Has ransomware hit a ceiling? We doubt it, but the pause outlined in a new report on active adversaries tells us ransomware has either saturated the available targets or enterprise defenses are starting to bear fruit.
In its active adversaries report for the first half of 2024, Sophos’ X-Ops team analyzed more than 150 incident response cases. Through such a large analysis, the report provides good insights into the current tactics, techniques and procedures attackers currently employ. This is useful for anyone trying to better defend their systems.
Sophos concludes that, despite a pause in the rise of ransomware, organizations are failing to take the steps necessary to adequately defend themselves against the increase in attacks to come.
Ransomware topped the charts, but plateaued.
While the Sophos’ X-Ops team found that ransomware remained the predominate attack type and was part of the investigation in 70 % of the cases they evaluated, Sophos also concluded that ransomware prevalence had reached a plateau. The leading ransomware strains Sophos’ X-Ops team identified include LockBit (22% of cases), Akira (11%), ALPHV/BlackCat (9%), Play (6%) and Royal (6%). Many strains trace back to the notorious Conti ransomware gang.
While ransomware hitting a ceiling is good news, it’s not all that good when we look below the surface. Ransomware is still a plague, still wreaking havoc on business-technology systems everywhere, and at 70% of cases, it is still way too prevalent.
Sophos also found that ransomware gangs are detonating their ransomware payloads more quickly than ever. Ransomware payloads were activated in just five days, compared to 9 days in 2022. The good news here may be that with more organizations keeping a better eye on what’s occurring within their environments, adversaries feel they must respond by moving more quickly.
Compromised credentials: A concurrent enterprise plague
Cyber criminals have long focused on compromising credentials to further their attacks, and organizations have long neglected good authentication practices and hygiene. So it’s no surprise that compromised credentials topped the list of root causes at 56% of cases Sophos investigated. When viewed across 2020-2023 data, compromised credentials were the #1 all-time root cause involved in nearly a third of incidents. One could say enterprise credential neglect is a great favor bestowed by organizations to criminals.
Consider that 43% of organizations still had not implemented multifactor authentication(MFA) by the end of 2023. That’s just astounding today, following decades of industry reports showing failure to use strong and multifactor authentication being one of the most common initial entryways.
Sophos deems lack of MFA as "willful negligence." Following compromised credentials, the analysis finds the next most common attack vectors being exploitation of vulnerabilities (16% of cases) and remote desktop protocol (RDP) abuse, which proved to be part of 65% of initial access for attackers.
Evolving exfiltration threats
Data exfiltration occurred in 40% of cases and was possible but unconfirmed in 14% more. Lack of confirmation is often due to poor log maintenance. And in this report, there were insufficient logs in 53% of cases and cleared logs in 11% of cases. It’s safe to assume that exfiltration occurred at quite a higher rate than 40%.
For confirmed ransomware cases, 44% involved data exfiltration and 18% had possible exfiltration attempts. There was an inverse relationship between time-to-Active Directory access and data theft likelihood.
The report recommends treating any detected exfiltration as a potential ransomware precursor and to accelerate incident response procedures accordingly.
More on that attacker dwell time decline
Sophos found median attacker dwell times have decreased annually over the past three years across all attack types:
- 2021: 13 days
- 2022: 10 days
- 2023: 6 days
For ransomware attacks specifically, the 2023 median dwell time was just 5 days, down from 9 in 2022. Sophos assesses this decrease is likely due to improved attacker tradecraft coupled with stagnant defender capabilities in detection and response.
Lateral movement highlights
The report highlights two interesting, yet disturbing, lateral movement trends:
1) Rampant RDP abuse, featuring in a staggering 90% of cases to facilitate internal movement after gaining initial access.
2) Widespread use of living-off-the-land binaries (LOLBins) like PowerShell (78% of cases), cmd.exe and PsExec for execution, persistence and lateral movement.
Stagnant defenses
While attackers continue evolving their methods, the report finds defender mistakes and oversights remain largely unchanged year-over-year:
- Missing or cleared logs hampered investigations in 54% of cases in 2023.
- 43% of organizations lacked MFA on external services.
- 90% of ransomware deployments occurred outside business hours to avoid detection.
The report stresses that prioritizing basic security hygiene - patching vulnerabilities, enforcing MFA, reducing exposed services - could prevent most attacks, yet organizations still neglect these fundamentals.
In one alarming case study, a Sophos customer suffered four separate attacks over six months due to continually exposing RDP ports despite repeated recommendations to restrict access.
The report concludes that while the current threat landscape is relatively calm, defenders must urgently learn from previous mistakes and prioritize basic security practices. Failing to bolster defenses now will only ease attackers' impending sieges as they continue sharpening their capabilities.
