Ransomware Dwell Time Hits Low of 24 Hours
Analysis from Secureworks annual State of The Threat Report shows ransomware median dwell time has dropped from 4.5 days to less than 24 hours in a year
SYDNEY, October 6, 2023: Ransomware is being deployed within one day of initial access in more than 50% of engagements, says Secureworks® (NASDAQ: SCWX) Counter Threat Unit™ (CTU™). In just 12 months the median dwell time identified in the annual Secureworks State of the Threat Report has freefallen from 4.5 days to less than one day. In 10% of cases, ransomware was even deployed within five hours of initial access.
“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace,” Smith continued.
The annual State of the Threat report examines the cybersecurity landscape from June 2022 to July 2023. Key findings include:
- While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on “name and shame” leak sites. The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
- The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit, stolen credentials and commodity malware via phishing emails.
- Exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the report period.
Most Active Ransomware Groups
The same threat groups continued to dominate in 2023 as in 2022. GOLD MYSTIC’s LockBit remains the head of the pack, with nearly three times the number of victims as the next most active group, BlackCat, operated by GOLD BLAZER.
New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023. 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit. Analysis shows that some of the victims go back as far as mid 2022, although they were dumped at the same time. MalasLocker’s attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May. The report examines what leak site activity actually reveals about ransomware attack success rates — it’s not as straightforward as it seems.
The report also reveals that victim numbers per month from April-July 2023 were the most prolific since name and shame emerged in 2019. The highest number of monthly victims ever was posted to leak sites in May 2023 with 600 victims, three times as many as in May 2022.
Top Initial Access Vectors for Ransomware
The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit (32%), stolen credentials (32%) and commodity malware via phishing emails (14%).
Scan-and-exploit involves the identification of vulnerable systems, potentially via a search engine like Shodan or a vulnerability scanner, and then attempting to compromise them with a specific exploit. Within the top 12 most commonly exploited vulnerabilities, 58% have CVE dates of earlier than 2022. One (CVE-2018-13379) also made the top 15 most routinely exploited list in 2021 and 2020.
“Despite much hype around ChatGPT and AI style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure. At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organisations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype,” Smith continued.
The World of Nation-State Attackers
The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to China, Russia, Iran, and North Korea. Geopolitics remains the primary driver for state-sponsored threat groups across the board.
China:
China has shifted part of its attention to Eastern Europe, while also maintaining a focus on Taiwan and other near neighbors. It displays a growing emphasis on stealthy tradecraft in cyberespionage attacks — a change from its previous “smash-and-grab” reputation. The use of commercial tools like Cobalt Strike, as well as Chinese open-source tooling, minimises risk of attribution and blends with activity from post-intrusion ransomware groups.
Iran:
Iran remains focused on dissident activity, on hindering progress on the Abraham Accords, and on Western intentions towards renegotiations of nuclear accords. Iran’s main intelligence services — the Ministry of Intelligence and Security (MOIS or VAJA) and the Islamic Revolutionary Guard Corp (IRGC) — both use a network of contractors to support offensive cyber strategies. The use of personas (impersonating real people or fake created people) is a key tactic across Iranian threat groups.
Russia:
The war in Ukraine remained the focus for Russian activity. This falls into two camps; cyberespionage and disruption. This year has seen an increase in the amount of patriotic-minded cyber groups targeting organisations considered adversaries of Russia. For gangs, Telegram is the social media/messaging platform of choice for recruitment, targeting and celebrations of success. The malicious use of trusted third-party cloud services is frequently incorporated into Russian threat group operations.
North Korea:
North Korea threat groups fall into two groups: cyber espionage and revenue generation for the isolated regime. AppleJeus has been a fundamental tool for North Korea’s financial theft initiatives, and according to Elliptic, North Korean threat groups have stolen $2.3 billion USD in crypto assets between May 2017 and May 2023 (30% of this from Japan).
State of the Threat Report 2023
This latest State of the Threat Report is the seventh annual report from Secureworks providing a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information within the report is drawn from the Secureworks Counter Threat Unit’s (CTU) firsthand observations of threat actor tooling and behaviors and includes real-life incidents. Our annual threat analysis provides a deep dive insight into the threats our team has observed on the front line of cybersecurity.
The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2023
About Secureworks
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world threat intelligence and research, improving customers’ ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions. Connect with Secureworks via Twitter, LinkedIn and Facebook and Read the Secureworks Blog
Contact:
Louise Roberts or Sonia Morris
Sphere PR for Secureworks
T: +61 (0)2 8065 0304
M: +61(0) 405 579633 or +61(0)421 672162