Microsoft says more ransomware stopped before reaching encryption

October 15, 2024 TH Author

Microsoft says ransomware attacks are up 2.75 times compared to last year, but claims defenses are actually working better than ever.

Ransomware continues to be a popular method among cybercrims given how lucrative a single success can be. However, according to data from today’s Microsoft Digital Defense Report (MDDR), the number of raids that reach the encryption phase has decreased threefold over the last two years.

The report attributes this positive downward trend to automatic attack detection and disruption, meaning the security solutions organizations pay for are stymieing ransomware strikes before they can deal the most damage.

As we know, the most common model for ransomware is double extortion, whereby an assailant gains an initial foothold in the victim’s network, steals some data, encrypts files, and holds it all to ransom.

The finding suggests that defenses are getting much better at stopping criminals during crucial stages of their operations. For the vast majority (90 percent) that reach the ransom stage, Microsoft said that cyber baddies had taken advantage of unmanaged devices in the network either to gain initial access or carry out remote encryption of assets. Something for defenders to consider.

As for what’s doing all that encryption, Akira was the top ransomware variant of choice for cybercrime in the past year, sweeping up 17 percent of attacks. Closely followed in second place was LockBit with 15 percent, then Play with 7 percent, and ALPHV/BlackCat and Black Basta with 6 percent each.

Exploiting vulnerabilities with severity ratings of CVSS 8 and above is one of the leading causes of intrusions. However, social engineering techniques continue to be the most prevalent initial access vectors for ransomware, Microsoft says in the report.

Social engineering remains a constant threat

The wider adoption of multi-factor authentication (MFA) is helping to significantly drive down password-based attacks and intrusions, but perpetrators are still finding various ways to bypass it.

Social engineering techniques are still highly effective and given the human element on which they rely, technology alone can’t mitigate them entirely.

The English-speaking Octo Tempest crew, aka Scattered Spider/0ktapus, is known for highly effective, well-researched phishing tactics that allow members to schmooze their way around MFA, getting employees to approve it on their behalf, or even the IT helpdesk to kickstart a password reset, for example.

Microsoft notes a 146 percent rise in this kind of activity, known as adversary-in-the-middle attacks. Once MFA is approved, the main line of defense is down and cybercriminals are then free to carry out the business end of their assaults.

Russia’s Midnight Blizzard, aka Nobelium, took a slightly different approach earlier this year. It was able to bypass 2FA protection by impersonating Microsoft Security through Teams tenants that allowed messages from outside organizations, sending links to users that harvested their credentials, before convincing them to provide 2FA codes.

Octo Tempest’s phishing skills also enable SIM swapping, allowing members to gain access to MFA-protected user accounts before raining down ransomware.

“Once the actor has control of the victim’s SIM, they can receive MFA codes and one-time passcodes,” Microsoft’s report reads.

“Operational security on the part of individuals is crucial in preventing this kind of attack. Individuals should monitor their online footprint to see what information is publicly available about them that a threat actor could use to impersonate them.”

So, to mitigate the human element of cybercrime as much as possible, the prevalent recommendation right now is to go passwordless and opt for phishing-resistant passkeys instead.

Microsoft opened up the technology to all users earlier this year, having previously restricted it to paying commercial customers. It essentially means that in order to gain access to an account or service, a cybercrim would need access to a user’s physical device plus whatever extra protection they set up for that, be it a PIN, face scan, fingerprint, or something else.

The idea is that it’s more secure than having to remember a password and it would eliminate the possibility of being socially engineered to enter valid credentials in an attacker-controlled website, for example.

Away from authentication bypass methods, baddies are still exploiting weak spots in software and more recently cloud environments.

A recent PwC report noted that cloud security is at the top of business leaders’ fears, and Microsoft says in today’s report that compromising cloud identities is becoming more common after once being considered a possibility only for the most sophisticated groups.

Octo Tempest is among the leading groups threatening cloud environments, along with the emerging crews Storm-0539 and Storm-0501.

“In Octo Tempest cloud attacks identified by Microsoft Threat Intelligence, this prolific threat actor targeted federated identity providers using tools like AADInternals to federate domains,” Microsoft researchers write.

“The actor then used the newly federated identity provider to sign in as a valid user. Similarly, in March 2024, ransomware threat actor Storm-0501 attacked Azure environments using the AADInternals tool to federate attacker-owned domains within compromised tenants, using the newly federated identity provider to sign into additional valid accounts.”

Microsoft recommends rolling out MFA to prevent these kinds of barrages, and blocking legacy authentication methods while you’re at it. Getting a proper handle on which accounts have access to any given service is a good idea too, since criminals often exploit the mismanagement of privileges to target accounts with access to the assets they want. ®