The increasing sophistication of attacks coupled with a growing number of threat actors makes ransomware one of the most dangerous cyber threats nowadays. Ransomware attacks can lead to data loss, disrupt business operations and compromise sensitive information, causing significant financial losses and reputational damage that can be devastating to individuals and organizations.
Open-source tracking of close to 100 ransomware groups indicates an average of 231 breaches per month between September 2022 and February 2023, with the top three groups alone executing 157 attacks in the past 30 days (February 15 to March 15). At the same time, the FBI’s recently released 2022 Internet Crime Report revealed ransomware breaches of 2,385 organizations, including 860 in critical infrastructure sectors, last year. Healthcare was the most impacted sector with 210 breaches, followed by manufacturing (157) and government (115). The top three groups active in these sectors were LockBit (149 breaches), ALPHV (114) and Hive (which was recently disrupted but had 87 breaches last year).
These raw statistics hide the fact that ransomware has been evolving rapidly, especially since 2020, with the following changes:
• The use of double extortion, which involves not only encrypting the victim’s files but also stealing data and threatening to publish it unless the ransom is paid. The pressure on victims has been continually increasing. In 2023, groups such as ALPHV and Medusa started releasing pictures of patients getting cancer treatments and leaked student records to shame victim organizations into paying.
• The increased focus on targeted attacks against specific organizations rather than casting a wide net. These attacks are often conducted after extensive reconnaissance and can be much more successful in terms of both encrypting data and obtaining payment.
• The use of zero-day exploits, which have no patch available and are harder to detect and defend against, in attack campaigns. Recent examples include a zero-day used to circumvent Windows SmartScreen and deploy the Magniber ransomware and a zero-day in the Fortra GoAnywhere MFT secure file-sharing solution used by Clop to exfiltrate data.
Although ransomware groups continue to evolve and refine their operations, their most common technical tactics, techniques, and procedures (TTPs) remain mostly constant. Forescout’s Vedere Labs has been consistently analyzing and reporting on ransomware payloads, incidents and behaviors, such as the rise in Linux and ESXi targets, for the past few years. In this report, we revisited those analyses and focused on campaigns observed in the past year to determine the TTPs commonly used by ransomware adversaries. We categorized each observed TTP using the MITRE ATT&CK framework. Families analyzed include the top three currently active (LockBit, ALPHV and Royal) as well as past operations such as Ryuk, REvil, Conti and Hive.
Our analysis indicates that adversaries often follow similar patterns in their attacks. This provides an opportunity to systematize recommendations to prevent and detect these attacks. However, it’s important to note that the TTPs in this report are just the most common examples. It is critical for organizations to implement strong security practices and stay vigilant against the evolving nature of cyber threats.
The table below summarizes the common TTPs we observed. In Section 2, we describe each TTP in detail and in Section 3 we provide general mitigation recommendations and recommendations against specific TTPs.