Resurgence of Ransomware: Mandiant Observes Sharp Rise in Criminal Extortion Tactics

Mandiant has published new threat research based on an analysis of the Tactics, Techniques, and Procedures (TTPs) used by ransomware actors and observed by the security firm throughout 2023.

Google-owned Mandiant’s research derives from combining its own ransomware investigations with observation of data leak sites (DLS) during 2023. The company’s ransomware investigations increased by more than 20% in 2023, and it observed a 75% increase in DLS postings compared to 2022. This indicates a resurgence in criminal extortion following a slight dip in 2022. The combination of Russia’s invasion of Ukraine and the Conti chat leaks likely caused a temporary resetting of the criminal world during 2022 – but normality returned in 2023 and criminal extortion is again increasing.

The growing use of DLS (the number of observed sites increased by more than 30% in 2023) reflects the expanding use of data exfiltration and breach-shaming as part of a ransomware attack. Both file encryption and sensitive data blackmail are merely tools for the fundamental purpose: extortion. We can expect criminals to experiment with other methods to find whatever works best. For example, in November 2023, ALPHV/BlackCat-affiliated actors claimed they had lodged a complaint with the SEC against an alleged victim, MeridianLink, for failing to disclose a data breach they had themselves initiated. Such threats could potentially be used in the future to add extra pressure for future ransom payments.

Other extortion developments included contacting individual patients from impacted healthcare facilities and threatening to reveal personal data (dubbed ‘patient swatting’) – all designed to increase pressure on the victim facility to pay the ransom.

Some of the newer RaaS operations show criminals exploring payment in the Monero cryptocurrency – indeed, the Kuiper operators offer a discount for payment by Monero rather than Bitcoin. Mandiant suggests this may indicate that “actors are taking additional steps to obscure their activity”. (Other methods include log tampering, using legitimate tools, and disabling malware defense systems.)

Mandiant also noted overlaps in some new DLS sites and some known actors, suggesting the new DLS sites may be related to new alliances and rebrands rather than new attacker offerings.

The company observed more than 50 new ransomware families and variants in 2023. This was similar to 2022 and 2021. However, the proportion of variants over new families increased in 2023, leading Mandiant to suspect that the actors have spent time improving and upgrading what already exists rather than developing new products from scratch.

Most ransomware deployments (about 75%) seem to occur outside of standard business hours; but this figure is slightly down from 2022 and 2021. Furthermore, there is less preference for a particular day of the week for an attack,

The median time between initial access and ransomware deployment increased from five days in 2022 to six days in 2023. This likely reflects the growing addition of data exfiltration to data encryption – discovery and exfiltration before encryption takes longer than just finding and encrypting. “The median time between initial access and ransomware deployment in incidents with confirmed or suspected data theft was 6.11 days, while the median time in incidents without data exfiltration was 1.76 days,” notes the report.

Initial access was most commonly achieved through stolen credentials or vulnerability exploits. In nearly 40% of incidents access was through stolen credentials or brute force, mostly via the victim’s corporate VPN infrastructure.

Almost 30% of incidents involved exploits against public-facing systems (up from 24% in 2022, but down from more than 50% in 2021). In all cases in 2023, attackers used known vulnerabilities with a publicly available exploit.

“Multiple incidents involving vulnerability exploitation for initial access had a total time-to-ransom value that was less than five minutes, suggestive of automated mass exploitation and ransomware deployment to vulnerable systems accessible via the internet,” comments Mandiant.

Mandiant didn’t observe the use of zero-day exploits, but notes that public reporting suggests at least three zero-days were used in other ransomware incidents.

Once access had been achieved, Beacon was the most frequently used tool to establish a foothold (10% of incidents). Other frameworks included BoldBadger and Metasploit. Occasionally, actors employed backdoors, such as LightDuty, GoReverse, and BankShot.

Beacon was also used to maintain presence, but this use declined from 37% in 2022 to just 14% in 2023. The use of legitimate remote access tools remains a favored approach, being used in 35% of incidents. The use of custom backdoors and malware continues but was less common in 2023 than in 2022.

Privilege escalation within the victim infrastructure continues to use Mimikatz, but other approaches have used Nanodump to target the Windows LSASS process, and various forms of kerberoasting. Known vulnerabilities, such as CVE-2022-24521, CVE-2021-43226, and CVE-2023-28252 have also been used for privilege escalation.

The reconnaissance phase frequently used built-in Windows utilities and searched internal resources such as SharePoint drives. In 50% of incidents, attackers used publicly available network scanners including Advanced IP Scanner, Softperfect Network Scanner, and Advanced Port Scanner.

Lateral movement frequently involved the use of multiple commands, software, tools, and utilities. The use of Beacon here, as elsewhere, has declined; but reliance on RDP and SMB protocols continues. “In multiple incidents,” says the report, “threat actors enabled restricted admin mode for RDP; this enables actors with access to administrative privileges to bypass MFA when moving laterally within the victim environment.”

Ransomware is now typically, but not always, multifaceted, combining stolen data blackmail and encrypted file extortion. The exfiltration process most commonly used legitimate data synchronization tools such as Rclone (used in about 30% of observed incidents) and Megasync.

Encryption deployment is achieved through multiple methods. However, the report notes, “The most frequently observed methods include manual execution of ransomware payloads by threat actors who have interactive access to hosts via RDP or SSH and the use of PsExec with and without the use of pre-built deployment scripts. Notably, the PsExec utility was used in nearly 40% of the analyzed ransomware intrusions.”

In about 20% of all ransomware incidents, attackers manually executed the encryption while logged in via SSH, RDP or a remote management tool. Mandiant saw the use of 14 different remote management tools – twice as many as they saw in 2022. This was particularly common where a virtualization hypervisor such as ESXi or Hyper-V was targeted.

A wide range of tools were used by the attackers (possibly reflecting the wide range of attack teams). However, the evidence suggests greater focus on evolving existing tools rather than developing new tools.

The report provides a mapping of the ransomware techniques to the MITRE ATT@CK framework in an extensive appendix.

The extortion threat remains rampant. There may be periodic lulls, but these are usually temporary, caused either by global events or relatively minor targeted law enforcement successes. The 2022 relative lull is over.

Ransomware actors are resilient and resourceful. LEA takedowns are best considered as simple disruptions. Un-arrested actors move on, realign, and resurface.

Criminal access is usually with stolen or brute-forced credentials (40%). Fewer incidents (30%) stem from known vulnerability exploits against public-facing assets (30%), and zero-day usage is rare. Attacks against known vulnerabilities indicate the importance of patching.

The huge number of different tools and techniques in the ransomware ecosphere relates to the large number of operational gangs. Existing tools work – there is more emphasis on upgrading these tools than in developing new tools.

Use of legitimate and /or publicly available tools continues to grow. Using these tools is cost-effective and useful for stealth.

Untargeted encryption-only attacks are rapid. Detonation can occur within one day of access (the median time was 1.76 days).

Attackers experiment with additional threats to increase their blackmail pressure.

The number of new data leak sites continues to grow. Apart from shaming non-paying victims, they are also used to recruit new affiliates to the RaaS ecosphere, Mandiant said.