Ransomware attacks register record speeds thanks to success of infosec industry

The time taken by cyber attackers between gaining an initial foothold in a victim’s environment and deploying ransomware has fallen to 24 hours, according to a study.

In nearly two-thirds of cases analysed by Secureworks’ researchers, cybercriminals were deploying ransomware within a day, and in more than 10 percent of incidents it was deployed within five hours.

This average dwell time has dropped significantly in 2023, down from 4.5 days in 2022 and 5.5 days the year before that.

The findings remained consistent across the year’s incidents, researchers noted, not being influenced by specific ransomware variants of cybercrime groups.

Dwell times in some cases were longer when data exfiltration occurred before ransomware was deployed – a double extortion scenario.

However, this wasn’t true in every case, and as Microsoft revealed last week in its annual threat intelligence report, double extortion events accounted for just 13 percent of ransomware incidents in the past year.

Secureworks said that ransomware attacks are being carried out with less complexity than in years gone by, with the days of organization-wide encryption incidents becoming increasingly more difficult to pull off.

“The cybersecurity industry is undoubtedly getting better at detecting the activity that has historically preceded ransomware, such as the use of offensive security toolkits like Cobalt Strike,” Secureworks said in its “State of The Threat Report.” 

“This may be a factor in forcing ransomware operators to work more quickly.”

As detection technologies become more effective, cybercriminals are naturally forced to adapt to a changing defensive landscape, having to complete their attacks faster.

Secureworks’ experts also said the popularity of the ransomware-as-a-service (RaaS) model could also provide an explanation for shorter attacks. 

With effective ransomware payloads, complete with easy-to-follow instructions for affiliates to use them, the RaaS model makes executing attacks possible for even the least-skilled criminals.

This lowering of the barrier to enter the ransomware market as an affiliate has led to an increase in attacks overall, and June broke the single-month record for ransomware attacks thanks to Cl0p’s exploitation of vulnerabilities in MOVEit MFT.

Although the overall number of attacks has risen following a brief slowdown in 2022, criminals are resorting to less-complex attacks in favor of greater volume.

LockBit has enjoyed the greatest share of success among the RaaS operators this year, exploiting its notoriety to get its kit in the hands of what Secureworks calls a “broad and loosely managed pool of affiliates”.

This approach has cemented it as the year’s most prolific ransomware group, registering nearly three times as many attacks as the next gang, BlackCat.

Initial access drivers

Three main access vectors have been identified as those that facilitate the early stages of attacks in the majority of cases.

Cybercriminals are using vulnerability-scanning tools and stolen credentials in equal measure to gain an initial foothold in their targets’ networks. Each method facilitated the initial intrusion in 32 percent of ransomware attacks over the past year.

“Despite much hype around ChatGPT and AI style attacks, the two highest-profile attacks of 2023 thus far were the result of unpatched infrastructure,” said Don Smith, VP threat intelligence at Secureworks Counter Threat Unit. 

“At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype.”

• Chinese smart TV boxes infected with malware in PEACHPIT ad fraud campaign
• CDW data to be leaked next week after negotiations with LockBit break down
• MGM Resorts attackers hit personal data jackpot, but house lost $100M
• BYOD should stand for bring your own disaster, according to Microsoft ransomware data

Using stolen credentials as an initial access vector (IAV) was largely attributed to the steep rise in infostealer activity from the past year.

Researchers noted that the logs generated by infostealers thrive on marketplaces, with total yearly listings on Russian Market rising to more than 7 million, significantly up from the previous year’s 2.9 million.

Malware distributed via phishing emails was also still a highly useful tactic for criminals launching fast attacks, facilitating 14 percent of initial intrusions and completing the top three IAVs.

In several cases investigated by the researchers, an email that dropped Qakbot malware in the first instance then installed the oft-abused pentesting tool Cobalt Strike which criminals subsequently used to deploy Black Basta ransomware.

These incidents saw criminals use malware to gain an initial foothold, steal data, and deploy ransomware all in under 24 hours. ®