Mandiant report reveals ransomware surge & evolving tactics

Mandiant has observed a significant resurgence in ransomware activities during 2023, following a slight decline in the previous year. According to the firm's latest report, ransomware-related posts on data leak sites surged by 75%, and the volume of ransomware investigations led by Mandiant itself saw a more than 20% increase.

The report identifies over 50 new ransomware families and variants, with approximately one-third of these being variants of existing families. This suggests that cybercriminals may be focusing their efforts on updating pre-existing ransomware rather than creating new variants from scratch.

One notable trend is that attackers increasingly used commercially available and legitimate tools to carry out intrusions. While there was a noted decline in the use of Cobalt Strike BEACON, an increase in the use of legitimate remote access tools was observed. This shift in tactics indicates a move towards tools that are less likely to raise immediate suspicions among targets.

Interestingly, in nearly one-third of ransomware incidents, the malware was deployed within 48 hours of the initial access. Furthermore, 76% of these deployments took place outside standard work hours, primarily during the early morning. This tactic aims to exploit times when organisational defences might be less vigilant.

The global impact of ransomware in 2023 has been considerable, with victims spread across more than 110 countries and various sectors. Mandiant also reported new and innovative methods employed by ransomware operators. For example, ALPHV operators developed a searchable victim data website and even filed a complaint with the SEC against one of their victims. Such novel approaches underline the adaptability and persistent threat these cybercriminals pose.

Ransomware has proven to be highly profitable, with 2023 seeing over USD $1 billion paid to attackers. This resurgence follows a tumultuous 2022, marked by geopolitical events and internal disruptions among cybercriminal factions. The year 2023 also saw the highest volume of posts on shaming sites since these sites began being tracked in Q1 2020. Notably, Q3 2023 broke the quarterly record with over 1,300 posts.

Approximately 30% of posts on newly identified data leak sites (DLS) were associated with various ransomware families, including ROYALLOCKER.BLACKSUIT, RHYSIDA, and REDBIKE (also known as Akira). Limited overlaps were identified between some top new DLS and previously observed ransomware families, suggesting that some of the activity might stem from established threat actors forming new alliances or rebranding rather than creating entirely new offerings.

Mandiant's analysis also noted a slight shift in the timing of ransomware deployment. While a high volume of these activities continued to occur outside of business hours, the execution appeared to be more evenly distributed across the days of the week compared to prior years. About 15% of incidents in 2023 involved ransomware being deployed within one day of initial attacker access, and almost one-third were deployed within the first 48 hours.

The most common vectors for initial access in 2023 involved the use of stolen credentials or the exploitation of vulnerabilities in public-facing infrastructure. This highlights the critical importance of robust security measures and vulnerability management plans for organisations worldwide.

As the ransomware landscape continues to evolve, organisations are urged to remain vigilant and adopt comprehensive cybersecurity strategies to thwart these increasingly sophisticated attacks. Mandiant's findings underscore the persistent and pervasive nature of the ransomware threat as it continues to adapt to overcome defensive measures.