Trend Micro, a leading provider of cybersecurity solutions, recently released its annual cybersecurity report. In addition to sharing valuable data on advanced persistent threats (APTs), the report explores trends in ransomware, phishing, and malware, and how the industrial sector is improving its cybersecurity efforts compared to other industries. It also provides an interesting analysis of how this is being approached.
Specific ransomware trends include:
- Trend Micro sees ransomware activity becoming more sophisticated. This includes the increased use of remote encryption strategies employed by Akira, BlackMatter, and notorious adversaries of industry, including BlackCat, LockBit, and Royal. This approach requires mapping the drives to be encrypted at the target endpoint, rather than moving laterally across the network. The idea behind this strategy is that by leaving a smaller footprint, attacks become more difficult to detect.
- The report also confirms that ransomware groups are taking advantage of the convenience of intermittent encryption. Manufacturing-savvy groups like BlackBasta and BlackCat take this approach, encrypting chunks of data rather than all the data they capture at once. The advantage of this process is that the affected data still becomes useless to the victim, while encryption is faster and decryption efforts face an additional layer of complexity.
- Another tactic involves endpoint detection and response (EDR) bypass using unmonitored virtual machines. Threat actors Akira and BlackCat have been identified as key proponents of this approach. It involves bypassing EDR by creating an unmonitored VM to move, map, and encrypt files within the Windows Hyper-V hypervisor system and attached VMs. These are often used in remote monitoring applications.
- Continuing the theme of increasing attack complexity, Trend Micro sees more RaaS groups collaborating in attacks. This means, for example, that one attacker specializes in access and sells stolen credentials to another attacker, who uses purchased malware to run an extortion campaign.
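Intermittent encryption, as described in the list above, leaves a pattern defenders can look for: a file whose chunks alternate between ciphertext-like and ordinary byte entropy. The Python below is an added example, not taken from the Trend Micro report; the chunk size, threshold, function names, and sample buffers are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096         # assumed analysis window; not a value from the report
HIGH_ENTROPY = 7.5   # assumed bits-per-byte threshold for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def chunk_profile(blob: bytes, chunk: int = CHUNK) -> list:
    """One flag per full chunk: True when its entropy is ciphertext-like.
    A short trailing chunk is skipped; too few bytes cannot reach the threshold."""
    return [shannon_entropy(blob[i:i + chunk]) >= HIGH_ENTROPY
            for i in range(0, len(blob) - chunk + 1, chunk)]

def classify(blob: bytes) -> str:
    """'plain', 'partial' (mixed chunks, worth triage) or 'uniform-high'."""
    flags = chunk_profile(blob)
    if not any(flags):
        return "plain"
    return "uniform-high" if all(flags) else "partial"

def pseudo_random(n_chunks: int, label: bytes) -> list:
    """Constructed stand-in for ciphertext: SHA-256 output, CHUNK bytes per item."""
    return [b"".join(hashlib.sha256(label + bytes([c, i])).digest()
                     for i in range(CHUNK // 32)) for c in range(n_chunks)]

# Constructed sample buffers (no real files are read or modified).
TEXT = (b"Work order 1182: torque spec 45 Nm, line 4, shift B. " * 700)[:8 * CHUNK]
PLAIN_CHUNKS = [TEXT[i:i + CHUNK] for i in range(0, len(TEXT), CHUNK)]
NOISE = pseudo_random(8, b"demo")
PLAIN = TEXT
UNIFORM = b"".join(NOISE)
# Every other chunk is high-entropy, imitating the pattern described above.
MIXED = b"".join(NOISE[i] if i % 2 == 0 else PLAIN_CHUNKS[i] for i in range(8))

if __name__ == "__main__":
    for name, blob in (("plain", PLAIN), ("uniform", UNIFORM), ("mixed", MIXED)):
        print(name, classify(blob), chunk_profile(blob))
```

Compressed or legitimately encrypted formats land in "uniform-high", and files that embed compressed media can show up as "partial", so the result is a triage signal to combine with other telemetry rather than a verdict.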
The report also discusses key points regarding the recent downward trend in ransomware attacks. The number of detections from 2021 to 2023 was on average less than half the number recorded in 2020. According to Trend Micro, previous ransomware attacks were often launched as large-scale or bulk deployments, with spam campaigns containing malicious links. However, hackers quickly learned that attacks that focused on volume were easier to block.
Current data suggests that attackers are using more effective methods to evade proactive detection by leveraging living-off-the-land attacks, as well as zero-day exploits. Some of the additional data included in the report, which can be downloaded here:
- StopCrypt and LockBit maintained their top spots among the most prolific ransomware families.
- Manufacturing experienced the highest risk events of any industry, more than healthcare or financial markets.
- Manufacturing trailed only government and healthcare organizations in malware attacks.
- PDFs were the most common email attachment used to launch malware campaigns.