Between 2023 and 2024, Cisco Talos reviewed 14 prominent ransomware groups, studying the volume of attacks, their impact on customers and atypical threat actor behavior.
The research utilized data from ransomware groups’ public leak sites, Cisco Talos Incident Response (Talos IR), Talos internal tracking efforts and open-source reporting.
As ransomware continues to plague enterprise security, Cisco’s Talos security intelligence group recently conducted an in-depth analysis of ransomware groups to identify common techniques and offer strategies for better protection.
In this article, you will learn about seven key findings from Cisco Talos analysis of attack chain and network ransomware tactics.
Here are seven key findings from Cisco Talos analysis of attack chain and network ransomware tactics.
- Initial Access and Exploitation
According to the research stated by Cisco Talos analyst James Nutland,
“The most prolific ransomware actors prioritize gaining initial access to targeted networks with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks,”.
Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications.
- Emergence of New Ransomware Groups
Talos noted significant shifts in the ransomware landscape including the emergence of multiple new ransomware groups, each with unique goals and operational structures.
Groups like Hunters International, Cactus and Akira have carved out specific niches. These groups focus on distinct operational goals and stylistic choices to differentiate themselves.
- Defense Evasion Techniques
Common techniques for ransomware players include disabling or modifying security software such as antivirus programs, endpoint detection solutions.
Security features in the operating system to prevent the detection of the ransomware payload.
Ransomware actors also obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed.
They often modify the system registry to disable security alerts, configure software to execute at startup or block certain recovery options for users.
- Multi-Factor Authentication Exploits
Adversaries may send emails containing malicious attachments or URL links that execute malicious code on the target system, exploiting multi-factor authentication (MFA).
They bypass multi factor authentication through poor implementation or by using valid account credentials. Increasingly, ransomware affiliates exploit vulnerabilities or misconfigurations in internet-facing systems such as in dedicated server hosting or unpatched software.
- Seeking Long-Term Access
Ransomware actors aim to establish long-term access to ensure their operations remain successful even if the initial intrusion is discovered. They often use automated malware persistence mechanisms such as AutoStart execution upon system boot or modify registry entries.
Remote access software tools and the creation of local, domain and cloud accounts are also deployed to establish secondary credentialed access.
- Enumerating Target Environments
Upon establishing persistent access, threat actors enumerate the target environment to understand the network’s structure, locate resources to support the attack and identify valuable data for double extortion. They exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain.
Talos observed the popular use of network scanner utilities in conjunction with local operating system tools and utilities such as Certutil, Wevtutil, Net, Nltes, and Netsh.
These tools blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.
- Double Extortion
In the shift towards a double extortion model, adversaries collect sensitive or confidential information to send to an external adversary-controlled resource.
File compression and encryption utilities like WinRAR and 7-Zip conceal files for unauthorized transfer. Mature Ransomware-as-a-Service operations have developed custom data exfiltration tools such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.
Earlier this year, Talos reported that perpetrators of advanced persistent threat (APT) attacks are not just looking to access networks but also aim to linger, collect valuable data or plan future attacks.
Post-compromise threats target aging network infrastructure and edge devices with critical unpatched vulnerabilities.
Recommendations for Combating Ransomware
Here are some of the steps you can take to combat ransomware attacks.
- Apply Patches and Updates
Businesses should regularly and consistently apply patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk.
- Implement Strong Password Policies
Implement strong password policies that require complex, unique passwords for each account. Enforce multi-factor authentication (MFA) to add an extra layer of security.
- Network Segmentation
Segment the network to isolate sensitive data and systems, preventing lateral movement in case of a breach. Utilize network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring only authorized device connections.
- Security Information and Event Management (SIEM)
Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events.
Deploy Endpoint Detection and Response (EDR) and Extended Detection and Response (XDR) solutions.
All clients and servers to provide advanced threat detection, investigation and response capabilities.
If you are planning to buy a VPS, this means that it can detect threats and respond to them with the help of EDR and XDR.
- Continuous Monitoring and Advanced Threat Detection
Deploy advanced monitoring systems and threat detection tools to keep a vigilant eye on security events and incidents.
This includes using security information and event management systems for comprehensive event analysis and endpoint detection and response.
Extended detection and response solutions for in-depth threat investigation and response.
Conclusion
The analysis by Cisco Talos highlights the evolving nature of ransomware threats and the sophisticated techniques employed by threat actors.
By understanding these trends and implementing robust security measures, businesses can better protect themselves against the increasing threat of ransomware attacks.
Regular updates, strong authentication policies, network segmentation and continuous monitoring are crucial components of an effective defense strategy. Which of these findings shocked you the most? Share it with us in the comments section below.
Leave a Reply