Microsoft reports that over 100 threat actors use ransomware in their campaigns

(Image credit: iStock)

Microsoft announced on 31st January 2023 that its security teams are tracking over 100 threat actors who use ransomware during cyberattacks. According to the corporation, it was monitoring over 50 active ransomware families as of the end of last year. "Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal," according to Microsoft.

"Defense tactics, on the other hand, should focus less on payloads and more on the sequence of events that lead to their deployment," because ransomware gangs continue to target servers and devices that have not yet been patched against common or recently resolved vulnerabilities.

Furthermore, while new ransomware families emerge regularly, most threat actors employ the same strategies when infiltrating and propagating across networks, which makes recognising that behaviour far more effective for blocking their attacks.

According to Redmond, attackers are increasingly relying on methods other than phishing to carry out their attacks, with threat actors such as DEV-0671 and DEV-0882 exploiting recently patched Exchange Server vulnerabilities to penetrate susceptible systems and spread Cuba and Play ransomware.

Last week the Exchange team recommended that administrators apply the most recent supported Cumulative Update (CU) to secure on-premises Exchange servers and keep them ready to install an emergency security update.

Over 60,000 Internet-exposed Exchange servers are still vulnerable to ProxyNotShell RCE attacks. At the same time, thousands more remain unprotected against attacks based on the ProxyShell and ProxyLogon vulnerabilities, which were two of the most exploited security issues of 2021.

Other ransomware operators are also shifting to or employing malvertising to deliver malware loaders and downloaders that aid in the distribution of ransomware and other malware strains such as information stealers.

For example, a threat actor known as DEV-0569, which is thought to be an initial access broker for ransomware gangs, is now leveraging Google Ads in large-scale advertising campaigns to disseminate malware, steal credentials from infected computers, and eventually gain access to enterprise networks. It either exploits this access in its own attacks or sells it to other malicious actors, such as the Royal ransomware gang.

The end of the Conti cybercrime operation last year coincided with the advent of new ransomware-as-a-service (RaaS) operations such as Royal, Play, and BlackBasta.

Meanwhile, LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware attackers continued to hack and extort victims throughout 2022. Nonetheless, ransomware gangs suffered a 40% decline in revenue last year, only extorting $456.8 million from victims through 2022, down from a record-breaking $765 million the previous two years, according to blockchain analytics company Chainalysis. This large decrease, however, was caused not by fewer attacks, but by their victims' refusal to pay the attackers' ransom demands.

This year has started with a huge triumph against ransomware gangs: the Hive ransomware data leak site and Tor payment site were raided as part of an international law enforcement operation involving the US Department of Justice, the FBI, the Secret Service, and Europol.

The FBI gained access to Hive communication data, malware file hashes, and details on 250 Hive affiliates after breaking into Hive's servers, and distributed over 1,300 decryption keys to Hive victims. On the same day, the United States State Department offered up to $10 million for any information that could lead to the identification of the Hive ransomware group (or other threat actors) and foreign governments.
