The exploitation in remote services has become the primary initial access vector (IAV) in ransomware attacks over the past year, accounting for 52% of ransomware incidents, cybersecurity company Secureworks reveals in its annual State of the Threat Report. In addition, Secureworks reports a 150% rise in the use of “infostealers” — a key precursor to ransomware.
Secureworks’ 2022 report provides an overview of how the global cybersecurity threat landscape has evolved over the last 12 months, with a focus on the Secureworks Counter Threat Unit's firsthand observations of threat actor tooling and behaviors.
Barry Hensley, chief threat intelligence officer for Secureworks, added context to the study:
"We conduct thousands of incident response engagements every year. While ransomware remains the most prominent threat to businesses, we are tracking notable shifts in threat actor behaviors and their approach to campaigns. It's too simple to claim that ransomware-as-a-service is slowing. Our research clearly shows a rise in infostealers use and an evolution of tools and adversaries. The threat is changing, but it is not going away. It's critical for organizations to stay ahead of the adversary with solutions that effectively prioritize risk, based on the most up-to-date intelligence. When businesses understand the nature of the threat, they can better focus resources and move quickly to optimize response."
Highlights from the report include:
- A shift to exploiting vulnerabilities as primary initial access vector (IAV) over credentials-based attacks
- Accelerated use of infostealers as a means of enabling ransomware operations
- Insights into the changing groups and threats associated with the continued dominance of ransomware
- Changes and newcomers in the loader landscape
- Tools and tactics of hostile government-sponsored groups across the world
The Onward March of Ransomware
Ransomware continues to remain the primary threat facing organizations, accounting for more than a quarter of all attacks, Secureworks reports. And, despite a series of high-profile law enforcement interventions and public leaks, and a small slow down over the summer months, ransomware operators have maintained high levels of activity.
The median detection window in 2022 is four and a half days, compared to five days in 2021, according to Secureworks. The mean dwell time in 2021 was 22 days, but so far in 2022 it is down to 11 days. Thus, companies effectively have one working week to respond to and mitigate damage.
The number of victims listed on public "name and shame" sites continues to remain high with no year-over-year reduction, Secureworks reports. Despite some monthly fluctuations, the number of victims named in the first six months of 2022 is slightly higher at 1,307 than the 1,170 named in the first six months of 2021.
Based on Secureworks' incident response engagements, this year's biggest offenders (all tied to Russia) are:
Secureworks found that in some instances the bad actors are making use of the fear surrounding ransomware to undertake lower tech crimes. Hack and leak operations, where data is stolen and a ransom is demanded but no ransomware is deployed, continued into 2022, with GOLD TOMAHAWK and GOLD RAINFOREST among the top culprits.
The Rise of Infostealers
Secureworks’ researchers report an increase in the sale of network access sourced from credentials acquired by information stealers. In a single day in June 2022, researchers observed more than 2.2 million credentials obtained by infostealers available for sale on just one underground marketplace. Last year, this figure on the same market and with respect to the same stealers was 878,429. That's an increase year on year of more than 150%.
The three main stealer markets include: Genesis Market, Russian Market and 2easy, according to Secureworks. There are many infostealers selling data on underground forums, but some of the major ones include Redline, Vidar, Raccoon, Taurus and AZORult.
Secureworks CTU has tracked several significant activities that can be attributed to nation-state sponsored threat groups, including their motivations, behaviors and tactics. To learn more, read the full report.