Record high ransomware leak site victims, record low dwell times

According to Secureworks’ 2023 State of the Threat report, published on Thursday, the number of victims named on ransomware leak sites in the four months from March to June 2023 reached “unprecedented levels”, putting 2023 on track to be the biggest year on record for victim naming.
The report, which covers July 2022 to June 2023, attributes the record numbers mainly to the exploitation of three vulnerabilities:

  • March – Fortra GoAnywhere, exploited by Clop
  • May – Zimbra mail server, exploited by MalasLocker
  • June – MOVEit Transfer, exploited by Clop

Because leak sites list only victims who have not paid the ransom, and not every ransomware group operates one, the researchers acknowledged that leak sites alone do not paint a complete picture of the state of ransomware.
Also noteworthy from the report: the median dwell time (the interval between initial access and ransomware deployment) fell to under 24 hours, down from 4.5 days during the previous 12 months, with 10% of cases seeing ransomware deployed within five hours of initial access.
“[…] threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” said Don Smith, VP of Threat Intelligence, Secureworks Counter Threat Unit.

Emily Phelps, Director, Cyware had this comment:

   “Secureworks’ report highlights the consistency and speed at which threats evolve. With median dwell times decreasing to under 24 hours, adversaries appear to be moving to more efficient attacks that reduce the window of mitigation and response.

The accelerated nature of attack deployments and the noted move towards less complex, yet potent, operational tactics necessitate that enterprises leverage integrated security solutions, facilitating real-time intelligence sharing and automated responses to navigate the ever-changing ransomware landscape.”

Dave Ratner, CEO, HYAS had this comment:

   “The reduction in dwell time highlights just how important visibility and observability solutions are; once bad actors breach the network, you may have very little time to react before damage ensues. Relatedly, the examples of new entry points and supply-chain attacks highlight how difficult it is for traditional mechanisms to prevent these breaches. Combined, both data points demonstrate the criticality of a security-in-depth strategy for operational resiliency — specifically one that can address visibility of what is happening inside the environment and on the network in real-time.”

This should serve as a warning: with dwell times this short, organizations cannot afford to skip any available measure to detect and prevent ransomware in their environments. Given the facts in this report, failing to do so leaves very little time to respond once an intrusion begins.
