According to the “2023 State of the Threat” report by Secureworks, the number of victims posted on ransomware leak sites by criminal gangs reached exceptionally high levels from March to June 2023.
2023 appears to be the year with the most recorded victims on the so-called “name and shame” sites since the practice began in 2019.
The Secureworks report, covering July 2022 to June 2023, found that the predominant factor behind the breach of numerous organizations, and their subsequent appearance on data leak sites, during the final four months of that period was the mass exploitation of specific vulnerabilities.
In March, the Clop ransomware gang utilized a vulnerability in Fortra GoAnywhere. In May, the MalasLocker gang targeted a bug in the Zimbra mail server. And in June, the Clop gang exploited a vulnerability in MOVEit Transfer.
Furthermore, Secureworks reported that the operator it tracks as GOLD MYSTIC (LockBit) was the most prolific ransomware group during the 12-month period covered by the report, disclosing nearly three times as many victims as the next most active group, ALPHV (BlackCat).
Nevertheless, beyond the established ransomware groups, Secureworks unveiled that newly emerged ransomware strains also victimized many organizations from March to June 2023. Notably, 8BASE, a relatively new entrant, had amassed nearly 40 victims on its leak site by June 2023.
The ransomware deployment timeline has shortened.
The report indicated that the median dwell time, the interval between an attacker’s initial access and ransomware deployment, fell to less than 24 hours, a significant decrease from the 4.5 days observed in the prior 12 months. In 10% of cases, the attackers deployed ransomware within just five hours of gaining initial access.
This shift reflects cybercriminals’ awareness of companies adopting more advanced detection measures and their efforts to expedite operations to minimize the risk of being thwarted before ransomware deployment.
Ransomware: What Are the Primary Methods of Initial Access?
Secureworks noted that the two most prevalent methods of gaining initial access were scan-and-exploit (32%) and stolen credentials (32%). Phishing emails accounted for a further 14%.
Protecting against ransomware attacks today requires a comprehensive approach that encompasses both preventive and responsive measures. Here are some key steps to help safeguard your systems and data:
- Backup Data Regularly: Maintain up-to-date backups of your critical data and ensure they are isolated from the network. Regularly test your backup and recovery processes to ensure they work effectively.
- Keep Software Updated: Regularly apply security patches and updates to your operating systems, software, and applications. Vulnerabilities in outdated software are often exploited by ransomware.
- Use Antivirus and Anti-Malware: Employ robust antivirus and anti-malware software to detect and prevent known threats. Keep these tools updated to stay protected against the latest malware variants.
- Implement Email Security: Use email filtering solutions to block malicious attachments and links in emails. Train employees to recognize phishing attempts and avoid clicking on suspicious links or downloading attachments from unknown sources.
- User Education: Conduct regular cybersecurity training for employees to increase awareness about ransomware threats and best practices for avoiding them.
- Network Segmentation: Segment your network to limit lateral movement for attackers. This can help contain ransomware infections and prevent them from spreading across your network.
- Access Control: Enforce the principle of least privilege (PoLP) by granting users and systems only the minimum access necessary to perform their duties. This reduces the attack surface for ransomware.
- Use a Firewall: Employ a firewall to filter network traffic and block unauthorized access to your network. Configure it to allow only necessary traffic.
- Intrusion Detection and Prevention Systems (IDPS): Deploy IDPS to monitor network traffic for suspicious activity and take action to prevent attacks in real-time.
- Ransomware Protection Software: Consider using specialized ransomware protection software that can detect and block ransomware activity based on behavioral analysis.
- Incident Response Plan: Develop and regularly update an incident response plan that outlines the steps to take in the event of a ransomware attack. Ensure that all employees are familiar with this plan.
- Regularly Monitor Systems: Continuously monitor your systems and networks for unusual or suspicious activities. Early detection can prevent the spread of ransomware.
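With dwell times now under 24 hours, the monitoring and behavioral-detection items above only help if the detection fires during the encryption burst itself. The following Python script is an added example, not code from the Secureworks report or from any product: it walks a small set of constructed file-event log lines (timestamp, host, process, action, path; the host, process and path names are invented) and raises an alert when a single process writes or renames many distinct files across several directories inside a short window, which is what mass encryption looks like on an endpoint. The thresholds and window are assumptions to tune per environment.

```python
"""Behavioral ransomware-burst detector over file-event logs (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)  # assumed burst window
MIN_FILES = 10                  # assumed: distinct files touched within the window
MIN_DIRS = 3                    # assumed: distinct directories touched within the window


def parse_event(line):
    """Parse 'ISO-timestamp host process action path' into a dict (constructed format)."""
    ts, host, proc, action, path = line.split(maxsplit=4)
    return {"ts": datetime.fromisoformat(ts), "host": host, "proc": proc,
            "action": action, "path": path}


def detect_bursts(lines, window=WINDOW, min_files=MIN_FILES, min_dirs=MIN_DIRS):
    """Return one alert per (host, process) whose write/rename activity
    exceeds the file and directory thresholds inside a sliding time window."""
    events = sorted(map(parse_event, lines), key=lambda e: e["ts"])
    recent = defaultdict(deque)  # (host, proc) -> deque of (ts, path) inside the window
    alerted = set()
    alerts = []
    for ev in events:
        if ev["action"] not in ("write", "rename"):
            continue
        key = (ev["host"], ev["proc"])
        q = recent[key]
        q.append((ev["ts"], ev["path"]))
        # Drop events that have aged out of the window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        files = {p for _, p in q}
        dirs = {str(PureWindowsPath(p).parent) for p in files}
        if len(files) >= min_files and len(dirs) >= min_dirs and key not in alerted:
            alerted.add(key)  # alert once per process, not once per file
            alerts.append({"host": ev["host"], "proc": ev["proc"],
                           "first": q[0][0], "last": ev["ts"],
                           "files": len(files), "dirs": len(dirs)})
    return alerts


def sample_events():
    """Constructed log lines: routine user activity plus one encryption-like burst."""
    lines = [
        "2023-06-01T02:10:00 ws01 WINWORD.EXE write C:\\Users\\a\\Documents\\q2.docx",
        "2023-06-01T02:10:30 ws01 WINWORD.EXE write C:\\Users\\a\\Documents\\q2.docx",
        "2023-06-01T02:11:00 ws01 svchost.exe write C:\\Windows\\Temp\\ETW.log",
        "2023-06-01T02:12:00 ws01 OUTLOOK.EXE write C:\\Users\\a\\AppData\\Local\\mail.ost",
    ]
    # Hypothetical 'enc.exe' renames twelve files in four directories within 22 seconds.
    base = datetime.fromisoformat("2023-06-01T02:30:00")
    dirs = ["C:\\Users\\a\\Documents", "C:\\Users\\a\\Desktop",
            "D:\\Finance\\2023", "D:\\HR"]
    for i in range(12):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} ws01 enc.exe rename {dirs[i % 4]}\\file{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for a in detect_bursts(sample_events()):
        span = (a["last"] - a["first"]).total_seconds()
        print(f"ALERT {a['host']} {a['proc']}: {a['files']} files in "
              f"{a['dirs']} dirs within {span:.0f}s")
```

On the constructed sample the benign processes never cross the thresholds, while the burst is flagged on its tenth file, 18 seconds after it starts; in a real deployment the alert should trigger an automated response (isolate the host, kill the process) rather than a ticket, because the remaining files will be encrypted long before an analyst reads it.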