntress noted a significant spike in the abuse of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn for both gaining and maintaining access to networks. Some ransomware groups have exploited zero-day vulnerabilities in RMM tools in the past.

There are also industry-specific shifts in tactics. The researchers noted that ransom incidents in the healthcare industry are shifting from traditional data encryption toward data theft.

"Attackers keep exfiltrating data right up to the point of ransoming a victim, with many attackers implementing RAR or ZIP to bundle up data and exfiltrate it to their C2 servers," Huntress said. "We saw more sophisticated attackers starting to use encrypted P2P services like Cloudflare tunneling to not only exfiltrate but to deliver tools and malware."

First seen on csoonline.com

Jump to article: www.csoonline.com/article/3825444/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html
