Cybercriminals can go from click to compromise in less than a day
The median dwell time in ransomware engagements dropped to just under 24 hours from 4.5 days in the previous year and 5.5 days in the year before that, according to SecureWorks. In 10% of cases, ransomware was even deployed within five hours of initial access.
Outdated vulnerabilities still a prime target for cyberattacks
“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high-profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace,” Smith continued.
While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on “name and shame” leak sites. The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
The exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the reporting period.
The same threat groups continued to dominate in 2023 as in 2022. GOLD MYSTIC’s LockBit remains the head of the pack, with nearly three times the number of victims as the next most active group, BlackCat, operated by GOLD BLAZER.
Alarming surge in ransomware victims
New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023. 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit. Analysis shows that some of the victims go back as far as mid 2022, although they were dumped at the same time.
MalasLocker’s attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May. The report examines what leak site activity reveals about ransomware attack success rates — it’s not as straightforward as it seems.
The report also reveals that monthly victim numbers from April-July 2023 were the most prolific since name and shame emerged in 2019. The highest number of monthly victims was posted to leak sites in May 2023 with 600 victims, three times as many as in May 2022.
The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit (32%), stolen credentials (32%) and commodity malware via phishing emails (14%).
Scan-and-exploit involves the identification of vulnerable systems, potentially via a search engine like Shodan or a vulnerability scanner, and then attempting to compromise them with a specific exploit. Within the top 12 most commonly exploited vulnerabilities, 58% have CVE dates of earlier than 2022. One (CVE-2018-13379) also made the top 15 most routinely exploited list in 2021 and 2020.
“Despite much hype around ChatGPT and AI-style attacks, the two highest-profile attacks of 2023 thus far were the result of unpatched infrastructure. At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype,” Smith continued.
Nation-state attackers started to diversify tactics
The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. Geopolitics remains the primary driver for state-sponsored threat groups across the board.
China: China has shifted part of its attention to Eastern Europe, while also maintaining a focus on Taiwan and other near neighbors. It displays a growing emphasis on stealthy tradecraft in cyberespionage attacks — a change from its previous “smash-and-grab” reputation. The use of commercial tools like Cobalt Strike, as well as Chinese open-source tooling, minimizes risk of attribution and blends with activity from post-intrusion ransomware groups.
Iran: Iran remains focused on dissident activity, on hindering progress on the Abraham Accords, and on Western intentions towards renegotiations of nuclear accords. Iran’s main intelligence services — the Ministry of Intelligence and Security (MOIS or VAJA) and the Islamic Revolutionary Guard Corp (IRGC) — both use a network of contractors to support offensive cyber strategies. The use of personas (impersonating real people or fake created people) is a key tactic across Iranian threat groups.
Russia: The war in Ukraine remained the focus for Russian activity. This falls into two camps; cyberespionage and disruption. This year has seen an increase in the amount of patriotic-minded cyber groups targeting organizations considered adversaries of Russia. For gangs, Telegram is the social media/messaging platform of choice for recruitment, targeting and celebrations of success. The malicious use of trusted third-party cloud services is frequently incorporated into Russian threat group operations.
North Korea: North Korea threat groups fall into two groups: cyber espionage and revenue generation for the isolated regime. AppleJeus has been a fundamental tool for North Korea’s financial theft initiatives, and according to Elliptic, North Korean threat groups have stolen $2.3 billion in crypto assets between May 2017 and May 2023 (30% of this from Japan).