CrowdStrike Report Highlights Crucial Shift In Ransomware Tactics


CrowdStrike released the 9th annual edition of its Global Threat Report this week. The 42-page report reveals insights on threat actor behavior, tactics, and trends from the past year—tracking activities of more than 200 cyber adversaries. There are a number of interesting findings and notable trends in the 2023 Global Threat Report, but what stands out is the changing dynamics of ransomware attacks.

Key Highlights of 2023 Global Threat Report

The CrowdStrike Intelligence team analyzed and evaluated data from trillions of daily events from the CrowdStrike Falcon platform, combined with insights from CrowdStrike Falcon Overwatch to create the report. While it is interesting to look back and delve into the tools, techniques, and tactics employed by threat actors, the real value of a report like this is to highlight concerning trends and emerging strategies to help organizations be better prepared to defend against future threats.

CrowdStrike added 33 new adversaries to its pantheon of threat actors in 2022. They have some fun with it—naming threat actors things like Ethereal Panda and Deadeye Hawk, accompanied by artwork that makes them seem like villains from an Avengers comic. There is a method to the madness as well, though. The type of animal or creature is a means of classification. Spiders represent eCrime, Bears are used for Russia-nexus adversaries, Pandas designate China-nexus adversaries, Jackals are hacktivist threat actors, and so on. The unique artwork and creative naming convention make the threat actors more memorable and help you easily identify where the group is from or what type of threat it is. It also feels a little like Pokemon—gotta catch ‘em all!

Here are some of the key highlights from the report:

· 71% of attacks detected were malware-free (up from 62% in 2021), and interactive intrusions (hands-on-keyboard activity) increased 50% in 2022—Outlining how sophisticated human adversaries increasingly look to evade antivirus protection and outsmart machine-only defenses.

· 112% year-over-year increase in access broker advertisements on the dark web—Illustrating the value of and demand for identity and access credentials in the underground economy.

· Cloud exploitation grew by 95% and the number of cases involving ‘cloud-conscious’ threat actors nearly tripled year-over-year—More evidence adversaries are increasingly targeting cloud environments.

· Adversaries are re-weaponizing and re-exploiting vulnerabilities—Spilling over from the end of 2021, Log4Shell continued to ravage the internet, while both known and new vulnerabilities, like ProxyNotShell and Follina—just two of the more than 900 vulnerabilities and 30 zero-days Microsoft issued patches for in 2022—were broadly exploited as nation-nexus and eCrime adversaries circumvented patches and sidestepped mitigations.

· eCrime actors moving beyond ransom payments for monetization—2022 saw a 20% increase in the number of adversaries conducting data theft and extortion campaigns.

· China-nexus espionage surged across all 39 global industry sectors and 20 geographic regions tracked by CrowdStrike Intelligence—Rise in China-nexus adversary activity shows that organizations across the world and in every vertical must be vigilant against the threat from Beijing.

· Average eCrime breakout time is now 84 minutes—This is down from 98 minutes in 2021, demonstrating the speed at which today’s threat actors move from initial access to lateral movement.

· The cyber impact of the Russia-Ukraine war was overhyped but not insignificant—CrowdStrike saw a jump in Russia-nexus adversaries employing intelligence gathering tactics and even fake ransomware, suggesting the Kremlin’s intent to widen targeting to sectors and regions where destructive operations are considered politically risky.

· An uptick in social engineering tactics targeting human interactions—Tactics such as vishing to direct victims to download malware, and SIM swapping to circumvent multifactor authentication (MFA).

Ransomware Without the Encryption

The trend that stands out the most for me is the shift in ransomware tactics.

Ransomware has been around for years, and the original concept was fairly straightforward. Cyber adversaries encrypted all of your data and locked you out of your systems unless you paid the ransom demand. Organizations responded by being more disciplined and diligent about backing up systems and data. If they were hit with ransomware, rather than paying the ransom they could simply wipe the systems and restore everything from backups. Voila!

Ransomware groups had a counter for this strategy, though. They moved on to double extortion attacks. With double extortion, threat actors first exfiltrate all of your sensitive data, then encrypt your systems and data to lock you out. You can still restore your systems from backup, but now the attackers have an added incentive for you to pay the ransom—if you don’t, they can leak or sell your data.

The new trend focuses on data exfiltration and extortion but skips the encryption part. I spoke with Adam Meyers, Senior VP of Intelligence at CrowdStrike, about the report and the evolution of the ransomware threat.

Meyers noted that the calculus for an organization regarding whether to pay the ransom or not with traditional ransomware attacks essentially boiled down to balancing downtime against the cost of the ransom demand. It was a simple question of which option was less expensive and enabled the organization to resume normal operations more quickly. “With data extortion, it’s a different calculus. The calculus is how much sensitive information is going to get leaked, and what will be the regulatory, legal, and compliance impact of that?”

Another potential benefit for the threat actors—and for the victims as well in many cases—is that a pure data extortion attack doesn’t make as much noise. When ransomware halts the flow of oil like it did during the Colonial Pipeline attack, or if it forces a hospital to shut down, it disrupts business and makes headlines. It brings unnecessary, and often unwanted, attention to the threat actors, and puts the victim in a tough spot where the decision to pay or not pay the ransom plays out publicly. Data extortion, on the other hand, enables threat actors to make ransom demands, and victim organizations to accede to the extortion, without anyone else having to know about it.

Meyers added that it also simplifies the process of making good on the ransom. Encryption and decryption of data is complex and it can get messy. A large percentage of organizations that pay the ransom don’t actually end up recovering all of their data. It’s a lot easier to skip the encryption and just delete or return the stolen data when the ransom is paid.

New Threats Need New Solutions

Meyers explained that cybersecurity tools have evolved over time as well—from antivirus, to endpoint protection and, more recently, to endpoint detection and response (EDR) solutions. He stressed, though, “I think data weaponization and data extortion is going to continue to escalate, and it necessitates a different solution.”

He suggested that what organizations need to defend themselves more effectively from these emerging threats is zero trust. “Zero trust is really critical to what organizations need to be thinking about because we used to say ‘Trust, but verify,’ and now it needs to be ‘Verified and trust.’ We need to change the paradigm and flip it on its head—and that requires additional technology and additional practices inside the organization.”

These are just some of the key findings and insights. I recommend you take a look at the full report. You can download the 2023 Global Threat Report here.
