Akamai’s ransomware report released at Black Hat 2023 revealed that exploitation of zero-day and one-day vulnerabilities has led to a 143% increase in total ransomware victims with data exfiltration of files at the end of the kill chain, now the primary source of extortion.
Jump to:
- LockBit in the lead, CL0P in 2nd place
- Two clear trends show how threats are evolving
- Mid-sized organizations are the ‘Goldilocks zone’ for threat actors
- LockBit: a turnkey solution
- Manufacturing, health care in hot seat
- Mitigation is best defense
- Defense is best offense
LockBit in the lead, CL0P in 2nd
The report, Ransomware on the Move, looked at how exploitation techniques are evolving — including attackers’ sharpened focus on zero-day vulnerabilities. It showed how victims of multiple ransomware attacks were more than six times more likely to experience the second attack within three months of the first attack.
The authors from Akamai’s Security Intelligence Group reviewed data from the fourth quarter of 2021 to the second quarter of 2023. The authors reported that LockBit ensnared around 39% of all victim organizations tracked by Akamai, which said LockBit’s victim count is three times that of its nearest competitor, the CL0P group. Number three in volume of victims, ALPHV, aka Black Cat, focused its efforts on developing and exploiting zero-day points of entry (Figure A).
Figure A
- Top ransomware groups by victim count. Image: Akamai
Anthony Lauro, director of security technology and strategy at Akamai, explained that LockBit looks for high value targets with zero day vulnerabilities that companies can’t fix quickly. They tend to target and retarget these organizations and the sectors — like manufacturing and technology for example — where security operations are lagging, generally. Also, he explained, malware writers can choose tools and services from a growing dark ecosystem.
Two clear trends show how threats are evolving
The report spotlighted two trends that speak to how large groups — with reach and breadth of products including RaaS — have a stable growth and smaller groups focus on opportunities as they arise:
- The first is exemplified by LockBit, characterized by a steady count of 50 victims per month, and activity seems tied to its number of affiliates and its resources.
- The second, typified by groups like CL0P, feature spikes in activity from abusing critical zero-day vulnerabilities as they appear, and highly targeted security flaws.
“Malware writers can now split off operations, which is a change,” said Lauro. “It used to be that the attackers were a single entity or group that would be responsible for malware payload delivery, exploitation and follow up.” He added that, because of the open nature of the malware marketplace, groups like LockBit and Cl0P have been able to co-opt others to perform various tasks in the supply kill chain.
ALPHV: Rust never sleeps
Lauro said within the tactics found more often in the second trend group, “Are the tried and true methodologies, like Windows system vulnerabilities that are not necessarily high severity because these systems aren’t usually available to outside queries. Attackers can still access them. So, there are two major trends: spreading the victim base across easy targets and tactics and ones leveraging CVE and zero days looking at big players as targets.”
ALPHV, for example, second on Akamai’s list of attackers in terms of victim volume, uses the Rust programming language to infect both Windows and Linux systems. Akamai said the group exploited vulnerabilities in Microsoft Exchange server to infiltrate targets.
According to Akamai, the group spoofed a victim’s website last year (using a typosquatted domain). The new extortion technique included publishing the stolen files and leaking them on their website in order to tighten the thumbscrews on victims and encourage ransom payment.
Mid-sized organizations are the ‘Goldilocks zone’ for threat actors
In Akamai’s study, 65% of targeted organizations had reported revenue of up to $50 million dollars, while those worth $500 million dollars and up constituted 12% of total victims, according to Akamai. They also reported that the ransomware data used was collected from the leak sites of approximately 90 different ransomware groups.
Let’s call it ‘Cyberfracking’
If you had invested in a natural gas mining operation, you might “accidentally on purpose” reach out sideways to assets under other peoples’ lawns once you’d tapped out the target. LockBit attackers are likewise reaching out to victim’s customers, informing them about the incident and employing triple extortion tactics with the inclusion of Distributed Denial-of-Service attacks.
Lauro said different stages of exploitation and delivery and execution are the first two steps. Defense is predicated on edge defense elements like visibility, but the rest of it is after the fact, moving laterally and tricking systems, or making requests that look like a “friendly” — all inside the network.
