What Security Teams Need To Know About the Ransomware Threat Landscape

By Nick Lowe
October 12, 2022

Sponsored Post: Nick Lowe, CrowdStrike Director, Falcon OverWatch.

Organizations of every vertical, size, and location can be targeted with a ransomware attack. Here’s what you need to know about how these threats are evolving.

Ransomware activity continues to grow and evolve each year, putting all organizations at heightened risk of an attack. Security teams, the protectors of the enterprise, must stay a step ahead of adversaries who are finding easier, more subtle and more effective ways to breach their victims and achieve their goals.

The CrowdStrike Falcon OverWatch™ threat hunting team continuously tracks changes in adversary tradecraft and tooling. Between July 1, 2021, and June 30, 2022, the team identified more than 77,000 potential intrusions, or approximately 1 potential intrusion every 7 minutes. Their findings revealed a 50% increase in interactive intrusion activity year-over-year. The most concerning aspect of these trends is they’re not limited to a specific collection of verticals: OverWatch observed malicious hands-on-keyboard activity across 37 distinct industry verticals.

When it comes to interactive eCrime activity, OverWatch found the average breakout time—the time it takes for an adversary to move laterally—was only 1 hour and 24 minutes, highlighting how critical it is to be able to quickly identify early signs of an eCrime intrusion before it can spread. 

Every organization is potentially vulnerable to attacks by criminally motivated adversaries, regardless of industry, size, or location. As businesses are tasked with the increasingly difficult job of protecting an ever-growing attack surface, cybercriminals are ramping up innovation to poke holes in these defenses and maximize their illicit profits. This is evident in the growth of affiliate networks and how Ransomware-as-a-Service (RaaS) models are taking shape.

A vast array of cybercriminals is capitalizing on the availability of RaaS—a model whereby ransomware operators sell their toolkits to affiliates via a variety of revenue models. A RaaS kit may include 24/7 support, bundled offers, user reviews, forums, and other features. Think of it as a malicious take on the Software-as-a-Service (SaaS) business model.

The RaaS model benefits both malicious parties: Ransomware operators grow the number of attackers using their toolsets; affiliates receive easy access to ransomware and earn a percentage of each successful ransom payment. RaaS has been a key driver in the proliferation of ransomware, in large part because it drastically lowers the barrier to entry for criminals and makes it possible for less technically skilled adversaries to launch devastating attacks.

Not all of these campaigns look the same, however, even if they rely on the same ransomware. There’s a common misconception that all ransomware incidents follow a single pattern. In reality, different affiliate groups often use unique tradecraft to deploy the same tooling. This makes it more complicated for defenders to identify early-stage ransomware preparation, as it requires greater awareness of a wide range of intrusion tactics and methods that affiliates use.

As part of CrowdStrike’s efforts to understand adversary behavior, the OverWatch team has been tracking the diversification of ransomware affiliates’ tradecraft. Analysis of LockBit intrusions over the past year demonstrates the broad array of techniques its affiliates use.

LockBit, a particularly popular form of ransomware, attracts adversaries with a wide range of skill levels. In various intrusions observed by OverWatch over the past year, LockBit affiliates have compromised a VPN, brute-forced credentials, abused remote desktop protocol (RDP), created new privileged accounts and added them to domain and enterprise admin groups, and executed several living-off-the-land techniques. Adversaries’ tactics varied, likely depending on their objective and skill level—in one case, for example, the emphasis was on data theft and extortion, which produced a different set of tactics, techniques, and procedures (TTPs) than those seen in otherwise similar intrusions.

For protectors, the ongoing evolution of ransomware tradecraft poses a constant challenge. How can you best protect your assets as adversaries change their techniques? Following are a few steps for IT and security teams.

What Protectors Can Do

There’s no one-size-fits-all model for how ransomware affiliates craft their intrusions; nor is there a single silver bullet defenders can rely on to protect their organizations. However, understanding adversaries’ motivations and tactics can help identify areas of focus. Protectors should:

  • Supplement technology-based defenses with continuous human-driven threat hunting: Today’s ransomware affiliates are fast and creative in the ways they deploy their attacks. The most effective way to stay ahead of this threat is to implement a continuous threat hunting program that looks for the array of behavioral patterns that can indicate malicious activity.
  • Activate a strong, flexible identity security solution: Compromised credential use is prolific in interactive intrusions, and continuous human-driven threat hunting is effective at uncovering adversaries leveraging valid accounts to carry out their activities. It’s equally important to implement technologies that can assist with privileged account management and account auditing.
  • Prioritize security controls to secure and audit remote access: Intrusions often include the exploitation of remote access and use of RDP, along with a form of valid account. Focusing on security controls in these areas, such as multifactor authentication, can help prevent attackers who would take this route.
  • Be wary of activity coming from non-standard locations: Adversaries regularly use non-standard directories to stage or execute files, or store the output of their tooling. Businesses should monitor for the download and execution of scripts from non-standard locations—any associated requests with obfuscated or encoded command lines may indicate malicious activity.
  • Audit external services to identify potential entry points: External services, in particular legitimate remote access software, are commonly abused by adversaries. Remote access software is a popular target as it’s often deployed and trusted within enterprise environments. This provides adversaries with persistent access that can blend in with legitimate use, improving the chances of evading detection. 
  • Invest in protection for cloud resources: Adversaries are adapting to the world of cloud technology and view the cloud as a new arena to carry out IP theft, data extortion, ransomware, and destructive attacks. Protectors are challenged to protect this growing attack surface as more attackers set their sights on the cloud. As you focus on cloud security, be sure to invest in monitoring for and defending against attacks on cloud resources, and do not assume default security settings are best for your organization. 
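
One way to put the "non-standard locations" and encoded command-line advice above into practice, as an added example that is not CrowdStrike's or OverWatch's code: it reviews constructed process-creation events, flags executables and script arguments that sit outside an assumed allow-list of standard directories, and decodes PowerShell -EncodedCommand payloads so a hunter can read what was run. The directory allow-list, the script-host names and the sample events are assumptions to tune per environment.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumed allow-list of directories where binaries and scripts are expected (tune per environment).
STANDARD_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Script hosts whose command lines deserve closer inspection (assumed set).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# PowerShell's -EncodedCommand switch and its abbreviations, followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
# Script paths passed as arguments to a script host.
SCRIPT_ARG = re.compile(r"(?i)([a-z]:\\[^\s\"']+\.(?:ps1|vbs|js|hta|bat|cmd))")

def is_non_standard(path: str) -> bool:
    """True when a path sits outside the expected program directories."""
    return not path.lower().startswith(STANDARD_DIRS)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le", errors="replace")
    except (ValueError, UnicodeDecodeError):
        return None

def review_event(ev: Dict[str, str]) -> List[str]:
    """Return the reasons a process-creation event warrants a threat hunter's attention."""
    reasons: List[str] = []
    image, cmdline = ev["image"], ev["cmdline"]
    if is_non_standard(image):
        reasons.append(f"image executed from non-standard location: {image}")
    if image.lower().rsplit("\\", 1)[-1] in SCRIPT_HOSTS:
        for script in SCRIPT_ARG.findall(cmdline):
            if is_non_standard(script):
                reasons.append(f"script launched from non-standard location: {script}")
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            reasons.append(f"encoded command line decodes to: {decoded.strip()}")
    return reasons

def review_events(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map event id -> findings, keeping only events with at least one finding."""
    return {ev["id"]: r for ev in events if (r := review_event(ev))}

# Constructed sample events (not real telemetry); event 3 carries a harmless encoded "Get-Process".
_ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"id": "1", "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": "2", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Users\\Public\\update.ps1"},
    {"id": "3", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"id": "4", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe", "cmdline": "tool.exe"},
]
```

Running `review_events(SAMPLE_EVENTS)` surfaces events 2, 3 and 4 with a human-readable reason each, which is the triage input a hunting team would then investigate against the user and host context.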

The ransomware threat landscape is evolving with the rise of new attack techniques, and it’s growing larger as the barrier to entry lowers for less-skilled adversaries. In order to best protect their most valuable assets, organizations must understand what they’re up against and plan their security strategies accordingly as these threats continue to change.
