Almost three-quarters of cyber attacks involve ransomware

Published 25 April 2023
Source: https://cloudnewshub.com/?p=89054

Ransomware (https://www.techtarget.com/searchsecurity/definition/ransomware) continues to be the most common “end game” scenario in a cyber attack, accounting for 68.4% of all incidents to which the Sophos X-Ops (https://www.sophos.com/en-us/x-ops) incident response (IR) team responded in 2022, according to data drawn from the supplier’s latest Active adversary report for business leaders, an in-depth look at the evolving attack techniques and behaviours of threat actors.

Although the exponential growth rate of ransomware attacks observed over the past few years tapered off somewhat last year – for a number of reasons, not least the impact of the Ukraine war (https://www.computerweekly.com/feature/What-can-security-teams-learn-from-a-year-of-cyber-warfare) on Russia’s criminal ecosystem – it remains vastly more common than all other forms of attack, according to Sophos. In comparison, the second most common incident type – simple network breaches without a ransomware element – accounted for just 18.4% of incidents.

Sophos said ransomware would always loom large in the overall statistics, given that it is a disruptive, noisy and visible form of cyber attack that requires a good deal of expert help. The X-Ops team additionally noted that many of the network breaches they responded to had no clear motive, so may well have developed into ransomware incidents had they run their course.

Elsewhere, 4% of X-Ops responses related to incidents of data exfiltration and 2.6% to data extortion, usually hallmarks of a ransomware incident but increasingly used as tactics by threat actors without encrypting data; 3.3% related to the deployment of malware loaders; 2.6% to the deployment of web shells; and 0.7% to the deployment of illicit cryptominers.

“The variety of different attack types in this year’s data showed a slight rise,” wrote the report’s author, John Shier, field chief technology officer for Sophos’s commercial business. “It may be that this diversity is due to attackers not achieving their end objectives. More companies are adopting technologies like EDR [Endpoint Detection and Response], NDR [Network Detection and Response] and XDR [Extended Detection and Response], or services like MDR [Managed Detection and Response], all of which allow them to spot trouble sooner (https://www.techtarget.com/searchsecurity/tip/Cloud-detection-and-response-CDR-vs-EDR-vs-NDR-vs-XDR).

“This, in turn, means they can stop an attack in progress and evict the intruders before the primary goal is achieved – or before another, more malignant intruder finds a protection gap first located by a lesser adversary. While a coinminer or a web shell on your network is still not acceptable, it is much better to detect and remediate threats such as these before they turn into full-blown ransomware attacks, or exfiltration, or extortion, or a reportable breach,” he observed.

Perhaps linked to this, the X-Ops team observed decreases in average attacker dwell times across the board: in ransomware incidents, dwell time fell from 11 days in 2021 to nine days in 2022, and in other incidents from 34 days to 11 days over the same period.

Shier posited that this was again linked to effective defensive posture. “Organisations that have successfully implemented layered defences with constant monitoring are seeing better outcomes in terms of attack severity, [but] the side effect of improved defences means that adversaries have to speed up to complete their attacks,” he said.

“Therefore, faster attacks necessitate earlier detection. The race between attackers and defenders will continue to escalate and those without proactive monitoring will suffer the greatest consequences.”

Logging in, not breaking in

The X-Ops team’s latest data also reveals some insight into how threat actors are accessing their victims’ networks to begin with, and what else they are doing once they are inside.

The team found that unpatched vulnerabilities were the single most common access method – fully half of X-Ops’ 2022 investigations involved the exploitation of the Log4Shell and ProxyShell vulnerabilities (https://www.computerweekly.com/news/252516414/Log4Shell-ProxyLogon-ProxyShell-among-most-exploited-bugs-of-2021). The next most common root cause of attacks was compromised credentials – as Shier put it, “when today’s attackers aren’t breaking in, they’re logging in”. This was followed by unknown access methods – which is troubling because when IR teams cannot identify the root cause, remediation becomes significantly harder – then the use of malicious documents, brute force attacks and phishing.

In the course of its day-to-day work, the team also identified 524 unique tools and techniques that threat actors are using. Among them were 204 offensive or hacking tools, with the Cobalt Strike post-exploitation framework reliably the most popular, followed by AnyDesk, mimikatz, SoftPerfect’s Network Scanner, Advanced IP Scanner and TeamViewer.

Additionally, X-Ops found almost 120 living-off-the-land binaries (LOLBins): legitimate executables that occur “naturally” on operating systems and are then co-opted by malicious actors, which makes them considerably harder for security teams to spot – and block. PowerShell led the way in terms of LOLBin use, followed by cmd.exe, PSExec, Task Scheduler and net.exe. Remote Desktop Protocol (RDP) exploitation counts as a LOLBin too, but was excluded from the sampling due to its “utter ubiquity”.

In general, Sophos advises that, given the wide diversity of options in play, zeroing in on one of them is not going to help much – security teams should instead limit the tools that are allowed to be present, limit what they can do, and audit all use of them. For example, Cobalt Strike should probably always be blocked, but some use of TeamViewer can be safely allowed on a highly controlled basis.

Similarly, blocking LOLBins outright is not useful as some of them are essential to daily running – security teams would be better off developing triggers for detection tools to catch activity involving them.

“The reality is that the threat environment has grown in volume and complexity to the point where there are no discernible gaps for defenders to exploit,” said Shier.

“For most organisations, the days of going it alone are well behind them. It truly is everything, everywhere, all at once. However, there are tools and services available to businesses that can alleviate some of the defensive burden, allowing them to focus on their core business priorities.”