Mandiant report – a resurgence of ransomware

As revealed in a recent report by threat detection organisation Mandiant, ransomware is again on the rise.

Ransomware attacks have seen a significant resurgence in 2023, as observed by Mandiant, reversing the slight decline experienced in 2022. This past year has witnessed a 75% increase in posts on data leak sites and a more than 20% rise in Mandiant-led ransomware investigations.

Key Insights:

Increased Ransomware Activity:

2023 saw the detection of over 50 new ransomware families and variants, with one-third being variants of existing families. This surge highlights the persistent evolution and adaptation of ransomware threats.

Tools and Tactics:

Attackers have predominantly utilised commercially available and legitimate tools for their intrusions. Notably, there has been a decline in the use of Cobalt Strike BEACON, with a corresponding increase in the use of legitimate remote access tools.

Rapid Deployment:

In almost one-third of incidents, ransomware was deployed within 48 hours of initial access. Furthermore, 76% of these deployments occurred outside of standard working hours, primarily in the early morning.

Global Impact:

Ransomware attacks in 2023 have affected victims in over 110 countries, spanning various sectors. This underscores the global and widespread impact of ransomware.

New Tactics:

Innovative methods have been observed, including ALPHV operators creating a searchable victim data website and filing a complaint with the SEC against a victim.

The continued profitability of ransomware remains a driving force for threat actors. In 2023 alone, more than US$1 billion was paid to attackers. This resurgence comes after a turbulent 2022, which was marked by geopolitical events and internal disruptions among cybercriminals.

2023 has recorded the highest volume of posts on shaming sites since Mandiant began tracking them in Q1 2020. Q3 2023 broke records with more than 1,300 posts. Other indicators also support the increase in ransomware activity, including a 15% rise in unique sites with at least one post and a 30% increase in new data leak sites (DLS) compared to 2022.

Approximately 30% of posts in 2023 were on newly identified DLS associated with various ransomware families, such as ROYALLOCKER.BLACKSUIT, RHYSIDA, and REDBIKE (also known as Akira). There was limited overlap between these new DLS and previously tracked threat actors or ransomware families. This suggests that some of the new DLS activity may be due to previously established actors forming new alliances or rebranding rather than creating completely new offerings.

Mandiant observed over 50 new ransomware families and variants in 2023, consistent with the numbers seen in 2021 and 2022. However, the proportion of new variants compared to new families has increased, with around one-third of new families in 2023 being variants of previously identified ransomware families. This trend indicates that threat actors are investing their resources in updating pre-existing ransomware families rather than developing new ones from scratch.

Historically, Mandiant has identified clear patterns in the timing of ransomware execution, with a high volume of activity occurring outside of work hours. In 2023, ransomware operators appeared less deliberate in their timing. About 75% of ransomware deployments happened outside of standard business hours, slightly less than in 2021 and 2022, and execution was more evenly distributed across days of the week.

The time between the first evidence of malicious access and ransomware deployment varied widely in 2023, ranging from zero to 116 days. In about 15% of incidents, ransomware was deployed within one day of initial attacker access, and nearly one-third of incidents involved execution within the first 48 hours of access.

The most common initial access vectors in 2023 involved stolen credentials or the exploitation of vulnerabilities in public-facing infrastructure, highlighting the need for robust security measures and vigilance in protecting sensitive data and systems.

The data presented by Mandiant underscores the evolving nature of ransomware threats and the critical importance of continued vigilance and adaptation in cybersecurity practices to combat these persistent threats.