SEE: Look at your APIs! Akamai says observability tools sorely lacking (TechRepublic)
“Once you’re inside most organizations are wide open, because as then, an attacker I don’t have to download special toolkits; I can use installed tools. So there is a lack of good localized network security. We are finding more and more environments in bad shape in terms of internal visibility and over time,” he said.
CL0P for a day … a zero day
CL0P, which is number three in terms of its volume of victims over the course of Akamai’s observation period, tends to abuse zero-day vulnerabilities in managed file transfer platforms. Akamai said the group exploited a legacy file transfer protocol that has been officially out of date since 2021, as well as a zero-day CVE in MOVEit Transfer to steal data from several organizations.
“It is worth noting how CL0P has a relatively low victim count until its activity spikes whenever a new zero-day vulnerability is exploited as part of its operation,” said the Akamai report authors. “And unlike LockBit, which has a semblance of consistency or pattern, CL0P’s attacks are seemingly tied to the next big zero-day vulnerability, which is hard to predict (Figure B).”
Figure B
- A comparison of quarterly victim counts among the top three ransomware groups: LockBit, ALPHV and CL0P. Image: Akamai
LockBit: a turnkey solution
Akamai noted that LockBit, whose website looks like a legitimate web concern, is touting new tools and even a bug bounty program in its latest 3.0 version. Just like white hats, the group is inviting security researchers and hackers to submit bug reports in their software for rewards ranging up to $1 million.
Akamai noted that while the bug bounty program is principally defensive, “It’s unclear if this will also be used to source vulnerabilities and new avenues for LockBit to exploit victims.” (Figure C).
Figure C
- LockBit seeks ethical and unethical hackers. Source: Akamai via Bleeping Computer.
On its site, LockBit seeks ethical AND Unethical hackers. Source: Akamai via Bleeping Computer.
Manufacturing, health care in hot seat
Of all vertical industries, manufacturing saw a 42% increase in total victims during the period Akamai investigated. LockBit was behind 41% of overall manufacturing attacks.
The health care vertical saw a 39% increase in victims during the same period, and was targeted primarily by the ALPHV (also known as BlackCat) and LockBit ransomware groups.
SEE: Akamai focused on fake sites in research released at RSA
Mitigation is best defense
Akamai’s recommendations on lessening the chance of attack and mitigating the effects of an incursion include adopting a multilayered approach to cybersecurity that includes:
- Network mapping to identify and isolate critical systems and limit network access in and out to put fences up in the face of threat actors’ efforts at lateral movement.
- Patch, patch, patch: update software, firmware and operating systems.
- Tale snapshots: maintain regular offline backups of critical data and establish an effective disaster recovery plan.
- Develop and regularly test an incident response plan that outlines the steps to be taken in case of a ransomware attack. This plan should include clear communications channels, roles and responsibilities and a process for engaging law enforcement and cybersecurity experts.
- Train, and train again: Don’t give employees, vendors and suppliers access to organizational sites or systems until they’ve had (regular) cybersecurity awareness training on phishing attacks, social engineering and other ransomware vectors.
- If you see something, say something: Encourage employees and stakeholders to report suspicious activities.
Defense is best offense
Defense tactics, according to Akamai, should include:
Blocking exfiltration domains
Limit access to services that can be abused for data exfiltration by either using solutions that block known malicious url and DNS traffic, or by using solutions or controls that allow blocking access to specific domains.
Hang those honey-coated fly strips
Honeypots: use them. Akamai said they can help trap probing attackers, luring them into servers where their activities can be monitored
Scan and scan again
Use an intrusion detection system to do suspicious network scans. Akamai noted that attackers use identifiable tools to finger targets within an organization’s network. You can detect them.
Check passports at the gate
Akamai suggests using tools for inspection of outgoing internet traffic to block known malware C2 servers. “Solutions must be able to monitor your entire DNS communications in real time and block communications to malicious domains, preventing the malware from running properly and accomplishing its goals,” the firm said.