Ransomware remains biggest threat to SMBs, says Sophos Threat Report

Sophos has found that ransomware remains the principal threat to small and medium-sized businesses (SMBs), despite a stabilisation in the number of attacks.

The 2024 Threat Report identified that data and credential theft malware, including keyloggers, spyware, and stealers, also constituted nearly 50% of all malware detections targeting SMBs.

Attackers use this stolen information to gain unauthorised remote access, extort victims, deploy ransomware, and more.

Data and Credential Theft: A Rising Concern for SMBs

Christopher Budd, Director of Sophos X-Ops Research, stressed the growing allure of data as a currency among cybercriminals, especially towards SMBs, which often rely on a single service or software application to run their entire operations.

“There’s a reason that more than 90% of all cyberattacks reported to Sophos in 2023 involved data or credential theft,” Budd explained, highlighting the criticality of securing access to essential business applications to prevent financial theft and unauthorised access.

“Let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software.

“Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts,” said Budd.

Ransomware Dominates Cyberthreat Landscape

Despite a stabilisation in the number of attacks, ransomware remains the principal threat to SMBs.

Sophos Incident Response (IR) identified LockBit, Akira, and BlackCat as the top ransomware gangs targeting SMBs, alongside attacks by older and lesser-known ransomware variants.

The report notes a 62% increase in ransomware attacks involving remote encryption between 2022 and 2023, and highlights instances of small businesses attacked through vulnerabilities in their managed service providers’ (MSPs) software.

Evolving Tactics in Social Engineering

The Sophos report also sheds light on the sophistication of business email compromise (BEC) and social engineering attacks, now the second highest type of attacks after ransomware.

Attackers are engaging in more elaborate tactics, including extended email conversations and phone…


LockBit remains most dangerous ransomware despite fall in attacks

Ransomware attacks by LockBit represent a shrinking proportion of global ransomware and digital extortion (R&DE) attacks in 2023, according to new research, but still represent the most significant threat to organizations in the UK.

Analysis shows that the group is still the primary R&DE threat to all industries globally, regardless of location, according to ZeroFox.


LockBit Remains Top Global Ransomware Threat

The LockBit ransomware strain continues to be the primary digital extortion threat to all regions, and almost all industries globally, according to a report by ZeroFox.

Researchers found that LockBit was leveraged in more than a quarter of global ransomware and digital extortion (R&DE) attacks in the seven quarters analyzed from January 2022 to September 2023.

This includes 30% of all R&DE attacks in Europe and 25% in North America during the period.

However, ZeroFox said that the overall proportion of attacks that LockBit accounts for is on a downward trajectory. This is likely due to increasing diversification of the R&DE landscape, with ransomware-as-a-service (RaaS) offerings lowering the barriers to entry for threat actors.

LockBit Trends in North America

The researchers noted that LockBit has historically been under-deployed in attacks against North America compared with other regions such as Europe. On average, 40% of LockBit victims were based in North America, but there is evidence this share is on an upward trajectory and is expected to reach 50% by the end of 2023.

The industries most frequently targeted by LockBit in North America between January 2022 and September 2023 were manufacturing, construction, retail, legal & consulting and healthcare.

Meanwhile, LockBit made up 43.41% of R&DE attacks in Europe in Q1 2022, but decreased to 28.48% in the final quarter of the period, Q3 2023.

LockBit Intrusion Vectors

Due to the wide range of LockBit operators, a variety of intrusion methods have been used to deploy the payload.

The primary techniques identified were:

  • Exploiting Internet-Facing Applications. These were primarily a range of remote code execution and privilege escalation vulnerabilities.
  • Phishing. LockBit affiliates leveraged a variety of phishing lures to access victims’ networks, including malicious document attachments and fraudulent résumé-themed and copyright-themed emails.
  • External Remote Services. Threat actors leverage legitimate user credentials obtained via credential harvesting to access external-facing remote working services.
  • Drive-by Compromise. Operators have been observed accessing systems via a user visiting a website, often targeting…


Rapid7 Says ROI for Ransomware Remains High; Zero-Day Usage Expands

The Rapid7 mid-year review of the threat landscape is not reassuring. Ransomware remains high, basic security defenses are not being used, security maturity is low, and the return on investment for criminality is potentially enormous.

The review is compiled from the observations of Rapid7’s researchers and its managed services teams. It finds there were more than 1500 ransomware victims worldwide in H1 2023. These included 526 LockBit victims, 212 Alphv/BlackCat victims, 178 Cl0p victims, and 133 BianLian victims. The figures are compiled from leak site communications, public disclosures, and Rapid7 incident response data.

These figures should be seen as conservative. They will not include organizations that quietly and successfully pay the ransom as if nothing happened. Furthermore, downstream victims are still being counted – for example, notes the report, “The number of incidents attributed to Cl0p in this chart is likely to be (significantly) low, since the group is still actively claiming new victims from their May 2023 zero-day attack on MOVEit Transfer.”

Ransomware is successful for two reasons: the very high profit potential for the criminals, and the inadequate security posture of many potential targets. Three factors illustrate the latter. Firstly, nearly 40% of incidents were caused by missing or lax enforcement of MFA (multi-factor authentication) – despite many years of exhortations to implement this basic defense.

Secondly, the general security posture remains low for many organizations. Rapid7 consultants have performed multiple security assessments for clients, “with only a single organization so far in 2023 meeting our minimum recommendations for security maturity, as measured against CIS and NIST benchmarks.”

While security for these companies may well improve after the assessment, the figures illustrate that a substantial number of organizations fail to meet minimum standards for security.

Thirdly, and reinforcing the second factor, old vulnerabilities remain successful for the attackers. “Two notable examples from 1H 2023 are CVE-2021-20038, a Rapid7-discovered vulnerability in SonicWall SMA 100 series devices, and CVE-2017-1000367, a…
