Ransomware attacks escalated in 2023, driven by exploited vulnerabilities and pilfered user credentials
Ransomware attacks in 2023 have shown a concerning trend, with threat actors increasingly leveraging legitimate remote access and remote monitoring and management (RMM) tools to gain, and stealthily maintain, persistent access to enterprise networks.
According to a report released by Mandiant on Monday, ransomware activity surged last year, with the number of incidents investigated by Mandiant increasing by 20% compared to the previous year. The report also indicates a shift towards using known vulnerabilities and legitimate tools by attackers, potentially evading detection mechanisms.
Most initial access vectors for ransomware attacks in 2023 involved stolen credentials or exploited vulnerabilities in public-facing infrastructure. In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments. This trend suggests a collective failure across the industry to reduce ransomware attacks.
Attackers are using various methods to abuse these legitimate tools. Initial access can be gained via phishing or social engineering, with attackers sending phishing emails that impersonate IT support to trick victims into launching remote access tools such as Quick Assist or AnyDesk. Techniques like the "ClickFix" social engineering trick, in which users are coaxed into running a payload after being told that doing so will fix a device issue, have also been observed.
Once inside, attackers abuse trusted RMM software for remote control, script execution, file transfers, and establishing persistence. They also exploit unpatched flaws in these tools to perform remote code execution, privilege escalation, and information disclosure, enabling lateral movement between providers and their downstream victims.
To protect against such attacks, enterprises must bolster access control, patch management, user awareness, and monitoring around these tools. Implementing strict access controls and monitoring on RMM tools, limiting administrative access, enforcing multi-factor authentication, and monitoring for unusual activity patterns in legitimate remote access tool usage are essential measures.
Patching all RMM and remote access software promptly, to close the known vulnerabilities attackers exploit, is another crucial step. Enhancing email security and user training is also recommended: deploying phishing detection and running user awareness programmes about social engineering and deceptive techniques such as ClickFix.
Monitoring PowerShell and script execution with robust logging and alerting, and alerting on suspicious persistence techniques or deletion of logs, is also essential. Other effective strategies include using network segmentation and least privilege to restrict lateral movement opportunities; deploying Endpoint Detection and Response (EDR) and behaviour analytics to detect abnormal activity involving the remote tools and file transfer utilities often abused in these attacks; and regularly auditing and reviewing accounts and sessions for signs of unauthorised remote access.
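As an added illustration of the monitoring the paragraphs above call for (example code written for this page, not from Mandiant or the article), the following runs a few simple detections over constructed Windows Security process-creation (4688) and log-cleared (1102) events: an RMM binary launched on a host outside a constructed helpdesk allowlist, PowerShell run with an encoded command, a hidden PowerShell window spawned from explorer.exe (the shape a ClickFix-style paste into the Run box leaves behind), and clearing of the Security log. The binary list, allowlist and sample events are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Remote access / RMM executables the article names plus two other common ones;
# an illustrative list, not an exhaustive one.
RMM_BINARIES = {"anydesk.exe", "quickassist.exe", "teamviewer.exe", "screenconnect.exe"}
RMM_ALLOWED_HOSTS = {"helpdesk-01", "helpdesk-02"}  # constructed: hosts where helpdesk runs RMM
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)
LOG_CLEARED, PROCESS_CREATED = 1102, 4688  # Windows Security event IDs

@dataclass
class Event:
    host: str
    user: str
    event_id: int
    image: str = ""    # NewProcessName
    cmdline: str = ""  # CommandLine
    parent: str = ""   # ParentProcessName

def check_event(ev):
    """Return the names of the detections that fire on one event."""
    hits = []
    if ev.event_id == LOG_CLEARED:
        hits.append("security-log-cleared")
    if ev.event_id != PROCESS_CREATED:
        return hits
    name, parent = (p.rsplit("\\", 1)[-1].lower() for p in (ev.image, ev.parent))
    if name in RMM_BINARIES and ev.host.lower() not in RMM_ALLOWED_HOSTS:
        hits.append(f"rmm-tool-on-unexpected-host:{name}")
    if name in ("powershell.exe", "pwsh.exe"):
        if ENCODED_FLAG.search(ev.cmdline):
            hits.append("powershell-encoded-command")
        # ClickFix-style lures have the user paste a command into the Run box,
        # so the shell's parent is explorer.exe rather than a script host.
        if parent == "explorer.exe" and "-w hidden" in ev.cmdline.lower():
            hits.append("powershell-hidden-from-explorer")
    return hits

def scan(events):
    """Map each (host, user) that produced findings to the detections fired."""
    return {(e.host, e.user): h for e in events if (h := check_event(e))}

# Constructed sample events, not real telemetry; the encoded blob is a placeholder.
SAMPLE = [
    Event("helpdesk-01", "svc_helpdesk", 4688, r"C:\Program Files\AnyDesk\anydesk.exe"),
    Event("ws-finance-07", "jdoe", 4688, r"C:\Users\jdoe\Downloads\anydesk.exe"),
    Event("ws-hr-03", "asmith", 4688, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell -w hidden -enc UABsAGEAYwBlAGgAbwBsAGQAZQByAA==", r"C:\Windows\explorer.exe"),
    Event("dc-01", "jdoe", 1102),
]
```

In production the allowlist would come from the RMM tool's own session records and the events from a SIEM or EDR feed; the point here is that each of these signals is cheap to check once process creation and audit-log events are actually being collected.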
The damage caused by ransomware attacks is significant for businesses and individuals. In 2023, Mandiant conducted a record number of ransomware incident response investigations, with the number of posts on data leak sites surging to more than 1,300 in the third quarter, setting a quarterly record. Threat groups use data leak sites to make claims and ramp up pressure on alleged victims, with the alleged victim organizations named on data leak sites spanning more than 110 countries last year.
As the threat landscape evolves, it is crucial for organisations to stay vigilant and proactive in their cybersecurity measures. By implementing the recommended mitigation approaches, enterprises can better protect themselves against these evolving threats.
- As ransomware activity surged in 2023, it became clear that threat actors are increasingly using known vulnerabilities and legitimate tools, potentially evading detection mechanisms, as seen in the incident response investigations conducted by Mandiant.
- In light of this, enterprises must bolster their security posture through measures such as patching RMM and remote access software promptly, enhancing email security, and implementing strict access controls and monitoring on these tools to combat these stealthy ransomware attacks.
- In the face of evolving ransomware threats, it is vital for organisations to deploy Endpoint Detection and Response (EDR) and behaviour analytics, monitor PowerShell and script execution, and use network segmentation to restrict lateral movement opportunities, reducing the industry's collective exposure to such attacks.