Getty Images/iStockphoto
Mandiant: Ransomware investigations up 20% in 2023
The cybersecurity company observed a sharp rise in activity on data leak sites in 2023 as well as an increase in ransomware actors using legitimate commercial tools during attacks.
Mandiant is the latest vendor to report alarming ransomware trends throughout 2023, particularly related to increases in data theft and public data leak site activity.
In a blog post on Monday, Google Cloud's Mandiant detailed an overall increase in the number of ransomware families, shifts in deployment timelines and prevalent tools threat actors used during attacks. The research was based on incident response cases where victim organizations directly engaged Mandiant's services.
In addition to a rise in ransomware activity between 2022 and 2023, Mandiant also observed a significant increase in the use of public data leak sites intended to shame victims into paying the ransom demand. Mandiant observed a 30% increase in the creation of new data leak sites, filled with posts by ransomware threat actors.
"Mandiant observed an increase in ransomware activity in 2023 compared to 2022, including a 75% increase in posts on data leak sites (DLS), and an over 20% increase in Mandiant-led investigations involving ransomware from 2022 to 2023," Mandiant wrote in the blog post. "This illustrates that the slight dip in extortion activity observed in 2022 was an anomaly, potentially due to factors such as the invasion of Ukraine and the leaked CONTI chats."
Mandiant referred to 2023 as "the year with the highest volume of posts on shaming sites" since the vendor started tracking the data in 2020. During the third quarter of 2023, researchers recorded more than 1,300 posts to leak sites. Mandiant found that 30% of the 2023 posts were on newly identified data leak sites attributed to various ransomware families including RoyalLocker/BlackSuit, Rhysida and RedBike/Akira.
Mandiant analyzed more than 50 new ransomware variants and families last year, which aligns with previous years. However, Mandiant observed a new trend in that one-third of the new strains were offshoots of previously identified families.
"It is plausible that at least some portion of the newly identified DLS activity is the result of previously established actors forming new alliances or rebrands rather than creating completely new offerings," the blog post said.
The leak sites contained sensitive data allegedly stolen from the victim organizations during attacks. The blog post highlighted the risk that threat actors took to exfiltrate that data: During investigations, Mandiant observed that nearly 60% of incidents involved confirmed or suspected data theft even though the process took considerably longer than simply dropping a ransomware payload to encrypt systems.
Mandiant found that the median time between initial access and ransomware deployment during data theft incidents was 6.11 days, while the median time in incidents without data theft was 1.76 days. However, those numbers had decreased compared with the previous year.
"2022 incidents had a larger range between incidents with or without data exfiltration, with missions involving data theft having a median time of nine days compared to one day for those without data theft. This could suggest that threat actors are becoming more efficient when performing data theft," the blog post said.
Mandiant also observed that attackers used Rclone, a common open source command-line tool, to exfiltrate data to commercial storage services or attacker-controlled infrastructure in around 30% of intrusions where data theft was confirmed or suspected. Overall, Mandiant discovered that Rclone was used in around 20% of ransomware incidents.
Bavi Sadayappan, Mandiant senior threat analyst at Google Cloud, told TechTarget Editorial there are multiple factors that likely contributed to threat actors becoming increasingly efficient at data theft. She stressed that data theft alongside ransomware in multifaceted extortion operations has been a growing trend for years.
"Most notably, actors have likely become more effective with time and experience -- they have developed a better understanding of where and how organizations store their data, and the types of data likely to create the most leverage," Sadayappan said. "The tools actors are using may also contribute to this efficiency, including the increasing prevalence of remote access tools used for both system and data access, and rare but emergent use of semiautomated data theft tools."
Attackers abuse legitimate tools
More alarmingly, Mandiant discovered that ransomware actors have increasingly leveraged legitimate remote management tools during attacks. Alex Stamos, chief trust officer at SentinelOne, also warned that ransomware groups are using legitimate tools, or living-off-the-land techniques, to avoid endpoint detection and response products.
Mandiant observed that the use of legitimate tools in intrusions surged from 23% in 2022 to 41% in 2023. The report noted that the percentage of intrusions involving AnyDesk nearly doubled.
While attackers used more legitimate tools to avoid detection, they shifted away from developing or purchasing zero-day vulnerability exploits to gain initial access to networks, which Mandiant said was a notable shift. Instead, threat actors increasingly exploited known vulnerabilities or N-days with a proof-of-concept exploit publicly available.
"In one instance, threat actors were suspected to have exploited a 2017 vulnerability in Liferay Portal," the blog post said.
Mandiant listed other vulnerabilities threat actors exploited for initial access. For example, the LockBit ransomware gang used a Citrix NetScaler ADC unauthenticated buffer-related vulnerability, tracked as CVE-2023-4966, against aerospace giant Boeing last year. Attackers also exploited an Atlassian Confluence vulnerability, tracked as CVE-2023-22518, to conduct widespread attacks against vulnerable servers.
Other common vectors for initial access in 2023 included stolen credentials, brute-force attacks and phishing emails.
"In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments, either through the use of stolen credentials or brute-force attacks. The vast majority of these incidents involved authentication to a victim's corporate VPN infrastructure," the blog post said.
Once attackers gained initial access to a victim organization, deployment was imminent. In nearly one-third of incidents Mandiant responded to, ransomware was deployed within 48 hours. In addition, the company said 76% of ransomware deployments occurred outside of work hours and often in the early morning. Cybersecurity vendor Sophos also found that ransomware deployment occurred outside of traditional business hours during 91% of attacks in 2023.
Cryptocurrency and law enforcement actions
The Mandiant blog post also addressed a shift in cryptocurrency usage. Mandiant observed that several newer ransomware as a service (RaaS) operations, such as Trigona and Kuiper, accept payments in other cryptocurrencies besides bitcoin. That might be due to an increase in tracing efforts by private sector firms and law enforcement agencies. Insurance provider Corvus and blockchain analytics vendor Elliptic, for example, traced payments made to the ransomware group Black Basta, some through bitcoin wallets, and found that operators obtained more than $100 million between 2022 and the first half of 2023.
"For example, the Kuiper ransomware operators appear to prefer to be paid in Monero given the analyzed ransom notes indicate the ransom demand is increased 20% if victims pay in Bitcoin. The preference for being paid in Monero suggests actors are taking additional steps to obscure their activity," the blog post said.
Zach Riddle, Mandiant principal analyst at Google Cloud, told TechTarget Editorial that a limited number of RaaS operations appear to prefer Monero over bitcoin. Riddle added that threat actors commonly attempt to obscure their activity to hinder investigations, including analysis of cryptocurrency transactions.
"Despite the anonymity benefits provided by Monero, we anticipate RaaS operators will continue to rely primarily on Bitcoin over other cryptocurrencies for the foreseeable future due to wider availability of Bitcoin on most popular exchanges, making it easier for victims to convert fiat to cryptocurrency when paying ransoms," Riddle said.
While ransomware activity did increase significantly in 2023, Mandiant applauded recent law enforcement efforts that disrupted the LockBit and BlackCat/Alphv ransomware groups. One significant action occurred early last month when law enforcement indicted and sanctioned the alleged LockBit ringleader known as "LockBitSupp." Not included in the report was another major coordinated law enforcement operation, dubbed "Endgame," that occurred last week to successfully shut down botnets and malware droppers commonly used by ransomware gangs.
"While the impact of these operations is yet to be fully understood, previous reactions to disruptive actions suggest that threat actors are resilient in the face of obstacles," Mandiant said. "However, we have observed at least some short term impacts, including ALPHV dropping out of the top three most prolific DLS, based on volume of posts in Q1 2024."
Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
