Sponsored Post: Nick Lowe, CrowdStrike Director, Falcon OverWatch.
Organizations of every vertical, size, and location can be targeted with a ransomware attack. Here’s what you need to know about how these threats are evolving.
Ransomware activity continues to grow and evolve each year, putting all organizations at heightened risk of an attack. Security teams, the protectors of the enterprise, must stay a step ahead of adversaries who are finding easier, more subtle and more effective ways to breach their victims and achieve their goals.
The CrowdStrike Falcon OverWatch™ threat hunting team continuously tracks changes in adversary tradecraft and tooling. Between July 1, 2021, and June 30, 2022, the team identified more than 77,000 potential intrusions, or approximately 1 potential intrusion every 7 minutes. Their findings revealed a 50% increase in interactive intrusion activity year-over-year. The most concerning aspect of these trends is they’re not limited to a specific collection of verticals: OverWatch observed malicious hands-on-keyboard activity across 37 distinct industry verticals.
When it comes to interactive eCrime activity, OverWatch found the average breakout time—the time it takes for an adversary to move laterally—was only 1 hour and 24 minutes, highlighting how critical it is to be able to quickly identify early signs of an eCrime intrusion before it can spread.
Every organization is potentially vulnerable to attacks by criminally motivated adversaries, regardless of industry, size, or location. As businesses are tasked with the increasingly difficult job of protecting an ever-growing attack surface, cybercriminals are ramping up innovation to poke holes in these defenses and maximize their illicit profits. This is evident in the growth of affiliate networks and how Ransomware-as-a-Service (RaaS) models are taking shape.
A vast array of cybercriminals is capitalizing on the availability of RaaS—a model whereby ransomware operators sell their toolkits to affiliates via a variety of revenue models. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features. Think of it as a malicious take on the Software-as-a-Service (SaaS) business model.
The RaaS model benefits both malicious parties: Ransomware operators grow the number of attackers using their toolsets; affiliates receive easy access to ransomware and earn a percentage of each successful ransom payment. RaaS has been a key driver in the proliferation of ransomware, in large part because it drastically lowers the barrier to entry for criminals and makes it possible for less technically skilled adversaries to launch devastating attacks.
Not all of these campaigns look the same, however, even if they rely on the same ransomware. There’s a common misconception that all ransomware incidents follow a single pattern. In reality, different affiliate groups often use unique tradecraft to deploy the same tooling. This makes it more complicated for defenders to identify early-stage ransomware preparation, as it requires greater awareness of a wide range of intrusion tactics and methods that affiliates use.
As part of CrowdStrike’s efforts to understand adversary behavior, the OverWatch team has been tracking the diversification of ransomware affiliates’ tradecraft. Analysis of LockBit intrusions over the past year demonstrates the broad array of techniques its affiliates use.
LockBit, a particularly popular form of ransomware, attracts adversaries with a wide range of skill levels. In various intrusions observed by OverWatch over the past year, LockBit affiliates have compromised a VPN, brute-forced credentials, abused remote desktop protocol (RDP), created new privileged accounts added to domain and enterprise admin groups, and executed several living-off-the-land techniques. Adversaries’ tactics varied, likely depending on their objective and skill level—in one case, for example, their emphasis was on data theft and extortion, which generated a different set of tactics, techniques, and procedures (TTPs) when compared to similar intrusions.
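As an added defender-side illustration, not OverWatch's or CrowdStrike's own detection logic, the following Python sketch shows how two of the behaviours listed above could be surfaced from Windows Security event logs: a burst of failed logons followed by an RDP logon from the same source, and a newly created account being added to Domain Admins or Enterprise Admins shortly after creation. The JSON field names and the sample events are constructed for this example; the event IDs (4625, 4624 logon type 10, 4720, 4728, 4756) are the standard Windows Security ones.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
GROUP_ADD_EVENTS = {4728, 4756}  # member added to a security-enabled global / universal group

# Constructed sample Windows Security events as JSON lines (not real telemetry), in time order.
SAMPLE_EVENTS = """
{"ts":"2022-03-01T02:00:00","id":4625,"user":"svc_backup","src":"10.0.0.5"}
{"ts":"2022-03-01T02:00:10","id":4625,"user":"svc_backup","src":"10.0.0.5"}
{"ts":"2022-03-01T02:00:20","id":4625,"user":"svc_backup","src":"10.0.0.5"}
{"ts":"2022-03-01T02:00:30","id":4625,"user":"svc_backup","src":"10.0.0.5"}
{"ts":"2022-03-01T02:00:40","id":4625,"user":"svc_backup","src":"10.0.0.5"}
{"ts":"2022-03-01T02:01:30","id":4624,"user":"svc_backup","src":"10.0.0.5","logon_type":10}
{"ts":"2022-03-01T02:10:00","id":4720,"target":"sqlsvc2","actor":"svc_backup"}
{"ts":"2022-03-01T02:11:00","id":4728,"target":"sqlsvc2","group":"Domain Admins","actor":"svc_backup"}
{"ts":"2022-03-01T09:00:00","id":4720,"target":"jdoe","actor":"helpdesk1"}
{"ts":"2022-03-02T09:00:00","id":4728,"target":"jdoe","group":"Domain Admins","actor":"helpdesk1"}
"""

def parse(text):
    # Parse JSON-lines events and convert the timestamp field to datetime.
    events = [json.loads(line) for line in text.strip().splitlines()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return events

def find_privileged_account_creation(events, window=timedelta(hours=1)):
    """New account (4720) added to Domain/Enterprise Admins (4728/4756) within `window`."""
    created = {e["target"]: e["ts"] for e in events if e["id"] == 4720}
    hits = []
    for e in events:
        if e["id"] in GROUP_ADD_EVENTS and e.get("group") in PRIVILEGED_GROUPS:
            t0 = created.get(e["target"])
            if t0 is not None and timedelta(0) <= e["ts"] - t0 <= window:
                hits.append((e["target"], e["group"], e["actor"]))
    return hits

def find_bruteforce_then_rdp(events, threshold=5, window=timedelta(minutes=10)):
    """`threshold`+ failed logons (4625) from one source, then an RDP logon (4624, logon type 10)."""
    failures = defaultdict(list)
    hits = []
    for e in events:
        if e["id"] == 4625:
            failures[e["src"]].append(e["ts"])
        elif e["id"] == 4624 and e.get("logon_type") == 10:
            recent = [t for t in failures[e["src"]] if timedelta(0) <= e["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((e["src"], e["user"], len(recent)))
    return hits
```

The second sample account (jdoe) is deliberately added to Domain Admins a day after creation and therefore falls outside the one-hour window; tune the windows and thresholds to your own environment's baseline.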
For protectors, the ongoing evolution of ransomware tradecraft poses a constant challenge. How can you best protect your assets as adversaries change their techniques? Following are a few steps for IT and security teams.
What Protectors Can Do
There’s no one-size-fits-all model for how ransomware affiliates craft their intrusions; nor is there a single silver bullet defenders can rely on to protect their organizations. However, understanding adversaries’ motivations and tactics can help identify areas of focus. Protectors should:
The ransomware threat landscape is evolving with the rise of new attack techniques, and it’s growing larger as the barrier to entry lowers for less-skilled adversaries. In order to best protect their most valuable assets, organizations must understand what they’re up against and plan their security strategies accordingly as these threats continue to change.