Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption

Posted by HSSL Technologies on Oct 2nd 2024

Available evidence suggests vulnerability exploitation has replaced botnets as a prime infection vector.

Ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023. Attackers have continually refined their tactics and proven quick to respond to disruption, finding new ways to infect victims.

Analysis of data from ransomware leak sites shows that attackers managed to hit significantly more victims last year (4,700) compared to 2022 (2,800). While the shutdown of the Qakbot botnet in June 2023 took a major malware distribution channel offline, attackers have quickly adapted and vulnerability exploitation now appears to be the primary vector for ransomware attacks.

Figure 1. Claimed ransomware attacks by actors operating data leak sites, 2023-2024

LockBit, the longstanding ransomware-as-a-service operation run by the Syrphid cybercrime group (aka Bitwise Spider), continued to be the largest ransomware threat in 2023, accounting for 21% of all attacks claimed on data leak sites. It was followed by Noberus (aka BlackCat, ALPHV) with 9% of all claimed attacks and Clop with 8%. Both LockBit and Noberus have been the target of law enforcement operations in recent weeks, and it remains to be seen whether these will significantly affect activity levels from either threat over the long term.

Figure 2. Most prolific ransomware operations by claimed attacks, 2023.

Interestingly, there are significant disparities between overall, publicly claimed activity levels and ransomware activity investigated by Symantec. While LockBit was responsible for over 21% of the 4,700 attacks claimed in 2023, they were only identified as being involved in around 17% of the attacks Symantec investigated. Conversely, Noberus claimed 9% of all attacks in 2023 but it was involved in a little over 20% of all attacks Symantec investigated.

Figure 3. Proportions of publicly claimed attacks vs proportions of ransomware attacks investigated by Symantec.

The comparison may give some indication of the success rates experienced by actors linked to each operation. For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that Noberus affiliates are more likely to advance their attacks at least to the payload deployment stage.

Vectors

The evidence from recent ransomware investigations suggests that exploitation of known vulnerabilities in public-facing applications is now the main vector for ransomware attacks. Likely infection vectors in recent ransomware attacks include:

  • CVE-2022-47966 ZOHO ManageEngine
  • Microsoft Exchange Server vulnerabilities. The specific exploits used are unknown, but in a number of attacks the first evidence of malicious activity was found on Exchange Servers.
  • Citrix Bleed (CVE-2023-4966) Citrix NetScaler ADC and NetScaler Gateway
  • CVE-2023-20269 Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) VPN

Tooling

The number of tools deployed by ransomware actors continues to grow. In particular, there has been a marked increase in the number of dual-use tools (legitimate software installed by attackers for malicious purposes). Tools leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique are also currently popular among attackers. New tools recently seen in ransomware attacks include:

  • HopToDesk: A publicly available remote desktop tool, which was used by attackers deploying a variant of the leaked Conti ransomware. Remote desktop tools are frequently used by ransomware actors, the most popular being Atera, AnyDesk, and Splashtop.
  • TrueSightKiller: A publicly available tool that leverages the BYOVD technique to disable security software.
  • GhostDriver: Another tool that leverages the BYOVD technique to disable antivirus (AV) tools.
  • StealBit: A custom data exfiltration tool associated with the LockBit ransomware operation. StealBit appeared to have fallen out of favour among LockBit affiliates for some time. However, usage of the tool resumed in early 2024, where it was deployed in two separate LockBit attacks.

Techniques

Noteworthy techniques that have recently been used by ransomware actors include:

  • Esentutl: Dumping credentials using the Windows command-line tool that provides database utilities for the Extensible Storage Engine (ESE). This is a known technique, but in recent weeks attackers have been using it to dump browser credentials.
  • DPAPI: Using malicious tools to extract and decrypt sensitive user credentials stored using Microsoft's Data Protection API (DPAPI).
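A detection-side illustration of the esentutl technique above, added here as an example and not taken from the original post: it parses process-creation command lines, flags esentutl copy operations (the /y switch) whose source is a browser or Windows credential store, and treats /vss use as higher severity because that switch is what allows a locked, in-use database to be copied. Host names, paths and events are constructed, and the credential-store path list is an assumption a defender would tune to their environment.

```python
import re
import shlex

# File paths whose copy with "esentutl /y" is a credential-access signal (assumed list, tune per environment).
CREDENTIAL_STORES = (
    r"\\login data$",                     # Chromium-based browser saved logins
    r"\\web data$",                       # Chromium-based browser autofill data
    r"\\ntds\.dit$",                      # Active Directory database
    r"\\config\\(sam|system|security)$",  # registry hives
)

def parse_esentutl_copy(cmdline):
    """Return (source_path, uses_vss) for an 'esentutl /y <src> ...' copy, or None if the
    command is not an esentutl copy. Matches on image name only; a renamed binary needs an
    OriginalFileName or hash check instead."""
    try:
        tokens = shlex.split(cmdline, posix=False)  # non-posix mode keeps Windows backslashes
    except ValueError:
        return None  # unbalanced quotes: leave it to another rule
    if not tokens or not tokens[0].strip('"').lower().endswith("esentutl.exe"):
        return None
    lowered = [t.lower() for t in tokens]
    if "/y" not in lowered:
        return None
    i = lowered.index("/y")
    if i + 1 >= len(tokens) or tokens[i + 1].startswith("/"):
        return None  # /y without a source path
    # /vss reads a locked, in-use database through a Volume Shadow Copy
    return tokens[i + 1].strip('"'), any(t.startswith("/vss") for t in lowered)

def scan(events):
    """events: iterable of (host, command_line). Returns (host, severity, source) for each
    esentutl copy of a credential store; /vss raises the severity from medium to high."""
    findings = []
    for host, cmdline in events:
        parsed = parse_esentutl_copy(cmdline)
        if parsed is None:
            continue
        src, uses_vss = parsed
        if any(re.search(p, src.lower()) for p in CREDENTIAL_STORES):
            findings.append((host, "high" if uses_vss else "medium", src))
    return findings

# Constructed process-creation events (host, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS-042", r'esentutl.exe /y "C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data" /d "C:\Windows\Temp\ld.tmp" /vss'),
    ("DC-01", r'C:\Windows\System32\esentutl.exe /y C:\Windows\NTDS\ntds.dit /d C:\Windows\Temp\n.dit /vss'),
    ("WS-013", r'esentutl.exe /y "C:\Users\amy\AppData\Local\Microsoft\Edge\User Data\Default\Web Data" /d C:\Temp\wd'),
    ("SRV-07", r'esentutl.exe /p C:\Exchange\mailbox.edb'),  # legitimate ESE database repair
    ("WS-021", r'esentutl.exe /y C:\data\archive.edb /d D:\bak\archive.edb'),  # benign copy
]
```

Running `scan(SAMPLE_EVENTS)` yields two high-severity findings (the Chrome Login Data and ntds.dit copies via /vss) and one medium finding (the Edge Web Data copy); the repair command and the plain database copy are not flagged.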

Ongoing threat

Ransomware will continue to be a major threat for organizations in 2024 and beyond. Incentivised by large payouts, ransomware attackers have proven to be persistent and adaptive, capable of responding to disruption by reorganizing themselves and consistently developing new tactics.