With ransomware whales becoming so dominant, would-be challengers ask ‘what’s the point?’

The number of new ransomware strains in circulation has more than halved over the past 12 months, suggesting there is little need for innovation given the success of the existing tools used by top gangs.

Only 43 new ransomware families were observed in 2023, according to Rapid7’s research published today, a stark decrease from 95 the previous year.

Christiaan Beek, senior director of threat analytics at Rapid7, told The Register: “The reduction in the number of ransomware families likely reflects a combination of matured and effective existing ransomware capabilities, stable and profitable attack strategies, and possibly improved but not foolproof defensive measures. 

“Where initial ransomware was focused on encrypting the entire endpoint, today it is more focused on business-critical systems that store data like network shares and, for example, virtual machine clusters. Exfiltrating the data first, then deploying ransomware is the major shift we have observed.”

The vendor’s report concludes that nearly 5,600 ransomware attacks were carried out between January 2023 and February 2024, the period covered by the report’s data. The true number, however, is likely to be significantly higher, since so many attacks go unreported.

Those who keep tabs on ransomware news won’t be surprised to hear that LockBit 3.0, or LockBit Black if you prefer, was the dominant family of the year. It has been among the most prolific cybercriminal operations for the past four years and remained so until law enforcement’s recent disruption efforts.

ALPHV/BlackCat was right up there too, until police disrupted it as well and it pulled a final exit scam after collecting a pretty penny from Change Healthcare. BianLian, Play, Medusa, and Black Basta made up the rest of the year’s most successful gangs.

How do they even get in?

All of that is fairly common knowledge, but what’s perhaps more useful for defenders is knowing how they gain an initial foothold. 

Rapid7’s telemetry indicates that exploiting vulnerabilities in public-facing applications and getting hold of a valid account are the two most common ways ransomware attacks begin. Apply patches and deploy MFA – the same old advice still stands.

And for those wondering whether these miscreants have moved away from encrypting files, given the success of Cl0p’s MOVEit MFT attack: it’s bad news. The “vast majority” of incidents still involve encryption. The MOVEit campaign has claimed 2,771 victims so far, according to Emsisoft’s tracker, but such pure-extortion attacks made up only a small share of ransomware-related incidents overall, despite their scale.

Do your MFA rollout properly

Without trying to labor the point, deploying MFA is really important, if you can believe it. Last year, missing or unenforced MFA was the single most common initial access vector across all kinds of attacks, ransomware included, featuring in 41 percent of cases.

Vulnerability exploits accounted for 30 percent of intrusions, and social engineering methods such as phishing for 12 percent, Rapid7 said.

So, the advice for defending against the majority of ransomware and every other kind of attack is much the same: deploy MFA effectively and patch vulnerabilities quickly, and most attacks will be prevented before they start.

Sounds simple enough, but Caitlin Condon, director of vulnerability intelligence at Rapid7, said the problem is not that orgs fail to deploy MFA; it’s that they don’t enforce it strictly enough.

“Effective MFA is enforced MFA. One of the things our incident response team has found on engagements is that some affected orgs have implemented MFA, but they aren’t enforcing it properly.

“If you have MFA set up but a quarter of your organization is in an MFA bypass group, that security mechanism is not having the intended effect. In other places, the wheels of security change just move slowly; unfortunately, adversaries have a way of prioritizing security measures for businesses if those businesses aren’t able to prioritize security themselves. We have also seen upticks in attack techniques like MFA push fraud that are aimed at social engineering employees into giving attackers access to systems with MFA enabled.”
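Condon’s point about bypass groups is easy to check mechanically. What follows is an added example, not code from Rapid7 or The Register: it takes a conditional access policy export (the dictionaries follow the shape of Microsoft Entra ID’s conditional access policy JSON, but every user, group and policy here is constructed sample data) and reports which users no enabled, MFA-requiring policy actually reaches, attributing each gap to the exclusion group or report-only policy responsible.

```python
"""Audit which users an enforced MFA requirement actually reaches.

Added example, not code from Rapid7 or The Register. The policy dictionaries
mimic the Microsoft Entra ID conditional access policy JSON shape; the users,
groups and policies themselves are constructed sample data.
"""
import json

REPORT_ONLY = "enabledForReportingButNotEnforced"  # logs sign-ins, never blocks

# Constructed directory export: user principal name -> set of group ids.
USERS = {
    "alice@example.test": {"g-staff"},
    "bob@example.test": {"g-staff", "g-mfa-bypass"},
    "carol@example.test": {"g-staff", "g-mfa-bypass"},
    "dave@example.test": {"g-contractors"},
    "erin@example.test": {"g-staff", "g-admins"},
    "frank@example.test": {"g-staff"},
    "grace@example.test": {"g-staff"},
    "heidi@example.test": {"g-contractors"},
}

# Constructed policies. Only the first one enforces MFA on anyone.
POLICIES = [
    {
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {"users": {
            "includeUsers": ["All"], "excludeUsers": [], "includeGroups": [],
            "excludeGroups": ["g-mfa-bypass", "g-contractors"],
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
    {
        "displayName": "Require MFA for contractors",
        "state": REPORT_ONLY,
        "conditions": {"users": {
            "includeUsers": [], "excludeUsers": [],
            "includeGroups": ["g-contractors"], "excludeGroups": [],
        }},
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def grant_controls(policy):
    return policy.get("grantControls", {}).get("builtInControls", [])


def enforces_mfa(policy):
    """True only for an enabled policy whose grant control demands MFA.
    Disabled and report-only policies produce sign-in logs, not enforcement."""
    return policy.get("state") == "enabled" and "mfa" in grant_controls(policy)


def applies_to(policy, upn, groups):
    """Scope check: included via 'All', by name or by group, and exclusions
    win over inclusions (the Entra ID rule)."""
    scope = policy["conditions"]["users"]
    included = ("All" in scope.get("includeUsers", [])
                or upn in scope.get("includeUsers", [])
                or bool(groups & set(scope.get("includeGroups", []))))
    excluded = (upn in scope.get("excludeUsers", [])
                or bool(groups & set(scope.get("excludeGroups", []))))
    return included and not excluded


def audit(users, policies):
    """Coverage figures, the users no enforced MFA policy reaches, and the
    exclusion groups and report-only policies responsible for the gaps."""
    enforcing = [p for p in policies if enforces_mfa(p)]
    covered = {u for u, g in users.items()
               if any(applies_to(p, u, g) for p in enforcing)}
    uncovered = sorted(set(users) - covered)

    # Attribute uncovered users to the exclusion group(s) that carved the hole.
    exclusion_groups = {}
    for p in enforcing:
        for grp in p["conditions"]["users"].get("excludeGroups", []):
            members = [u for u in uncovered if grp in users[u]]
            if members:
                exclusion_groups[grp] = members

    report_only = [p["displayName"] for p in policies
                   if p.get("state") == REPORT_ONLY and "mfa" in grant_controls(p)]

    return {
        "total": len(users),
        "covered": len(covered),
        "coverage_pct": round(100.0 * len(covered) / len(users), 1) if users else 0.0,
        "uncovered": uncovered,
        "exclusion_groups": exclusion_groups,
        "report_only_mfa_policies": report_only,
    }


if __name__ == "__main__":
    print(json.dumps(audit(USERS, POLICIES), indent=2))
```

On the sample data half the directory is uncovered: two users sit in the bypass group and two contractors are carved out of the only enforced policy, while the policy meant to cover contractors is still in report-only mode. Run against a real export the same two rules do the work: exclusions override inclusions, and a disabled or report-only policy counts for nothing.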

And while promptly applying security patches will in most cases protect an organization from vulnerability exploits, no patch exists for a zero day, and the volume of zero-day-enabled attacks last year nearly matched the all-time peak of 2021.

Zero-day exploitation was responsible for more mass compromise events last year than n-day vulnerabilities (n-days are bugs that have already been publicly disclosed and are known to the vendor, so a fix is usually available). It’s the second time in three years this has been the case, and Condon says this could be attributed to the funds available to cybercrime groups.

“Cybercrime is profitable, and like any financial ecosystem, the demand for new zero-day exploits incentivizes their development,” she said. “Rapid7 regularly sees dark web postings soliciting new zero-day exploits for popular technologies such as enterprise VPNs for $100K+. A ransomware group that’s pulling in eight figures or more from orchestrated global attack campaigns can afford to buy or commission plenty of bespoke new zero-day exploits.”

Zero days were especially prevalent in network and security appliances, which accounted for 60 percent of the zero-day vulnerabilities in the report’s dataset for 2023.

The data also suggests attackers are increasingly turning to network edge devices as a launch point for their attacks. Exploitation of such devices almost doubled last year, with 36 percent of all widely exploited bugs found in network perimeter devices.

“Attackers of all stripes and motivations have incentive to target these devices, and ransomware groups and state-sponsored adversaries have both shown strong interest in n-day and zero-day exploit opportunities in these systems,” the report reads. ®