- The initial point of access for the attackers and the privileges it provided them
- How easy it is to reach other network segments and systems from the initially compromised asset
- Whether access into the environment was resold to a ransomware operator by an initial access broker
- Whether the attackers decided to operate only outside the victim's regular business hours

Another important factor that Huntress analyzed was the number of actions attackers took inside the environment after the initial compromise. These include malicious actions such as network scans for reconnaissance, lateral movement, credential dumping for privilege escalation, running scripts, executing terminal commands, downloading additional payloads, and exfiltrating files.

This metric is important because the higher the number of malicious actions, the more chances there are to trigger an alert that would enable an organization to discover the intruders early during the attack. According to Huntress, the average number of malicious actions across investigated ransomware incidents was 18, but some groups took as few as six and others more than 30.

"Attackers focusing on extortion, data theft, and espionage tend to perform more actions, with pivoting, data harvesting, and exfiltrating being those extra activities," the researchers wrote. "Attackers who rely on receiving ransomware payments for decryption tend to perform a lower number of actions as they're basically smashing and grabbing."
Shifting tactics: Ransomware represented almost 10% of all types of threats that Huntress detected or investigated, with the healthcare, technology, education, manufacturing, and government sectors seeing the highest rates of ransomware incidents. However, it's worth noting that some of the other threats tracked separately, such as malware or scripts, are often delivery mechanisms for ransomware or are used by initial access brokers who then sell the access to ransomware groups.

For example, Huntress noted a significant spike in the abuse of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn for both gaining and maintaining access to networks. Some ransomware groups have exploited zero-day vulnerabilities in RMM tools in the past.

There are also industry-specific shifts in tactics. The researchers noted that ransomware incidents in the healthcare industry are shifting from traditional data encryption toward data theft.

"Attackers keep exfiltrating data right up to the point of ransoming a victim, with many attackers implementing RAR or ZIP to bundle up data and exfiltrate it to their C2 servers," Huntress said. "We saw more sophisticated attackers starting to use encrypted P2P services like Cloudflare tunneling to not only exfiltrate but to deliver tools and malware."
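The practical takeaway from the action-count finding above, and from the RMM, archiving and tunneling tradecraft just described, is that each category of attacker action is a separate detection opportunity, so a defender wants to know how many of those categories a single host has already shown. The following script is an added example written for this page, not Huntress's tooling or the article's own code: it classifies constructed, Sysmon-style process-creation records into the action categories the report lists, discards RMM executions on hosts where the helpdesk is assumed to run them legitimately, notes which hits fell in an assumed 22:00 to 06:00 UTC off-hours window, and escalates hosts that have crossed a distinct-category threshold. All patterns, hostnames, timestamps and command lines are hypothetical and deliberately minimal; they are not a production rule set.

```python
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical pattern set mapping command lines to the action categories the
# report summary lists. Illustrative only: not the vendor's rules, not exhaustive.
ACTION_RULES = [
    ("recon_scan",        r"\b(nmap|netscan|advanced_ip_scanner)\b"),
    ("lateral_movement",  r"\bpsexec(64)?\b|\bwinrs\b|wmic\s+/node"),
    ("credential_dump",   r"\b(mimikatz|procdump)\b.*\b(lsass|sekurlsa)\b"),
    ("script_execution",  r"\bpowershell(\.exe)?\b.*\s-(enc|encodedcommand|nop)\b"),
    ("payload_download",  r"certutil\s+-urlcache|bitsadmin\s+/transfer|curl\s+-o\b"),
    ("archive_for_exfil", r"\b(rar|7z)(\.exe)?\"?\s+a\b"),   # 'rar a ...' / '7z a ...'
    ("rmm_tool",          r"screenconnect|teamviewer|logmein"),
    ("tunnel",            r"\bcloudflared\b.*\btunnel\b"),
]
ACTION_RULES = [(name, re.compile(pat, re.I)) for name, pat in ACTION_RULES]


def classify(cmdline: str) -> set:
    """Return every action category whose pattern matches the command line."""
    return {name for name, rx in ACTION_RULES if rx.search(cmdline)}


def is_off_hours(ts: str, start_hour: int = 22, end_hour: int = 6) -> bool:
    """True if an ISO-8601 UTC timestamp falls in the assumed off-hours window."""
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).hour
    return hour >= start_hour or hour < end_hour


def summarize(events, expected_rmm_hosts=frozenset()):
    """Per host: the distinct action categories seen and how many hits were off-hours.
    RMM binaries on hosts where the helpdesk legitimately runs them are dropped so
    that normal tool use does not count as an attacker action."""
    hosts = defaultdict(lambda: {"actions": set(), "off_hours_hits": 0})
    for ev in events:
        actions = classify(ev["cmdline"])
        if ev["host"] in expected_rmm_hosts:
            actions.discard("rmm_tool")
        if not actions:
            continue
        hosts[ev["host"]]["actions"] |= actions
        if is_off_hours(ev["ts"]):
            hosts[ev["host"]]["off_hours_hits"] += 1
    return {h: {"actions": sorted(v["actions"]), "off_hours_hits": v["off_hours_hits"]}
            for h, v in hosts.items()}


def hosts_to_escalate(summary, min_actions: int = 3):
    """Hosts showing at least min_actions distinct categories. The more of the
    chain an attacker has already run, the less time is left before extortion."""
    return sorted(h for h, v in summary.items() if len(v["actions"]) >= min_actions)


# Constructed sample records (hypothetical hosts, times and command lines).
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:10:11Z", "host": "fs01",
     "cmdline": r"C:\Users\Public\netscan.exe /range:10.0.0.0/24"},
    {"ts": "2024-03-02T02:14:40Z", "host": "fs01",
     "cmdline": r"powershell.exe -nop -w hidden -enc SQBFAFgAIAA"},
    {"ts": "2024-03-02T02:31:05Z", "host": "fs01",
     "cmdline": r"C:\Windows\Temp\procdump.exe -ma lsass.exe C:\Windows\Temp\l.dmp"},
    {"ts": "2024-03-02T03:05:52Z", "host": "fs01",
     "cmdline": r'"C:\Program Files\WinRAR\rar.exe" a -r C:\Users\Public\fin.rar \\fs01\Finance'},
    {"ts": "2024-03-02T03:09:13Z", "host": "fs01",
     "cmdline": r"cloudflared.exe tunnel run --token REDACTED"},
    {"ts": "2024-03-02T03:20:00Z", "host": "dc01",
     "cmdline": r"PsExec64.exe \\dc01 -s cmd.exe"},
    {"ts": "2024-03-02T10:02:30Z", "host": "ws22",
     "cmdline": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
    {"ts": "2024-03-02T10:05:00Z", "host": "ws22",
     "cmdline": r"C:\Windows\System32\notepad.exe C:\Users\a\notes.txt"},
]

if __name__ == "__main__":
    # ws22 is assumed to be a helpdesk-managed workstation where ScreenConnect is expected.
    summary = summarize(SAMPLE_EVENTS, expected_rmm_hosts={"ws22"})
    for host, info in summary.items():
        print(host, info)
    print("escalate:", hosts_to_escalate(summary))
```

The allowlist is the point to think about: RMM agents are legitimate on many hosts, so an RMM hit is only interesting where the agent is unexpected, and even then it is one category among several. A host such as fs01 above, which shows scanning, an encoded script, an LSASS dump, archiving and a tunnel inside an hour, has already offered five separate chances to alert; the report's 17-hour median leaves little room to act on a sixth.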
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3825444/ransomware-gangs-extort-victims-17-hours-after-intrusion-on-average.html