Microsoft revealed today that its security teams are tracking more than 100 malicious actors deploying ransomware in attacks. In total, the company says it monitors more than 50 unique ransomware families that were actively used through the end of last year.

“Some of the most prominent ransomware payloads from recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal,” Microsoft said.

“Defense strategies, however, should focus less on payloads and more on the chain of activities that lead to their deployment,” as ransomware gangs still target servers and devices that are not yet patched against common or recently patched vulnerabilities.

Additionally, while new ransomware families are released all the time, most threat actors use the same tactics as they penetrate and spread through networks, making the effort to detect these behaviors even more useful in thwarting their attacks.

As Redmond added, attackers are increasingly relying on tactics beyond phishing, with threat actors such as DEV-0671 and DEV-0882 exploiting recently patched Exchange Server vulnerabilities to compromise vulnerable servers and deploy Cuba and Play ransomware.

Last week, the Exchange team urged administrators to deploy the latest supported Cumulative Update (CU) to secure on-premises Exchange servers and have them always ready to install an emergency security update.

More than 60,000 Internet-exposed Exchange servers are still vulnerable to attacks exploiting the ProxyNotShell RCE flaws. At the same time, thousands more remain unpatched against ProxyShell and ProxyLogon, two of the most exploited security vulnerabilities of 2021.
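The two preceding paragraphs boil down to one question an Exchange administrator has to answer per server: is it on a supported Cumulative Update, and does that CU carry the Security Update that fixes the flaw? The script below is an added example, not code from the article or from Microsoft (Microsoft's own HealthChecker script does this check far more thoroughly). It assumes you have already collected each server's ExSetup.exe file version; the minimum-build table is an assumption, listing the builds I believe shipped with the November 2022 SU for ProxyNotShell (CVE-2022-41040 / CVE-2022-41082), and the inventory is constructed sample data. Verify the builds against Microsoft's Exchange Server build number reference before relying on them.

```python
"""Classify on-premises Exchange servers by ExSetup.exe file version.

Added example, not from the article or from Microsoft. Input is a mapping of
server name -> version string as reported by the ExSetup.exe FileVersionInfo
or by Get-ExchangeServer's AdminDisplayVersion ("Version 15.2 (Build 1118.7)").
"""
from __future__ import annotations

import re

Build = tuple[int, int, int, int]

# ASSUMED table: (major, minor, CU build) -> first build on that CU that carries
# the November 2022 SU addressing ProxyNotShell. Verify against Microsoft's
# Exchange build number reference; replace with the current SU baseline.
MIN_PATCHED: dict[tuple[int, int, int], Build] = {
    (15, 0, 1497): (15, 0, 1497, 44),   # Exchange 2013 CU23
    (15, 1, 2375): (15, 1, 2375, 37),   # Exchange 2016 CU22
    (15, 1, 2507): (15, 1, 2507, 16),   # Exchange 2016 CU23
    (15, 2, 986):  (15, 2, 986, 36),    # Exchange 2019 CU11
    (15, 2, 1118): (15, 2, 1118, 20),   # Exchange 2019 CU12
}

_FILE_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
_ADMIN_DISPLAY_RE = re.compile(r"Version\s+(\d+)\.(\d+)\s+\(Build\s+(\d+)\.(\d+)\)")


def parse_build(text: str) -> Build:
    """Accept either '15.2.1118.7' or 'Version 15.2 (Build 1118.7)'."""
    m = _FILE_VERSION_RE.search(text) or _ADMIN_DISPLAY_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised Exchange version string: {text!r}")
    major, minor, cu, su = (int(g) for g in m.groups())
    return (major, minor, cu, su)


def assess(version: str) -> str:
    """Return 'unsupported-cu', 'missing-su' or 'patched' for one server."""
    build = parse_build(version)
    minimum = MIN_PATCHED.get(build[:3])
    if minimum is None:
        # No SU is published for this CU at all: the CU must be upgraded first.
        return "unsupported-cu"
    if build < minimum:
        # Supported CU, but the SU carrying the fix has not been installed.
        return "missing-su"
    return "patched"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Bucket every server so the two remediation queues are visible at once."""
    buckets: dict[str, list[str]] = {"unsupported-cu": [], "missing-su": [], "patched": []}
    for server, version in sorted(inventory.items()):
        buckets[assess(version)].append(server)
    return buckets


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = {
    "ex01": "15.2.1118.20",                 # 2019 CU12 with the Nov 2022 SU
    "ex02": "15.2.1118.7",                  # 2019 CU12 RTM, no SU at all
    "ex03": "Version 15.1 (Build 2308.8)",  # 2016 CU21: out of support, no SU exists
    "ex04": "15.1.2507.16",                 # 2016 CU23 with the Nov 2022 SU
    "ex05": "15.0.1497.42",                 # 2013 CU23 on an SU older than Nov 2022
}

if __name__ == "__main__":
    for bucket, servers in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:15s} {', '.join(servers) or '-'}")
```

The split into two queues is the point: a server in `unsupported-cu` cannot be fixed by pushing the SU, which is exactly why the Exchange team's advice is to stay on a supported CU first so that an emergency SU can be applied the day it ships.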

Other ransomware actors also turn to malicious advertising (malvertising) to deliver malware loaders and downloaders that in turn push ransomware and other malware strains, such as infostealers.

For example, a threat actor tracked as DEV-0569, believed to be an initial access broker for ransomware gangs, is now abusing Google Ads in large-scale advertising campaigns to distribute malware, steal passwords from infected devices, and ultimately gain access to corporate networks.

They use this access as part of their attacks or resell it to other malicious actors, including the Royal ransomware gang.

Last year saw the end of the Conti cybercrime operation and the rise of new ransomware-as-a-service (RaaS) operations, including Royal, Play and Black Basta.

Meanwhile, the LockBit, Hive, Cuba, BlackCat and Ragnar ransomware operations continued to breach and attempt to extort a steady stream of victims throughout 2022.

Nevertheless, ransomware gangs saw a revenue drop of roughly 40% last year: they extorted around $456.8 million from victims throughout 2022, down from roughly $765 million in each of the previous two years, according to blockchain analytics firm Chainalysis.

However, this significant drop was not caused by fewer attacks, but by their victims’ refusal to pay the attackers’ ransom demands.

This year started with a big win against ransomware groups after the Hive ransomware gang's Tor data leak and payment sites were seized as part of an international law enforcement operation involving the US Department of Justice, FBI, Secret Service and Europol.

After hacking Hive’s servers, the FBI distributed over 1,300 decryption keys to Hive victims and gained access to Hive communication records, malicious file hashes, and details of 250 Hive affiliates.

On the same day, the US State Department offered up to $10 million for any information that may help establish a link between the Hive ransomware gang (or other threat actors) and foreign governments.
