According to Secureworks’ 2023 State of the Threat report published on Thursday, in the four months from March to June 2023, the number of victims named on ransomware leak sites reached “unprecedented levels”, putting the year on track to be the biggest year on record for victim naming.
The report, which presented insights from July 2022 to June 2023, revealed that the exploitation of three vulnerabilities was the main factor behind the record numbers:
- March – Fortra GoAnywhere, exploited by Clop
- May – Zimbra mail server, exploited by MalasLocker
- June – MOVEit Transfer, exploited by Clop
As leak sites only list victims who have not paid the ransom and are not used by all ransomware groups, the researchers acknowledged that leak sites alone do not paint a complete picture of the state of ransomware.
Also noteworthy from the report: researchers found that the median dwell time was under 24 hours, a meaningful drop from 4.5 days during the previous 12 months, with 10% of cases seeing ransomware deployed within five hours of initial access.
“[…] threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” Don Smith, VP threat intelligence, Secureworks Counter Threat Unit said.
Emily Phelps, Director, Cyware had this comment:
“Secureworks’ report highlights the consistency and speed at which threats evolve. With median dwell times decreasing to under 24 hours, adversaries appear to be moving to more efficient attacks that reduce the window of mitigation and response.
The accelerated nature of attack deployments and the noted move towards less complex, yet potent, operational tactics necessitate that enterprises leverage integrated security solutions, facilitating real-time intelligence sharing and automated responses to navigate the ever-changing ransomware landscape.”
Dave Ratner, CEO, HYAS had this comment:
“The reduction in dwell time highlights just how important visibility and observability solutions are; once bad actors breach the network, you may have very little time to react before damage ensues. Relatedly, the examples of new entry points and supply-chain attacks highlight how difficult it is for traditional mechanisms to prevent these breaches. Combined, both data points demonstrate the criticality of a security-in-depth strategy for operational resiliency — specifically one that can address visibility of what is happening inside the environment and on the network in real-time.”
This should serve as a warning that ransomware attacks are in a place where you cannot afford to not do everything possible to detect and prevent these attacks in your environments. Because given the facts in this report, failure to do so will result in bad things happening to your environment.
New Research Warns of Continuous Use of Sextortion Tactics Targeting Victims
Posted in Commentary with tags Secureworks on November 27, 2024 by itnerd
Secureworks has just shared information on a scam that is targeting people in the guise of Sextortion. The scam suggests victims have been caught on video and demands payment in bitcoin to have the video deleted. In reality, the alleged videos do not exist, and it is an attempt to leverage the fear of a real Sextortion scam.
Sextortion is not a new tactic: Secureworks Counter Threat Unit (CTU) researchers have tracked the scams since at least 2018 and observed that very little has changed in these attacks, suggesting that the tactics continue to be successful.
Commenting on the findings, Rafe Pilling, Director of Threat Intelligence, Secureworks Counter Threat Unit says:
“Cyber criminals are opportunistic, always looking for a way to make money fast at the expense of others. Sextortion is a horrendous crime, and one that the public is increasingly aware of. So, while this scam is awful in its methods, it is not surprising to see it being deployed. One of the key triggers of any scam is fear, creating concern and an instant feeling of urgency that is designed to panic people into making fast decisions that can be very costly. It’s important that people are aware of these scams so that they can avoid falling victim.”
The full blog is available here: https://www.secureworks.com/blog/phorpiex-continues-to-deliver-sextortion-spam