Trend Micro, a leading provider of cybersecurity solutions, recently unveiled their Annual Cybersecurity Report. In addition to sharing valuable data on advanced persistent threats (APTs), the report also offered some interesting analysis of ransomware, phishing and malware trends, as well as how the industrial sector is faring in its cybersecurity efforts when compared to other industries.
Some specific ransomware trends include:
- Trend Micro sees ransomware activities growing more sophisticated. This includes an increase in the use of remote encryption strategies employed by the likes of Akira, BlackMatte and notorious adversaries to the industrial sector - BlackCat, LockBit and Royal. This approach entails mapping drives to encrypt on a targeted endpoint instead of moving laterally throughout the network. The thought behind this strategy is that by leaving a smaller footprint, the attack becomes more difficult to detect.
- The report also sees ransomware groups leveraging the convenience of intermittent encryption. Groups familiar to manufacturing, such as BlackBasta and BlackCat, take this approach in encrypting chunks of data instead of encrypting all the captured data at once. The benefits being that this process speeds up encryption while still rendering the affected data useless to the victim, and adding another layer of complexity to decryption efforts.
- Another tactic involves endpoint detection and response (EDR) bypass using unmonitored virtual machines. Threat actors Akira and BlackCat are identified as leading proponents of this approach. It entails bypassing the EDR by creating unmonitored VMs to navigate, map and encrypt files within Windows Hyper-V hypervisor systems and the attached VMs. These are often utilized in remote monitoring applications.
- Playing off the continued theme of increased attack complexity, Trend Micro sees more RaaS groups working in concert on an attack. This means, for example, one attacker specializing in access and selling stolen credentials to another who is using purchased malware in order to carry out an extortion campaign.
Takeaways pertaining to a recent downward trend in ransomware attacks is also discussed, with detections from 2021 to 2023 averaging less than half of the recorded detections in 2020. According to Trend Micro, previous ransomware attacks were often launched in mass or bulk deployments with spam campaigns containing malicious links. However, hackers soon learned that attacks focused on quantity are easier to block.
Data now suggests that attackers are using more effective ways to evade preliminary detection by utilizing living-off-the-land, or dwelling attacks, as well as zero-day exploits. Some additional data found in the report, which can be downloaded here, includes:
- StopCrypt and LockBit maintained the top spots in terms of most prolific ransomware families.
- Manufacturing had the most risk events of any industry - more than healthcare or financial markets.
- Manufacturing trailed only government and healthcare in malware attacks.
- A PDF was the most common email attachment used to launch a malware campaign.