Ransomware Rebounds: Extortion Threat Surges in 2023, Attackers Rely on Publicly Available and Legitimate Tools

Written by: Bavi Sadayappan, Zach Riddle, Jordan Nuce, Joshua Shilko, Jeremy Kennelly


 

<

div class=”block-paragraph_advanced”>

A version of this blog post was published to the Mandiant Advantage portal on April 18, 2024.

Executive Summary

  • In 2023, Mandiant observed an increase in ransomware activity as compared to 2022, based on a significant rise in posts on data leak sites and a moderate increase in Mandiant-led ransomware investigations.
  • Mandiant observed an increase in the proportion of new ransomware variants compared to new families, with around one third of new families observed in 2023 being variants of previously identified ransomware families. 
  • Actors engaged in the post-compromise deployment of ransomware continue to predominately rely on commercially available and legitimate tools to facilitate their intrusion operations. Notably, we continue to observe a decline in the use of Cobalt Strike BEACON, and a corresponding increase in the use of legitimate remote access tools.
  • In almost one third of incidents, ransomware was deployed within 48 hours of initial attacker access. Seventy-six percent (76%) of ransomware deployments took place outside of work hours, with the majority occurring in the early morning. 
  • Mandiant’s recommendations to assist in addressing the threat posed by ransomware are captured in our Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities and Endpoints white paper.

Introduction

Threat actors have remained driven to conduct ransomware operations due

[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.

This article has been indexed from Threat Intelligence

Read the original article: