The Ransomware Surge & Techniques Revealed in the Wave of Attacks
An examination of threat activity during the fourth quarter of 2023 reveals a concerning escalation of ransomware. Drawing on Cisco Talos Incident Response (Talos IR) engagements, Cisco Talos intelligence analyst Nicole Hoffman outlines the rise in activity, noting a 17 percent increase over the previous quarter. Talos IR encountered the Play, Cactus, BlackSuit, and NoEscape ransomware strains for the first time, indicating an evolving and expanding threat landscape. During the same period they also saw a diverse array of incidents, including insider threats, sophisticated phishing campaigns employing malicious QR codes, and MFA fatigue attacks, reflecting a complex threat environment in which adversaries employ a variety of tactics to compromise targets.
The education and manufacturing sectors emerged as primary targets, together accounting for nearly half of all incident response engagements, followed closely by healthcare and public administration. The education sector's vulnerability, attributed to limited cybersecurity resources, makes it a prime target for ransomware attacks and data breaches involving sensitive personal information. Meanwhile, the manufacturing sector's critical role in the supply chain presents unique challenges, as disruptions can have far-reaching impacts beyond the initial target. Talos IR's findings reveal an opportunistic approach by adversaries, leveraging every available means—from social engineering to exploiting vulnerabilities in public-facing applications—to gain unauthorized access and escalate their attack campaigns.
Cisco Talos has reported on several ransomware engagements, emphasizing the importance of implementing multi-factor authentication (MFA) as a preventive measure: the incidents involving Play, BlackSuit, and Cactus ransomware could have been mitigated had MFA been in place. In the post-exploitation phase of these intrusions a familiar arsenal appeared, PsExec alongside remote access software such as AnyDesk, ScreenConnect, and Splashtop. Hoffman also noted an uncommon use of the "ITarian remote monitoring and management (RMM) solution", adding that the software had not previously been observed in Cisco Talos' telemetry. Notably, the NoEscape ransomware group leveraged the Citrix authentication bypass vulnerability (CVE-2023-4966, also known as CitrixBleed) for initial access, highlighting the continued exploitation of vulnerabilities. BlackSuit, meanwhile, used the older ZeroLogon vulnerability (CVE-2020-1472) to advance its intrusions with elevated permissions. Remote services using RDP, SSH, and SMB were observed in 24% of Cisco Talos' IR engagements.
These groups also attempt to bypass MFA, highlighting the importance of robust MFA implementation across all user accounts. Cisco Talos' insights into these evolving threats stress the need for comprehensive cybersecurity measures, and specifically the deployment of MFA. "A lack of MFA or proper MFA implementation across all user accounts as well as misconfigured or unpatched systems each played a part in 36 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as RDP," as Hoffman emphasizes.
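The two paragraphs above name the tooling Talos IR saw in the post-exploitation phase (PsExec, AnyDesk, ScreenConnect, Splashtop, ITarian RMM). A defender's first practical step is to check process-creation telemetry for that tooling on hosts where it is not sanctioned. The following is an added example, not code from Cisco Talos or from the article: it scans constructed JSON process-creation records (the field names `host`, `user`, `image` and `parent` are assumptions; real input would come from EDR or Sysmon Event ID 1 data) and reports every remote-access tool execution that is not covered by a per-host allowlist. Only the PsExec and AnyDesk executable names are ones I know; the ScreenConnect, Splashtop and ITarian substrings are assumptions to be replaced with the binary names in your own telemetry.

```python
"""Flag remote-access / RMM tooling in process-creation telemetry.

Added example; not code from Cisco Talos or the article. Field names and the
sample events below are constructed for illustration.
"""
import json
from collections import Counter

# Tools named in the Talos report, keyed by a lowercase substring of the image
# path. PsExec/PSEXESVC and AnyDesk are real binary names; the ScreenConnect,
# Splashtop and ITarian substrings are assumptions: tune them to your telemetry.
REMOTE_ACCESS_TOOLS = {
    "psexec": "PsExec",
    "psexesvc": "PsExec (remote service side)",
    "anydesk": "AnyDesk",
    "screenconnect": "ScreenConnect",
    "splashtop": "Splashtop",
    "itarian": "ITarian RMM",
}

# (tool, host) pairs the fictional organisation has sanctioned. Anything else is
# reported so an analyst can confirm whether the use was expected.
ALLOWLIST = {("ScreenConnect", "helpdesk01")}

# Constructed sample events (JSON lines), one process creation per line.
CONSTRUCTED_EVENTS = "\n".join(json.dumps(e) for e in [
    {"host": "fs01", "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\PSEXESVC.exe", "parent": "services.exe"},
    {"host": "ws042", "user": "CORP\\jdoe",
     "image": "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe", "parent": "explorer.exe"},
    {"host": "helpdesk01", "user": "CORP\\helpdesk",
     "image": "C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe",
     "parent": "services.exe"},
    {"host": "dc01", "user": "CORP\\admin",
     "image": "C:\\Windows\\System32\\svchost.exe", "parent": "services.exe"},
    {"host": "ws017", "user": "CORP\\mwhite",
     "image": "C:\\Users\\mwhite\\AppData\\Local\\Temp\\itarian_setup.exe", "parent": "msedge.exe"},
    {"host": "fs01", "user": "CORP\\admin",
     "image": "C:\\Tools\\PsExec.exe", "parent": "cmd.exe"},
])


def classify(event):
    """Return the tool name an image path matches, or None if it is not a
    known remote-access tool."""
    image = event["image"].lower()
    for needle, name in REMOTE_ACCESS_TOOLS.items():
        if needle in image:
            return name
    return None


def find_unsanctioned(jsonl):
    """Parse JSON-lines process events and return the executions of
    remote-access tools that are not allowlisted for that host."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        tool = classify(event)
        if tool is None or (tool, event["host"]) in ALLOWLIST:
            continue
        findings.append({
            "tool": tool,
            "host": event["host"],
            "user": event["user"],
            "parent": event["parent"],
            "image": event["image"],
        })
    return findings


def summarize(findings):
    """Count findings per tool so the most widespread tooling stands out."""
    return Counter(f["tool"] for f in findings)


if __name__ == "__main__":
    hits = find_unsanctioned(CONSTRUCTED_EVENTS)
    for hit in hits:
        print(f"{hit['host']:<10} {hit['user']:<18} {hit['tool']:<28} parent={hit['parent']}")
    print(dict(summarize(hits)))
```

The parent process is kept in each finding because it is often the quickest triage signal: a remote-access installer spawned from a browser or from `cmd.exe` on a file server reads very differently from the same binary launched by `services.exe` on a help-desk host. Hosts that should never run this tooling (domain controllers, file servers) can be given an empty allowlist so every hit is escalated.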
The insights in Cisco Talos' report offer valuable guidance for enhancing detection coverage and strengthening defenses against the growing ransomware threat. Reports from Unit 42 on the Medusa and BianLian ransomware families further contribute to detection guidance by revealing the adversarial techniques employed in those attacks.