Ransomware acting within 24 hours of access now: Secureworks report
The annual State of the Threat Report from Secureworks indicates that half of all ransomware deployments happen within one day of initial access. In other words, threat actors can progress from first gaining a foothold to deploying ransomware across the environment in less than 24 hours, drastically shrinking the window in which businesses can detect and contain the intrusion.
The report was compiled by the Secureworks Counter Threat Unit (CTU) and identifies the key strategies employed by cybercriminals and state-sponsored threat actors. Noteworthy findings include an increase in "name and shame" attacks, in which victims' details are leaked online; these were largely driven by proliferating ransomware gangs such as Lockbit and Cl0p. Russia has notably aimed campaigns at relief efforts, scientific researchers, and weapons suppliers.
Ransomware median dwell time - the time between initial system access and ransomware deployment - has dropped from 4.5 days to under one day over the past year, according to the report. In some cases, ransomware was deployed within five hours of initial access. The report attributes this sharp decrease to cybercriminals seeking a lower chance of detection: threat actors now favour simpler and quicker operations over complex, enterprise-wide encryption events. The risk associated with these attacks nevertheless remains high, according to Don Smith, VP Threat Intelligence at Secureworks' CTU. Smith also observes that despite high-profile takedowns and sanctions, cybercriminals continue to adapt and pose a significant threat.
While notorious threat actors like GOLD MYSTIC (Lockbit) still dominate the ransomware landscape, new groups are emerging, bringing about a significant rise in victim and data leaks. This has made the past four months the busiest period for victim numbers since the start of the "name and shame" attacks in 2019.
The report identifies the three main initial access vectors used by ransomware attackers as scan-and-exploit, stolen credentials, and commodity malware delivered through phishing emails. Over half of the most exploited vulnerabilities during the report period were known vulnerabilities from 2022 or earlier. Despite much discussion of AI-based attacks, most high-profile attacks in 2023 were the result of unpatched infrastructure. As Smith says, "cybercriminals are reaping the rewards from tried and tested methods of attack, so organisations must focus on basic cyber hygiene".
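The two findings above, a median dwell time under 24 hours and three dominant initial-access vectors, translate into a concrete detection question for a security operations team: for each host, how long passes between the first access signal and the first encryption-like behaviour, and which hosts currently show an access signal with no impact yet. The script below is an added example written for this article, not code from Secureworks or from the State of the Threat Report. The event names, hosts and timestamps are constructed for illustration; the three access event types simply mirror the vectors named in the report.

```python
"""Dwell-time triage over constructed endpoint and authentication events.

Added example for the dwell-time and initial-access discussion above; it is
not code from Secureworks or the State of the Threat Report. Event names,
hosts and timestamps are all constructed for illustration.
"""
from datetime import datetime
from statistics import median

# Constructed sample log: (ISO timestamp, host, event type). Not real data.
# The three initial-access kinds mirror the report's top vectors; the impact
# kind stands in for the encryption-like behaviour of a ransomware deployment.
SAMPLE_EVENTS = [
    ("2023-09-01T08:02:00", "web01", "scan_exploit"),        # scan-and-exploit
    ("2023-09-01T13:10:00", "web01", "mass_file_rename"),
    ("2023-09-02T09:00:00", "fs02", "phish_payload_exec"),   # commodity malware via phishing
    ("2023-09-04T22:30:00", "fs02", "mass_file_rename"),
    ("2023-09-03T07:45:00", "vpn01", "stolen_cred_login"),   # stolen credentials
    ("2023-09-03T12:45:00", "vpn01", "mass_file_rename"),
    ("2023-09-05T10:00:00", "db03", "stolen_cred_login"),    # access seen, no impact yet
    ("2023-09-06T01:00:00", "hr04", "mass_file_rename"),     # impact seen, access never logged
]

INITIAL_ACCESS = {"scan_exploit", "stolen_cred_login", "phish_payload_exec"}
IMPACT = {"mass_file_rename"}


def parse_events(events):
    """Parse the raw tuples and order them by time (sorting on the datetime first)."""
    return sorted((datetime.fromisoformat(ts), host, kind) for ts, host, kind in events)


def first_events(events):
    """Per host: first initial-access event as (timestamp, vector), and first impact timestamp."""
    first_access, first_impact = {}, {}
    for ts, host, kind in parse_events(events):
        if kind in INITIAL_ACCESS:
            first_access.setdefault(host, (ts, kind))
        elif kind in IMPACT:
            first_impact.setdefault(host, ts)
    return first_access, first_impact


def dwell_times(events):
    """Hours from first access to first impact, keyed by host, paired with the access vector."""
    access, impact = first_events(events)
    result = {}
    for host, when in impact.items():
        if host in access and access[host][0] <= when:
            hours = (when - access[host][0]).total_seconds() / 3600
            result[host] = (hours, access[host][1])
    return result


def summarise(events):
    """The report's two headline figures: median dwell and share of incidents under 24 hours."""
    hours = [h for h, _ in dwell_times(events).values()]
    if not hours:
        return {"incidents": 0, "median_hours": None, "share_under_24h": None}
    return {
        "incidents": len(hours),
        "median_hours": median(hours),
        "share_under_24h": sum(h < 24 for h in hours) / len(hours),
    }


def access_without_impact(events):
    """Hosts with an access signal but no impact yet: the only window where response still prevents encryption."""
    access, impact = first_events(events)
    return sorted(h for h in access if h not in impact)


def impact_without_access(events):
    """Hosts that appear to go straight to impact: a telemetry gap on the access vector, not a zero-dwell attack."""
    access, impact = first_events(events)
    return sorted(h for h in impact if h not in access)


if __name__ == "__main__":
    print(summarise(SAMPLE_EVENTS))
    print("act now:", access_without_impact(SAMPLE_EVENTS))
    print("telemetry gap:", impact_without_access(SAMPLE_EVENTS))
```

On the constructed data the median dwell is about five hours and two of three incidents finish inside 24 hours, which is the shape of the report's finding. The two list functions are the operational point: `access_without_impact` is the queue that must be worked before the day is out, and `impact_without_access` flags hosts where the access vector was never logged, so the apparent zero dwell is a visibility gap to fix rather than a statistic to record.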
The report also explores the activities and trends of state-sponsored threat groups from China, Russia, Iran, and North Korea. Geopolitics remains the primary motivation behind state-sponsored activity. Nations have diversified their tactics, with China focusing on Eastern Europe and Iran using fake personas to obscure attribution. Meanwhile, North Korean threat groups stole an estimated US$2.3 billion in crypto assets between May 2017 and May 2023.
The Secureworks State of the Threat Report provides an in-depth analysis of the evolving global cybersecurity threat landscape over the last year. It is based on the real-life incident observations of Secureworks' Counter Threat Unit and offers critical insight into the threats observed on the cybersecurity front line.