Over 100 threat actors deploy ransomware in attacks

Over 100 threat actors deploy ransomware in attacks

Microsoft revealed today that its security teams are tracking more than 100 malicious actors deploying ransomware in attacks. In total, the company says it monitors more than 50 unique ransomware families that were actively used through the end of last year.

“Some of the most prominent ransomware payloads from recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal,” Microsoft said.

“Defense strategies, however, should focus less on payloads and more on the chain of activities that lead to their deployment,” as ransomware gangs still target servers and devices that are not yet patched against common or recently patched vulnerabilities.

Additionally, while new ransomware families are released all the time, most threat actors use the same tactics as they penetrate and spread through networks, making the effort to detect these behaviors even more useful in thwarting their attacks.

As Redmond added, attackers are increasingly relying on tactics beyond phishing to carry out their attacks, with threat actors, such as DEV-0671 and DEV-0882, capitalizing on vulnerabilities. of Exchange Server recently patched to hack vulnerable servers and deploy Cuba and Play ransomware.

Last week, the Exchange team urged administrators to deploy the latest supported Cumulative Update (CU) to secure on-premises Exchange servers and make them always ready to install an emergency security update.

More than 60,000 Exchange servers exposed to the Internet are still vulnerable to attacks using ProxyNotShell RCE exploits. At the same time, thousands of people are still waiting to be protected against attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited security flaws of 2021.

Other ransomware actors also turn to or use malicious advertising to provide malware loaders and downloaders that help push ransomware and various other strains of malware, such as infostealers.

For example, a malicious actor tracked as DEV-0569, believed to be an initial access broker for ransomware gangs, is now abusing Google Ads in large-scale ad campaigns to distribute malware, steal words infected devices and ultimately gain access to corporate networks.

They use this access as part of their attacks or resell it to other malicious actors, including the Royal ransomware gang.

The ransomware-as-a-service (RaaS) ecosystem continues to evolve and grow with many players bringing varying techniques, goals, and skill sets. As of the end of 2022, Microsoft is tracking over 50 unique active ransomware families and over 100 malicious actors using ransomware in attacks.

— Microsoft Security Intelligence (@MsftSecIntel) January 31, 2023

Last year saw the end of cybercrime operation Conti and the rise of new ransomware-as-a-service (RaaS) operations, including Royal, Play and BlackBasta.

Meanwhile, ransomware operators LockBit, Hive, Cuba, BlackCat and Ragnar continued to rape and try to extort a steady stream of victims throughout 2022.

Nonetheless, ransomware gangs saw a massive drop in revenue of around 40% in the last year, as they were only able to extort around $456.8 million from victims throughout 2022, after a record high of $765 million in the previous two years, according to blockchain analytics firm Chainalysis.

However, this significant drop was not caused by fewer attacks, but by their victims’ refusal to pay the attackers’ ransom demands.

This year started with a big victory against ransomware groups after the Hive ransomware data leak and dark Tor payment websites were seized in an international law enforcement operation involving the US Department of Justice, the FBI, the secret services and Europol.

After hacking Hive’s servers, the FBI distributed over 1,300 decryption keys to Hive victims and gained access to Hive communication records, malicious file hashes, and details of 250 Hive affiliates.

On the same day, the US State Department offered up to $10 million for any information that could help connect the Hive ransomware gang (or other threat actors) to foreign governments.

Leave a Reply

Your email address will not be published. Required fields are marked *