Top Highlights
- Ransomware attackers are shifting from loud, disruptive tactics to stealthy, long-term infiltration, using evasion techniques and routing traffic through trusted services to avoid detection.
- The volume of ransomware attacks and the number of active groups remain high, with attackers increasingly chaining exploits and favouring extortion based on data theft and exfiltration over encryption.
- Notable groups such as Qilin, Cl0p, and Akira are evolving rapidly, targeting infrastructure such as hypervisors and operating more like platform businesses, often offering extortion as a service.
- Defensive strategies should prioritise strengthening identity controls, monitoring trusted applications, and focusing detection on persistence, data exfiltration, and supply chain weaknesses.
Problem Explained
Ransomware attackers are shifting from loud, disruptive attacks to stealthy, prolonged intrusions. According to Picus Security, they now focus on maintaining silent access and evading detection, often routing command-and-control traffic through trusted services such as AWS and OpenAI, where it blends in with legitimate business traffic and is less likely to be blocked on reputation alone. The aim is to avoid immediate exposure, making attacks harder to detect and stop. Attackers also chain several vulnerabilities together rather than relying on a single flaw, undermining trust in the affected systems and the operator's control over them. Meanwhile, they are increasingly exfiltrating data without encrypting it, prioritising extortion through data theft over outright disruption; Picus reports a 38% drop in encryption activity.
Many experts dispute claims of a decline in ransomware activity, citing a rising number of active groups and increased victim reports. Groups such as Qilin, Cl0p, and Akira are among the most active, and some, such as Akira, target the hypervisor itself, below the guest operating systems that endpoint protection tools cover. Cybercriminals now operate like platforms, renting tools to less skilled individuals, which has expanded the scale and diversity of threats. As these tactics evolve, security leaders are urged to strengthen identity controls, monitor trusted systems, and focus detection efforts on persistence and data exfiltration to defend against these sophisticated, stealthy attacks.
Potential Risks
Ransomware groups are changing their tactics: instead of quick, noisy attacks, they now focus on stealth and prolonged access. This shift means a business may be compromised without immediate detection. Once inside, attackers can quietly expand their access, making their presence harder to spot. Over time, they may siphon data or prepare for a later, more damaging attack. The longer the intrusion remains hidden, the greater the risk of severe data loss, financial damage, and reputational harm. Even a business with generally sound security can suffer unexpected, extensive consequences if these threats go unnoticed.
Possible Actions
As ransomware groups increasingly adopt stealthy tactics and maintain long-term access to compromised systems, timely remediation becomes crucial. Rapid detection and response can stop these threats before they become persistent footholds that cause prolonged disruption and severe data loss.
Proactive Measures
Implement real-time monitoring tools to identify unusual activity early, enabling swift action before attackers deepen their foothold.
Threat Hunting
Conduct regular threat hunting exercises to uncover hidden threats within network infrastructure, helping to locate and neutralize undetected breaches.
Vulnerability Management
Maintain a rigorous patch management process to close security gaps exploited for prolonged access, reducing attack surfaces.
Network Segmentation
Segment networks to contain breaches, preventing lateral movement and limiting attacker persistence.
Access Control
Enforce strict access controls and multi-factor authentication, and rotate or revoke credentials exposed in an incident, to reduce the risk of attackers maintaining long-term access through compromised accounts.
Incident Response Planning
Develop and regularly update incident response and remediation plans, ensuring quick, coordinated efforts to contain and remediate breaches.
Monitoring and Logging
Enhance logging and continuous monitoring, including of outbound traffic to trusted cloud and API services, so that attack behaviours such as beaconing and bulk data transfer are detected and understood quickly enough to respond.
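The monitoring items above are abstract, so here is an added worked example (not code from the original article or from Picus Security) of the kind of detection logic they call for, run over a small, constructed proxy log. It flags two behaviours the article associates with stealthy ransomware crews: regularly spaced outbound requests to a single host (beacon-like command-and-control, which the destination's good reputation does not rule out), and an unusually large outbound byte volume to one host (possible exfiltration without encryption). The log format, hostnames, IP addresses and thresholds are all assumptions chosen for the illustration.

```python
"""Toy detection pass over constructed proxy-log lines (added example, not from the article).

Two heuristics the article's guidance points at:
  1. beacon-like, near-constant spacing of outbound requests from one client
     to one host, regardless of whether that host is a "trusted" service;
  2. large total outbound volume to one host, a possible exfiltration signal.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log. Format (assumed): "timestamp src_ip dest_host bytes_out".
# 10.0.0.5 talks to a cloud API every ~300 s with tiny payloads (beacon-like).
# 10.0.0.7 is ordinary, irregular intranet traffic.
# 10.0.0.9 pushes ~360 MB to an object-storage host in three minutes.
SAMPLE_LOG = """\
2024-05-01T09:00:00 10.0.0.5 api.example-cloud.test 512
2024-05-01T09:05:01 10.0.0.5 api.example-cloud.test 498
2024-05-01T09:10:00 10.0.0.5 api.example-cloud.test 530
2024-05-01T09:14:59 10.0.0.5 api.example-cloud.test 505
2024-05-01T09:20:00 10.0.0.5 api.example-cloud.test 511
2024-05-01T09:03:12 10.0.0.7 intranet.corp.test 2048
2024-05-01T09:31:40 10.0.0.7 intranet.corp.test 1800
2024-05-01T10:12:05 10.0.0.7 intranet.corp.test 900
2024-05-01T09:01:00 10.0.0.9 storage.example-bucket.test 120000000
2024-05-01T09:02:00 10.0.0.9 storage.example-bucket.test 130000000
2024-05-01T09:03:00 10.0.0.9 storage.example-bucket.test 110000000
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_ip, dest_host, bytes_out) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), src, host, int(nbytes)))
    return records


def group_by_flow(records):
    """Group records by (src_ip, dest_host), each group sorted by time."""
    flows = defaultdict(list)
    for ts, src, host, nbytes in records:
        flows[(src, host)].append((ts, nbytes))
    for events in flows.values():
        events.sort()
    return flows


def find_beacons(records, min_hits=4, max_cv=0.1):
    """Return {(src, host): mean_gap_seconds} for flows whose inter-request
    gaps are near-constant: coefficient of variation (stdev / mean) < max_cv.
    Flows with fewer than min_hits requests are skipped to avoid noise."""
    hits = {}
    for key, events in group_by_flow(records).items():
        if len(events) < min_hits:
            continue
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg < max_cv:
            hits[key] = avg
    return hits


def find_exfil(records, threshold_bytes=100_000_000):
    """Return {(src, host): total_bytes_out} for flows above the volume threshold."""
    totals = defaultdict(int)
    for _ts, src, host, nbytes in records:
        totals[(src, host)] += nbytes
    return {k: v for k, v in totals.items() if v > threshold_bytes}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (src, host), gap in find_beacons(recs).items():
        print(f"BEACON?  {src} -> {host}: request every ~{gap:.0f}s")
    for (src, host), total in find_exfil(recs).items():
        print(f"EXFIL?   {src} -> {host}: {total / 1e6:.0f} MB outbound")
```

On the constructed log this flags 10.0.0.5 -> api.example-cloud.test as beacon-like and 10.0.0.9 -> storage.example-bucket.test as a volume outlier, while the irregular intranet traffic passes. Real implants add jitter, so in production the interval check should be paired with a per-host baseline and run over longer windows; the volume threshold likewise needs to come from observed normal traffic for each client rather than a fixed constant.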
Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.
