LockBit 3.0, Black Basta Lead Barrage of Q3 Ransomware Attacks

There were 27 ransomware variants that carried out 455 attacks during the third quarter (Q3) of 2022, 72 fewer than were recorded in the second quarter (Q2) of 2022, according to an Intel 471 ransomware report.

According to the study, the most prevalent ransomware variant was LockBit 3.0 (responsible for 42.2% of all reported incidents), followed by Black Basta, Hive, ALPHV (aka ALPHV-ng) and BlackCat.

The most-impacted regions were North America and Europe, and the top targeted sectors included consumer and industrial products, manufacturing, and professional services and consulting.

The report also noted that the dissolution of the Conti ransomware group likely impacted the overall quantity of breaches as well as the placement of the most impactful ransomware variants in the third quarter.

Even Ransomware Gangs Face Insider Threats

Beth Allen, senior threat intelligence analyst at Intel 471, explained that ransomware groups are increasingly impacted by disgruntled affiliates, as seen this quarter when LockBit files containing builder code were leaked by a disgruntled coder.

“This shows that even well-established affiliate groups can struggle with operational security,” she said. “This trend is likely to continue in the future as more affiliates become disgruntled.”

This will likely create a power vacuum within the cyber underground, spawning a plethora of new ransomware variants and groups and making it increasingly difficult for law enforcement agencies to track and thwart them. It is also difficult for businesses to defend against these threats because of the alternate tactics, techniques and procedures (TTPs) used, Allen said. She pointed out that businesses large and small are at different stages of preparedness when it comes to defending against ransomware threats.

“This is because cybersecurity maturity across all sectors is highly varied and organizations that neglect or lack sufficient cybersecurity are more likely to be the victim of ransomware, as well as being less prepared to recover from such an incident,” she said.

Moreover, ransomware groups are constantly evolving their TTPs or exploiting zero-day vulnerabilities to gain initial access, establish footholds or move laterally within networks, she added.

“Security leaders across all sectors must continue to invest in the right combination of technology and expertise from both private and public sector entities, transitioning their approach from reactive to proactive, to improve the ability to defend against ransomware,” Allen advised. 

Joseph Carson, chief security scientist and advisory CISO at Delinea, added that ransomware attacks used to focus on targeting a single computer or limited network. When an employee clicked on a link, they unknowingly downloaded malware which would then encrypt the computer or server. That threat has metastasized with today’s increasingly interconnected networks.

“A restore from backup could usually help fix the problem,” he explained. “Today, attackers focus on compromising user credentials and passwords to gain an entry point from which they can exploit our vast connected networks.”

Once inside the network, undetected, the cybercriminals seek to elevate credential privileges, traverse the network, locate sensitive data and plan how to exfiltrate and encrypt the data.

Carson noted that this dwell time—the time between the point of entry until the actual launch of ransomware and detection of the attack—enabled attackers to understand the network and find and exfiltrate critical data.

“They will then leave cryptolocking malware on your systems to launch when they are ready,” he cautioned. “Typically, once an attacker gains access to domain administrator privileges, it is usually only a matter of hours before the ransomware is deployed and business comes to a halt.”

Improving Defense Posture

Allen said the first steps to improving any defense posture are to ensure that appropriate backups are in place and that restoring from them is tested regularly, that users’ access is limited to what their job role requires, and that multifactor authentication (MFA) and network segmentation are implemented.

“Additionally, it is important to track and understand all prevalent ransomware groups, not just variants that are impacting an organization’s operating region, country, sector or industry,” she explained. “This gives a holistic overview of different groups and insight into different TTPs being employed by affiliates.”

Allen added that monitoring for specific threats—such as compromise of a third-party vendor or an insider threat—can also help leaders be aware of potential cybersecurity incidents before they happen.

“Ransomware groups are almost certain to continue evolving and adapting their TTPs, along with using well-established ones such as utilizing double extortion tactics,” she said. “The end goal of any ransomware group is to make as much money as possible in the shortest amount of time, while inflicting as much disruption as possible.”
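The first of Allen's defensive steps, keeping backups and regularly testing that they restore, is easy to state and easy to skip. As an added example (this is not code from the article or from Intel 471), the Python script below shows one way to make the restore test mechanical: a SHA-256 manifest is recorded from the source tree when the backup is taken, and a restored copy is later checked against it so that files that came back missing, truncated or altered are reported instead of being discovered during an actual incident. The directory names and sample files are constructed for the demonstration.

```python
"""Backup restore verification (added example; not from the article or Intel 471).

Builds a SHA-256 manifest of a source tree at backup time, then checks a
restored copy against it, reporting files that are missing, altered or
unexpected. The paths and sample files used in demo() are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def _sha256(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = _sha256(path)
    return manifest


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken at backup time.

    Returns the discrepancies found, grouped by kind. An empty dict means the
    restore is complete and byte-for-byte identical to what was backed up.
    """
    actual = build_manifest(restored)
    missing = sorted(set(manifest) - set(actual))
    unexpected = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    result: dict[str, list[str]] = {}
    if missing:
        result["missing"] = missing
    if modified:
        result["modified"] = modified
    if unexpected:
        result["unexpected"] = unexpected
    return result


def demo() -> dict[str, list[str]]:
    """Simulate a backup, a restore that silently lost and truncated files, and the check."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "source"
        restored = Path(tmp) / "restored"
        (src / "db").mkdir(parents=True)
        # Constructed sample data standing in for what a backup job would cover.
        (src / "db" / "customers.sql").write_text("INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "notes.txt").write_text("quarterly restore drill\n")
        manifest = build_manifest(src)  # recorded when the backup is taken

        # A restore that went wrong: one file absent, one truncated.
        (restored / "db").mkdir(parents=True)
        (restored / "db" / "customers.sql").write_text("INSERT INTO customers")
        (restored / "config.yaml").write_text("retention_days: 30\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    problems = demo()
    print("restore OK" if not problems else f"restore FAILED: {problems}")
```

In practice the manifest would be stored with the backup (and, ideally, a copy kept off the backup host, since an attacker who can alter the backup can alter a manifest stored beside it), and verify_restore would run against a scratch restore on a schedule, with any non-empty result raised as an alert.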

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
