Thief in Numbers: who are they – the leaders of the cybercrime world

Carding Forum

Cisco Talos has published a full analysis of the tactics used by the leading ransomware groups.

In recent months a series of large-scale ransomware attacks has hit sectors ranging from hospitals to airports. Against that backdrop, Cisco Talos carried out a detailed analysis of the current leaders among ransomware groups to describe the present state of the threat.

The Cisco Talos study covers 2023 to 2024 and is based on an analysis of 14 ransomware groups, selected for the scale of their attacks, their impact on victims, and atypical behaviour. The data came from public leak sites, Talos's own internal investigations, and open reporting. The list includes LockBit, ALPHV, Play, 8Base, BlackBasta, BianLian, Clop, Cactus, Medusa, Royal, Rhysida, Hunters International, Akira and Trigona.

Among these, ALPHV/BlackCat and Rhysida stand out for the breadth of tactics they use. BlackBasta, LockBit and Rhysida not only encrypt data but also damage victims' systems to increase the impact of the attack. Clop, unlike the others, focuses on extortion through data theft rather than encryption.

A typical attack chain begins with initial access gained through social engineering, network scanning, and open-source reconnaissance. The attackers then establish persistence, using automated mechanisms to maintain their presence on the network. Once that foothold is secure, they enumerate the target environment, escalate privileges, and stage data for theft or encryption.

In the final stage the attackers deploy the ransomware payload and leave a ransom note informing the victim of the breach. If the goal is extortion through data theft alone, the encryption step is skipped.

Attacks that exploit known vulnerabilities to get in have also increased. For example, CVE-2020-1472 (Zerologon, Netlogon privilege escalation), CVE-2018-13379 (Fortinet FortiOS SSL VPN path traversal) and CVE-2023-0669 (Fortra GoAnywhere MFT pre-authentication remote code execution) are regularly exploited for initial access and privilege escalation.

With the shift to double extortion, where attackers both encrypt data and steal it, some of the more mature ransomware-as-a-service (RaaS) groups have begun developing custom malware for data theft. BlackByte and LockBit, for example, have built their own exfiltration tools (Exbyte and StealBit respectively).

The analysis also found a trend toward legitimate commercial remote monitoring and management (RMM) tools such as AnyDesk and ScreenConnect. These let attackers blend in with normal administrative traffic and avoid the cost of developing their own tooling.

Another notable trend is the use of defense-evasion techniques to extend dwell time on the victim's network. Attackers use tools to disable or modify antivirus products and to tamper with operating-system features designed to detect malicious payloads.

Ransomware groups are also making increasing use of infostealers. Initial access brokers (IABs) typically run stealers to harvest victims' credentials and personal information, which makes the initial compromise easier.

During the period under review numerous attacks were observed, particularly against targets in the United States, with manufacturing and information technology among the most affected industries. The attacks caused significant financial losses and business disruption.

To protect against such threats, Cisco Talos recommends:
  • Regular patch and update management;
  • Strong password policies and multi-factor authentication;
  • Hardening of systems and environments to minimize the exposed attack surface;
  • Network segmentation, with device authentication before access is granted;
  • Monitoring and incident-response tooling (SIEM and EDR/XDR);
  • Least privilege for users and systems;
  • Minimizing the number of IT systems exposed to the Internet.

These measures reduce the risk of compromise and limit the consequences of a ransomware attack.
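As an added example (not part of the original post or of the Talos report), the Python script below turns two of the behaviours described above, abuse of RMM tools and tampering with endpoint defenses, into detection rules run over Sysmon-style process-creation events, then correlates hits per host. The event records are constructed, and the rule patterns, the approved-RMM allowlist and the install-path check are assumptions for illustration rather than any vendor's signatures.

```python
"""Toy detection pass over process-creation telemetry for two of the TTPs in
the Talos summary: abuse of legitimate RMM tools (AnyDesk, ScreenConnect) and
tampering with endpoint defenses. The event format mimics Sysmon Event ID 1
fields, but every record below is constructed, and the rule patterns and the
approved-RMM allowlist are assumptions for illustration, not vendor signatures."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample telemetry: one workstation with RMM drop plus Defender
# tampering, one server running an approved RMM agent, one host with a
# service-level Defender kill and an innocuous process.
SAMPLE_EVENTS = [
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": r"AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent"},
    {"host": "WS-014", "user": "CORP\\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "SRV-DB01", "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe ?h=relay.example.net&p=8041"},
    {"host": "WS-022", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\sc.exe",
     "cmdline": "sc.exe config WinDefend start= disabled"},
    {"host": "WS-022", "user": "CORP\\admin",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\admin\\notes.txt"},
]


@dataclass(frozen=True)
class Rule:
    name: str
    tactic: str          # ATT&CK tactic, used to group findings per host
    pattern: re.Pattern
    severity: str


RULES = (
    # RMM binaries are legitimate software, so the rule only identifies the
    # tool; evaluate() decides severity from the allowlist and install path.
    Rule("rmm-tool-execution", "Command and Control",
         re.compile(r"\b(anydesk|screenconnect)", re.I), "medium"),
    Rule("defender-realtime-disabled", "Defense Evasion",
         re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I), "high"),
    Rule("security-service-disabled", "Defense Evasion",
         re.compile(r"\bsc(?:\.exe)?\s+config\s+(?:windefend|sense)\s+start=\s*disabled", re.I), "high"),
)

# Assumed organisational policy (hypothetical): ScreenConnect is the approved
# RMM product and is expected to run from a standard install root.
APPROVED_RMM = {"screenconnect"}
APPROVED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")


def evaluate(event):
    """Return the list of findings for a single process-creation event."""
    findings = []
    for rule in RULES:
        match = rule.pattern.search(event["cmdline"])
        if not match:
            continue
        severity = rule.severity
        if rule.name == "rmm-tool-execution":
            tool = match.group(1).lower()
            expected_path = event["image"].lower().startswith(APPROVED_INSTALL_ROOTS)
            if tool in APPROVED_RMM and expected_path:
                severity = "info"   # approved tool from its normal location: log only
            else:
                severity = "high"   # unapproved tool, or approved tool dropped elsewhere
        findings.append({"host": event["host"], "user": event["user"], "rule": rule.name,
                         "tactic": rule.tactic, "severity": severity,
                         "evidence": match.group(0)})
    return findings


def triage(events):
    """Correlate findings per host. A lone RMM hit is usually noise; RMM plus
    defense evasion on the same host is the intrusion pattern the report
    describes, so that combination is escalated to isolation."""
    per_host = defaultdict(list)
    for event in events:
        per_host[event["host"]].extend(evaluate(event))
    verdicts = {}
    for host, findings in per_host.items():
        tactics = {f["tactic"] for f in findings if f["severity"] != "info"}
        highs = [f for f in findings if f["severity"] == "high"]
        if len(tactics) >= 2 and highs:
            action = "isolate"
        elif highs:
            action = "investigate"
        else:
            action = "monitor"
        verdicts[host] = {"action": action, "findings": findings}
    return verdicts


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_EVENTS).items():
        print(host, verdict["action"], [f["rule"] for f in verdict["findings"]])
```

The point of the allowlist and install-path check is that RMM tools are legitimate by design, so a rule that fires on the binary name alone drowns analysts in false positives; what separates the intrusion case is an unapproved product dropped into a user's Temp directory, followed by defense tampering on the same host, and the per-host correlation is what surfaces that sequence.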
