Microsoft revealed today that its security teams are tracking over 100 threat actors deploying ransomware during attacks. In all, the company says it monitors over 50 unique ransomware families that were actively used until the end of last year.
“Some of the most prominent ransomware payloads in recent campaigns include Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, & Royal,” Microsoft said.
“Defense strategies, however, should focus less on payloads but more on the chain of activities that lead to their deployment,” since ransomware gangs are still targeting servers and devices not yet patched against common or recently addressed vulnerabilities.
Furthermore, while new ransomware families launch all the time, most threat actors utilize the same tactics when breaching and spreading through networks, making the effort of detecting such behavior even more helpful in thwarting their attacks.
As Redmond added, attackers increasingly rely on tactics beyond phishing to conduct their attacks, with threat actors, such as DEV-0671 and DEV-0882, capitalizing on recently patched Exchange Server vulnerabilities to hack vulnerable servers and deploy Cuba and Play ransomware.
Last week, the Exchange team urged admins to deploy the latest supported Cumulative Update (CU) to secure on-premises Exchange servers and have them always ready to install an emergency security update.
Over 60,000 Internet-exposed Exchange servers are still vulnerable to attacks leveraging ProxyNotShell RCE exploits. At the same time, thousands still wait to be secured from attacks targeting the ProxyShell and ProxyLogon flaws, two of the most exploited security flaws of 2021.
Other ransomware actors are also switching to or using malvertising to deliver malware loaders and downloaders that help push ransomware and various other malware strains, such as information stealers.
For instance, a threat actor tracked as DEV-0569, believed to be an initial access broker for ransomware gangs, is now abusing Google Ads in widespread advertising campaigns to distribute malware, steal passwords from infected devices, and ultimately gain access to enterprise networks.
They use this access as part of their attacks or sell it to other malicious actors, including the Royal ransomware gang.
The ransomware as a service (RaaS) ecosystem continues to evolve and expand with numerous players bringing varying techniques, goals, and skillsets. As of end of 2022, Microsoft tracks >50 unique active ransomware families and >100 threat actors using ransomware in attacks.
— Microsoft Security Intelligence (@MsftSecIntel) January 31, 2023
Last year was marked by the end of the Conti cybercrime operation and the rise of new ransomware-as-a-service (Raas) operations, including Royal, Play, and BlackBasta.
Meanwhile, LockBit, Hive, Cuba, BlackCat, and Ragnar ransomware operators have kept breaching and trying to extort a steady stream of victims throughout 2022.
Nevertheless, ransomware gangs saw a massive revenue drop of around 40% last year as they were only able to extort roughly $456.8 million from victims throughout 2022, after a record-breaking $765 million in the previous two years, according to blockchain analytics company Chainalysis.
However, this significant decline was not driven by fewer attacks but by their victims’ refusal to pay the attackers’ ransom demands.
This year has started with a big win against ransomware groups after the Hive ransomware data leak and Tor payment dark web sites were seized as part of an international law enforcement operation involving the U.S. Department of Justice, the FBI, the Secret Service, and Europol.
After hacking into Hive’s servers, the FBI distributed more than 1,300 decryption keys to Hive victims and gained access to Hive communication records, malware file hashes, and details on 250 Hive affiliates.
The same day, the U.S. State Department offered up to $10 million for any information that could help link the Hive ransomware gang (or other threat actors) with foreign governments
