Ransomware attacks are becoming increasingly frequent, with a growing number of sophisticated methods being used to infiltrate and compromise systems. Cisco Talos Intelligence recently released a comprehensive report analyzing the tactics, techniques, and procedures (TTPs) of 14 major ransomware groups active from 2023 to 2024. The report provides valuable insight into the changing strategies of these groups and offers practical recommendations for bolstering cybersecurity defenses.

Essential highlights from Cisco Talos’ ransomware analysis

Cisco Talos Intelligence published a report on the tactics, techniques, and procedures of 14 prominent ransomware groups active between 2023 and 2024.

Ransomware groups are responsible for a significant number of attacks that target organizations worldwide. The detailed examination of their TTPs sheds light on the sophisticated mechanisms these groups use to infiltrate, control, and extort their victims.

The report emphasizes the increasing commonality of ransomware attacks and offers insights and recommendations for improving cybersecurity defenses.

The report highlights the critical need for organizations to stay ahead of these threats by understanding the strategies ransomware groups employ. Key recommendations include adopting robust patch management practices, implementing strong password policies, and utilizing multi-factor authentication (MFA) to prevent unauthorized access.

Eye-opening discoveries about ransomware tactics

Ransomware groups commonly gain initial access to target systems through phishing campaigns or exploiting known vulnerabilities in public-facing applications. Phishing remains a prevalent method due to its effectiveness in tricking users into clicking malicious links or downloading infected attachments.

Unpatched vulnerabilities in software and systems also provide an open door for attackers. Once inside, attackers often use lateral movement techniques, navigating through the network to identify and compromise critical systems.

The clever tricks ransomware uses to stay hidden

To evade detection, attackers disable or alter security software, obfuscate their code, and leverage legitimate tools such as PowerShell and Windows Management Instrumentation (WMI). Tactics like these let them blend in with regular network traffic, making it challenging for traditional security solutions to identify malicious activity. By using legitimate tools, attackers exploit the trust and permissions these tools already have within the network, further complicating detection efforts.
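The point above, that encoding and living-off-the-land tooling hide activity from naive string matching, is easiest to see in detection logic. The following is an added example written for this summary, not code from the Cisco Talos report or from any product. It assumes process-creation records flattened into dicts with hypothetical field names (host, parent, cmdline), decodes the base64/UTF-16LE payload that PowerShell's -EncodedCommand carries, and then matches the decoded text rather than only the visible wrapper. The sample records are constructed, and the flagged patterns (a Defender preference being switched off, WMI spawning a process) are illustrative, not a complete rule set.

```python
import base64
import binascii
import re

# Constructed process-creation records (not real telemetry). The field names loosely
# follow what a Windows 4688 / Sysmon event 1 record carries; the encoded command is
# built here so the sample is self-contained.
_ENCODED = base64.b64encode(
    "Set-MpPreference -DisableRealtimeMonitoring $true".encode("utf-16le")
).decode("ascii")

SAMPLE_EVENTS = [
    {"host": "ws-17", "parent": "WINWORD.EXE",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENCODED},
    {"host": "ws-22", "parent": "explorer.exe",
     "cmdline": "powershell.exe -Command Get-Service -Name Spooler"},
    {"host": "jump-01", "parent": "cmd.exe",
     "cmdline": 'wmic.exe /node:fs-02 process call create "cmd.exe /c ipconfig"'},
]

# PowerShell accepts any unambiguous prefix of -EncodedCommand; only the common
# spellings are matched here. The payload is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Parents that should not normally be launching a shell; a macro-bearing document
# is the classic case.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Patterns applied to the visible command line plus the decoded payload (if any).
SUSPICIOUS_PATTERNS = [
    ("defender_tamper", re.compile(r"set-mppreference\s+-disable", re.I)),
    ("wmi_process_create",
     re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
]


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand text, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Return the list of finding names that apply to one process-creation record."""
    findings = []
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    text = cmdline
    if decoded is not None:
        findings.append("encoded_powershell")
        # Match against what actually runs, not just the wrapper that launched it.
        text = cmdline + " " + decoded
    if event["parent"].lower() in OFFICE_PARENTS and "powershell" in cmdline.lower():
        findings.append("office_spawned_powershell")
    for name, pattern in SUSPICIOUS_PATTERNS:
        if pattern.search(text):
            findings.append(name)
    return findings


def scan(events: list) -> dict:
    """Map host -> findings for every record that produced at least one finding."""
    return {e["host"]: analyze(e) for e in events if analyze(e)}


if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS).items():
        print(host, findings)
```

Without the decoding step the first record would look like an ordinary PowerShell launch; with it, the tamper command and the Office parent together give a high-confidence signal. The benign service query from explorer.exe produces nothing, which is the behaviour you want from a rule that will run against thousands of legitimate PowerShell launches a day.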

Ransomware’s hunt for your passwords

Attackers frequently target the Local Security Authority Subsystem Service (LSASS) memory to extract credentials.

Dumping credentials from LSASS means they can move laterally across the network without triggering security alerts. Such techniques grant attackers access to critical systems and sensitive data, letting them escalate their privileges and deepen their infiltration.

How attackers take over systems without being spotted

Ransomware attackers often use legitimate remote monitoring and management (RMM) tools to maintain control over compromised systems. Because such tools are commonly allowed within organizational environments, attackers can operate under the radar: by mimicking regular administrative activity, they avoid raising suspicion and can carry out their malicious operations undetected.

The notorious ransomware crews you need to know

  • AlphV/Blackcat and Rhysida: Known for their versatile and adaptive TTPs, these groups tailor their attacks to the specific environments of their targets, making them highly effective and challenging to defend against. Customized attacks mean that they can exploit the unique vulnerabilities and weaknesses of each target.
  • BlackBasta and LockBit: Infamous for their aggressive strategies, these groups focus on encrypting data and causing significant disruption to force victims into paying ransoms. They employ fast-acting encryption mechanisms that quickly render data and systems unusable, maximizing pressure on victims to comply with ransom demands.
  • Clop: Distinguished by primarily engaging in data theft and extortion rather than encryption. Clop exfiltrates sensitive information and then threatens to release it publicly if the ransom is not paid, using the fear of public exposure and regulatory repercussions to compel victims to pay up and prevent the disclosure of their sensitive data.

Critical vulnerabilities ransomware groups love to exploit

Ransomware groups continuously scour network defenses for weak spots they can use to break in. The sophistication of these attacks often hinges on the exploitation of known vulnerabilities that, despite being identified and cataloged, remain a persistent threat due to delayed patching or oversight.

  • CVE-2018-13379 is a path traversal vulnerability in Fortinet’s SSL VPN that attackers exploit to gain unauthorized access to networks: it allows them to retrieve system files, including password databases, from the VPN. Exploiting this vulnerability means ransomware groups can breach network defenses and initiate their attack chain.
  • CVE-2020-1472, also known as Zerologon, is a vulnerability that permits attackers to escalate privileges within domain controllers. Using this flaw, attackers can achieve full control over an entire network. Zerologon’s ease of exploitation and its profound impact on network security make it a prime target for ransomware groups aiming to establish dominance over their victims’ systems.
  • CVE-2023-0669 affects the GoAnywhere MFT software, allowing attackers to execute arbitrary code on affected systems; this vulnerability poses a significant threat as it can be used to take over systems, deploy malware, and disrupt operations. Ransomware groups exploiting this flaw can compromise critical file transfer processes and gain extensive control over network operations.

Organizations must adopt a proactive security posture, emphasizing the importance of regular system updates, continuous monitoring, and rigorous security protocols.

The step-by-step playbook of a ransomware attack

Ransomware attacks often start with gaining initial access through malicious attachments, phishing emails, or vulnerabilities in public-facing applications.

Phishing emails are particularly effective, as they trick users into clicking on malicious links or downloading infected attachments. Vulnerabilities in public-facing applications also provide an entry point for attackers, who exploit these weaknesses to infiltrate systems.

Once inside, the attackers begin their malicious activities, setting the stage for further infiltration and control.

Unleashing the malicious payload

Once initial access is gained, the execution phase begins. During this phase, attackers deploy malicious payloads through scripts or malicious documents. Payloads are designed to execute harmful actions on the victim’s machine. Scripts can automate the execution process, while malicious documents often contain embedded macros or other code that, when opened, triggers the payload.

This stage is key as it initiates the ransomware’s active components, leading to further compromise and control.

How attackers stay hidden and active in your network

To maintain control and avoid detection, attackers establish persistence within the victim’s environment by adding registry entries, setting up scheduled tasks, or using legitimate tools that provide continuous access.

By embedding themselves deeply into the system, attackers make sure they remain active even if the initial indicators of compromise are addressed. Persistent access allows them to execute their plans over an extended period, increasing the damage they can inflict.
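Both persistence mechanisms named above (registry entries and scheduled tasks) leave a record that can be triaged the same way: what was written, and where does the referenced binary live? The following is an added example, not code from the Cisco Talos report or any vendor. It assumes two constructed event shapes flattened into dicts, a Sysmon event 13 (registry value set) with hypothetical fields target and details, and a Security 4698 (scheduled task created) with hypothetical fields task and command, and it treats a binary under a user-writable directory, or a task name that imitates the built-in Microsoft folder while pointing outside the Windows directory, as the signals worth escalating.

```python
import re

# Constructed records (not real telemetry): two Sysmon event 13 rows and two
# Security 4698 rows, flattened to dicts with illustrative field names.
SAMPLE_EVENTS = [
    {"id": 13, "host": "ws-17", "image": r"C:\Windows\System32\reg.exe",
     "target": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"C:\Users\j.doe\AppData\Roaming\svc\upd.exe"},
    {"id": 13, "host": "ws-17", "image": r"C:\Program Files\Vendor\setup.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    {"id": 4698, "host": "fs-02", "subject": r"CORP\svc-backup",
     "task": r"\Microsoft\Windows\Maint\Sync",
     "command": r"C:\ProgramData\sync\sync.exe"},
    {"id": 4698, "host": "fs-02", "subject": r"CORP\admin",
     "task": r"\Backup\Nightly",
     "command": r"C:\Program Files\BackupCo\backup.exe"},
]

# Autostart locations and path classes used by the triage rules below.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(?:Run|RunOnce)\\", re.I)
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)
MICROSOFT_TASK_FOLDER = re.compile(r"^\\Microsoft\\Windows\\", re.I)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)


def triage_registry(event: dict) -> list:
    """Findings for a registry value-set event."""
    findings = []
    if RUN_KEY.search(event["target"]):
        findings.append("run_key_write")
        # A Run entry pointing into a user-writable directory is the interesting case;
        # vendor installers write Run entries too, so the key alone is low signal.
        if USER_WRITABLE.search(event["details"]):
            findings.append("user_writable_path")
    return findings


def triage_task(event: dict) -> list:
    """Findings for a scheduled-task-created event."""
    findings = []
    if USER_WRITABLE.search(event["command"]):
        findings.append("task_user_writable_binary")
    # Task named like a built-in Microsoft maintenance task but running a binary that
    # does not live under the Windows directory.
    if MICROSOFT_TASK_FOLDER.search(event["task"]) and not WINDOWS_DIR.search(event["command"]):
        findings.append("task_masquerade")
    return findings


def triage(event: dict) -> list:
    """Dispatch on event id; unknown ids produce no findings."""
    if event["id"] == 13:
        return triage_registry(event)
    if event["id"] == 4698:
        return triage_task(event)
    return []


def severity(findings: list):
    """Two or more corroborating findings escalate the alert; one is low, none is no alert."""
    if len(findings) >= 2:
        return "high"
    return "low" if findings else None


def alerts(events: list) -> list:
    """Return (host, event id, severity, findings) for every record with at least one finding."""
    out = []
    for e in events:
        f = triage(e)
        if f:
            out.append((e["host"], e["id"], severity(f), f))
    return out


if __name__ == "__main__":
    for row in alerts(SAMPLE_EVENTS):
        print(row)
```

The vendor installer's Run entry is still reported, but only as low severity; the Run entry pointing into AppData and the Microsoft-named task running from ProgramData are the two that should reach an analyst first. The allow-listing of installer paths is something each environment has to tune.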

Gaining higher-level network access

Privilege escalation is a key step in ransomware attacks. Attackers seek to gain higher-level access within the network to enhance their control and access sensitive data. Attackers often exploit system vulnerabilities or use stolen credentials to elevate their privileges.

With higher-level access, attackers can move freely within the network, access critical systems, and perform actions that require administrative permissions.

Stealing authentication details for network control

Credential access involves techniques like credential dumping from LSASS (Local Security Authority Subsystem Service) memory to obtain authentication details. Attackers target LSASS because it stores sensitive credential information that can be used to authenticate users across the network.

Dumping these credentials means attackers can impersonate legitimate users, move laterally within the network, and access restricted systems. Such techniques are highly effective and widely used in ransomware attacks.
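Because LSASS credential dumping appears twice on this page (under "Ransomware's hunt for your passwords" and again here), one detection example covers both. This is an added example, not code from the Cisco Talos report or any vendor. It assumes Sysmon event 10 (ProcessAccess) records with the real field names SourceImage, TargetImage, GrantedAccess and CallTrace, a hypothetical allowlist of processes that legitimately open lsass.exe, and the rule that only handles carrying PROCESS_VM_READ (0x0010) matter, since that is the right needed to read another process's memory. The sample records are constructed.

```python
import re

PROCESS_VM_READ = 0x0010  # the access right needed to read another process's memory

# Processes that legitimately open lsass.exe. This is an assumed starting allowlist;
# tune it to the environment. Defender's engine is matched by name because its
# platform directory changes with every version.
ALLOWLIST_PATHS = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\services.exe",
    r"c:\windows\system32\lsass.exe",
}
ALLOWLIST_NAMES = {"msmpeng.exe"}

USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)

# Constructed Sysmon event 10 records (not real telemetry).
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Users\j.doe\AppData\Local\Temp\x.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|UNKNOWN(000001E3F2A40000)"},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\<version>\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c6ce"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c6ce"},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1410",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204|C:\Windows\System32\KERNELBASE.dll+2c6ce"},
    {"SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\spoolsv.exe", "GrantedAccess": "0x1FFFFF",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d204"},
]


def score(event: dict):
    """Return 'high', 'medium' or None for one ProcessAccess record."""
    if not event["TargetImage"].lower().endswith(r"\lsass.exe"):
        return None
    source = event["SourceImage"]
    source_lower = source.lower()
    name = source_lower.rsplit("\\", 1)[-1]
    if source_lower in ALLOWLIST_PATHS or name in ALLOWLIST_NAMES:
        return None
    # GrantedAccess is a hex bitmask; only memory-read access is relevant here.
    access = int(event["GrantedAccess"], 16)
    if not access & PROCESS_VM_READ:
        return None
    # A call trace through unbacked memory, or a source binary in a user-writable
    # directory, is the strongest corroboration that this is not an admin tool.
    if "UNKNOWN" in event.get("CallTrace", "") or USER_WRITABLE.search(source):
        return "high"
    return "medium"


def review(events: list) -> list:
    """(SourceImage, severity) for every record that scores."""
    return [(e["SourceImage"], score(e)) for e in events if score(e)]


if __name__ == "__main__":
    for source, level in review(SAMPLE_EVENTS):
        print(level, source)
```

The Defender engine is skipped even though it lives under ProgramData, because the allowlist is consulted before the path heuristic; svchost querying limited information is skipped because it never asked for read access; Task Manager reading LSASS is reported at medium so an analyst can decide whether an interactive dump was expected on that host.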

Navigating across networks to critical systems

Lateral movement refers to the tactics attackers use to navigate through a network to identify and access critical systems.

Once attackers have valid credentials and elevated privileges, they move laterally by leveraging network protocols and tools. They use techniques such as Remote Desktop Protocol (RDP), Windows Management Instrumentation (WMI), and other administrative tools to explore the network and identify high-value targets.
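Lateral movement over RDP and WMI is authenticated, so it shows up in logon telemetry rather than as malware. The following is an added example, not code from the Cisco Talos report or any product. It assumes Windows 4624-style logon records reduced to constructed tuples of (timestamp, account, target host, source host, logon type), uses the standard logon type values 3 (network, which covers WMI and SMB) and 10 (RemoteInteractive, which is RDP), and applies two heuristics whose thresholds and host-naming convention (workstations prefixed "ws-") are assumptions: one account reaching several distinct hosts inside a short window, and RDP from one workstation directly to another.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REMOTE_LOGON_TYPES = {3, 10}  # 3 = network (SMB/WMI/RPC), 10 = RemoteInteractive (RDP)

# Constructed 4624-style logon records (not real telemetry):
# (timestamp, account, target host, source host, logon type)
SAMPLE_LOGONS = [
    ("2024-07-01T02:14:05", "CORP\\svc-backup", "fs-01", "ws-17", 10),
    ("2024-07-01T02:15:40", "CORP\\svc-backup", "fs-02", "ws-17", 3),
    ("2024-07-01T02:16:12", "CORP\\svc-backup", "dc-01", "ws-17", 3),
    ("2024-07-01T02:17:50", "CORP\\svc-backup", "app-03", "ws-17", 10),
    ("2024-07-01T09:00:00", "CORP\\a.smith", "fs-01", "ws-22", 3),
    ("2024-07-01T09:30:00", "CORP\\a.smith", "fs-01", "ws-22", 3),
    ("2024-07-01T11:20:00", "CORP\\j.doe", "ws-05", "ws-17", 10),
    ("2024-07-01T14:05:00", "CORP\\admin-ops", "fs-02", "jump-01", 10),
    ("2024-07-01T14:06:00", "CORP\\admin-ops", "fs-02", "jump-01", 2),
]


def remote_logons(logons):
    """Parse timestamps and keep only the logon types that imply a remote session."""
    for ts, account, target, source, ltype in logons:
        if ltype in REMOTE_LOGON_TYPES:
            yield datetime.fromisoformat(ts), account, target, source, ltype


def fan_out(logons, window_minutes=10, threshold=3):
    """Accounts that reach >= threshold distinct hosts within a sliding window.

    Returns (account, window start ISO time, sorted hosts), one row per account.
    """
    window = timedelta(minutes=window_minutes)
    by_account = defaultdict(list)
    for ts, account, target, _source, _ltype in remote_logons(logons):
        by_account[account].append((ts, target))
    results = []
    for account, rows in by_account.items():
        rows.sort()
        for i, (start, _) in enumerate(rows):
            hosts = {t for ts, t in rows[i:] if ts - start <= window}
            if len(hosts) >= threshold:
                results.append((account, start.isoformat(), sorted(hosts)))
                break  # one alert per account is enough for triage
    return results


def peer_rdp(logons, workstation_prefix="ws-"):
    """RDP sessions from one workstation straight to another, which normal
    admin workflow (through a jump host) should not produce."""
    return [
        (account, source, target)
        for _ts, account, target, source, ltype in remote_logons(logons)
        if ltype == 10
        and source.startswith(workstation_prefix)
        and target.startswith(workstation_prefix)
    ]


if __name__ == "__main__":
    print("fan-out:", fan_out(SAMPLE_LOGONS))
    print("peer RDP:", peer_rdp(SAMPLE_LOGONS))
```

The backup service account touching four servers in under four minutes from a workstation is the fan-out pattern; the interactive logon (type 2) for admin-ops is ignored because it is local; the a.smith repeats to one file server are normal and never cross the threshold. Tuning the window and threshold to the environment's baseline is what separates a usable rule from a noisy one.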

Secretly stealing your sensitive data

Before deploying ransomware, attackers often exfiltrate sensitive data. The data exfiltration phase involves transferring valuable information out of the compromised environment to an external location controlled by the attackers.

Stolen data can include personal information, financial records, intellectual property, and other critical assets. By exfiltrating data, attackers increase their leverage over the victim, as they can threaten to release the data publicly if the ransom is not paid.

Ransomware attacks have surged, becoming one of the most common threats to cybersecurity.

When ransomware strikes

The final stage of a ransomware attack is the impact phase, where the ransomware is deployed to encrypt data and render systems inoperable. The encryption process locks the victim’s files, making them inaccessible until the ransom is paid. Attackers then demand payment in exchange for the decryption key, creating a sense of urgency and panic.

Key lessons from Cisco Talos’ ransomware report

The Cisco Talos report highlights the sophisticated methods used by modern ransomware groups and the necessity of stringent security measures to counter these threats.

Ransomware attacks are becoming more frequent and sophisticated, making it essential for organizations to adopt robust cybersecurity strategies. Implementing the recommended mitigation strategies, such as patch management, strong password policies, system hardening, network segmentation, continuous monitoring, limiting privileges, and reducing IT exposure, can significantly improve an organization’s defenses.

These measures are key to protecting systems and data from the growing ransomware threat and ensuring the continuity of business operations.

Alexander Procter

July 30, 2024