Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption

Ransomware activity remains on an upward trend despite the number of attacks claimed by ransomware actors decreasing by slightly more than 20% in the fourth quarter of 2023. Attackers have continually refined their tactics and proven quick to respond to disruption, finding new ways to infect victims. 

Analysis of data from ransomware leak sites shows that attackers managed to hit significantly more victims last year (4,700) compared to 2022 (2,800). While the shutdown of the Qakbot botnet in June 2023 took a major malware distribution channel offline, attackers have quickly adapted and vulnerability exploitation now appears to be the primary vector for ransomware attacks. 

LockBit, the longstanding ransomware-as-service operation run by the Syrphid cybercrime group (aka Bitwise Spider), continued to be the largest ransomware threat in 2023, accounting for 21% of all attacks claimed on data leak sites. It was followed by Noberus (aka BlackCat, ALPHV) with 9% of all claimed attacks and Clop with 8%. Both LockBit and Noberus have been the target of law enforcement operations in recent weeks and it remains to be seen if these will significantly impact on activity levels from both threats over the long term.

Interestingly, there are significant disparities between overall, publicly claimed activity levels and ransomware activity investigated by Symantec. While LockBit was responsible for over 21% of the 4,700 attacks claimed in 2023, they were only identified as being involved in around 17% of the attacks Symantec investigated. Conversely, Noberus claimed 9% of all attacks in 2023 but it was involved in a little over 20% of all attacks Symantec investigated. 

The comparison may give some indication of success rates experienced by actors linked to each operation. For Symantec to positively identify an attack as associated with a certain ransomware family, the attack has to advance to the stage where the attackers attempt to deploy a payload. This suggests that Noberus affiliates are more likely to advance their attacks at least to the payload deployment stage. 

Vectors

The evidence from recent ransomware investigations suggests that exploitation of known vulnerabilities in public facing applications is now the main vector for ransomware attacks. Likely infection vectors in recent ransomware attacks include:

• CVE-2022-47966 ZOHO ManageEngine
• Microsoft Exchange Server vulnerabilities. Exploits were unknown but first evidence of malicious activity in a number of attacks occurred on Exchange Servers. 
• Citrix Bleed (CVE-2023-4966) Citrix NetScaler ADC and NetScaler Gateway
• CVE-2023-20269 Cisco Adaptive Security Appliance (ASA) and Cisco Firepower Threat Defense (FTD) VPN 
   

Tooling

The number of tools deployed by ransomware actors continues to grow. In particular, there has been a marked increase in the number of dual-use tools (legitimate software installed by attackers for malicious purposes). Tools leveraging the Bring Your Own Vulnerable Driver (BYOVD) technique are also currently popular among attackers. New tools recently seen in ransomware attacks include:

• HopToDesk: A publicly available remote desktop tool, which was used by attackers using a variant of the leaked Conti ransomware. Remote desktop tools are frequently used by ransomware actors, with the most popular being: Atera, AnyDesk, and Splashtop.
• TrueSightKiller: A publicly available tool that leverages the BYOVD technique to disable security software.
• GhostDriver: Another tool that leverages the BYOVD technique to disable antivirus (AV) tools.
• StealBit: A custom data exfiltration tool associated with the LockBit ransomware operation. StealBit appeared to have fallen out of favour among LockBit affiliates for some time. However, usage of the tool resumed in early 2024, where it was deployed in two separate LockBit attacks. 
   

Techniques

Noteworthy techniques that have recently been used by ransomware actors include:

• Esentutl: Dumping credentials using the Windows command-line tool that provides database utilities for the Extensible Storage Engine (ESE). A known technique, in recent weeks attackers have been using it to dump browser credentials.
• DPAPI: Using malicious tools to extract and decrypt sensitive user credentials stored using Microsoft's Data Protection API (DPAPI).
   

Ongoing threat

Ransomware will continue to be a major threat for organizations in 2024 and beyond. Incentivised by large payouts, ransomware attackers have proven to be persistent and adaptive, capable of responding to disruption by reorganizing themselves and consistently developing new tactics.

Protection/Mitigation

For the latest protection updates, please visit the Symantec Protection Bulletin.

Indicators of Compromise

If an IOC is malicious and the file available to us, Symantec Endpoint products will detect and block that file.

7ebe51d5a48cc3c01878e06c6db3f4f0189c4f9788bfe57b763b03f4ab910e26 – StealBit

ce26642327aa55c67a564f695ae3038d5afee9b8d14bb5146bf30dd0f1af24e5 – StealBit

c06e320ad2568e15baae155346c6fb92e18fc038e7465adfb5fc2a3f8af9caa5 – HopToDesk

8d5c521d7a52fd0b24d15c61c344a8f87b3b623a1ab3520ab55197b772377155 – TrueSightKiller 

09f7622eb9ed3bbd375575c8a190ff152ef3572a717a20c1b2dd5556b8cc9eba – TrueSightKiller

005cfd8a4dd101c127bcb0f94f1fa143b24d91442ee9e1525b4c540c9fe88c63 – TrueSightKiller

4c1346eab3fb23ca0613d73bbd2dd87fedb6ca8b1ba7bf48d69a57868d05854d – TrueSightKiller

13d525588d2f6babe0b6de7d1456a6f3f39a0947128280a94b6f676dd5684201 – TrueSightKiller

6ec7a25adc9bf516e9150bebd773feafa64787769156ffbcb6eccabc579ee03a – GhostDriver 

19707b18f750bae0214e2a6d36735b6723549899bf83751d3650b9ec8125b91f – DPAPI credential dumper