The report, Ransomware on the Move, looked at how exploitation techniques are evolving — including attackers’ sharpened focus on zero-day vulnerabilities. It showed how victims of multiple ransomware attacks were more than six times more likely to experience the second attack within three months of the first attack.
The authors from Akamai’s Security Intelligence Group reviewed data from the fourth quarter of 2021 to the second quarter of 2023. The authors reported that LockBit ensnared around 39% of all victim organizations tracked by Akamai, which said LockBit’s victim count is three times that of its nearest competitor, the CL0P group. Number three in volume of victims, ALPHV, aka Black Cat, focused its efforts on developing and exploiting zero-day points of entry (Figure A).
Anthony Lauro, director of security technology and strategy at Akamai, explained that LockBit looks for high-value targets with zero-day vulnerabilities that companies can’t fix quickly. They tend to target and retarget these organizations and the sectors — manufacturing and technology, for example — where security operations are generally lagging. He also explained that malware writers can choose tools and services from a growing dark ecosystem.
The report spotlighted two trends that speak to how large groups — with reach and a breadth of products including RaaS — show stable growth, while smaller groups focus on opportunities as they arise:
“Malware writers can now split off operations, which is a change,” said Lauro. “It used to be that the attackers were a single entity or group that would be responsible for malware payload delivery, exploitation and follow up.” He added that, because of the open nature of the malware marketplace, groups like LockBit and CL0P have been able to co-opt others to perform various tasks in the kill chain.
Lauro said the tactics found more often in the second trend group “are the tried and true methodologies, like Windows system vulnerabilities that are not necessarily high severity because these systems aren’t usually available to outside queries. Attackers can still access them. So, there are two major trends: spreading the victim base across easy targets and tactics, and ones leveraging CVEs and zero days looking at big players as targets.”
ALPHV, for example, second on Akamai’s list of attackers in terms of victim volume, uses the Rust programming language to infect both Windows and Linux systems. Akamai said the group exploited vulnerabilities in Microsoft Exchange server to infiltrate targets.
According to Akamai, the group spoofed a victim’s website last year (using a typosquatted domain). The new extortion technique included publishing the stolen files and leaking them on their website in order to tighten the thumbscrews on victims and encourage ransom payment.
In Akamai’s study, 65% of targeted organizations had reported revenue of up to $50 million, while those worth $500 million and up made up 12% of total victims. Akamai also reported that the ransomware data used was collected from the leak sites of approximately 90 different ransomware groups.
If you invest in the drilling operation, you might as well reach out sideways to assets under other people’s lawns once you’ve reached the target. LockBit attackers are likewise reaching out to victims’ customers, informing them about the incident and employing triple extortion tactics that add Distributed Denial-of-Service (DDoS) attacks.
Lauro said delivery and execution are the first two stages of exploitation. Defense is predicated on edge defense elements like visibility, but the rest of the attack happens after the fact: moving laterally, tricking systems, or making requests that look “friendly” — all inside the network.
“Once you’re inside, most organizations are wide open, because then, as an attacker, I don’t have to download special toolkits; I can use installed tools. So there is a lack of good localized network security. We are finding more and more environments in bad shape in terms of internal visibility over time,” he said.
CL0P, which is number three in terms of its volume of victims over the course of Akamai’s observation period, tends to abuse zero-day vulnerabilities in managed file transfer platforms. Akamai said the group exploited a legacy file transfer protocol that has been officially out of date since 2021, as well as a zero-day CVE in MOVEit Transfer to steal data from several organizations.
“It is worth noting how CL0P has a relatively low victim count until its activity spikes whenever a new zero-day vulnerability is exploited as part of its operation,” said the Akamai report authors. “And unlike LockBit, which has a semblance of consistency or pattern, CL0P’s attacks are seemingly tied to the next big zero-day vulnerability, which is hard to predict (Figure B).”
Akamai noted that LockBit, whose website looks like a legitimate web concern, is touting new tools and even a bug bounty program in its latest 3.0 version. Just like white hats, the group is inviting security researchers and hackers to submit bug reports in their software for rewards ranging up to $1 million.
Akamai noted that while the bug bounty program is principally defensive, “it’s unclear if this will also be used to source vulnerabilities and new avenues for LockBit to exploit victims” (Figure C).
On its site, LockBit seeks ethical AND Unethical hackers. Source: Akamai via Bleeping Computer.
Of all vertical industries, manufacturing saw a 42% increase in total victims during the period Akamai investigated. LockBit was behind 41% of overall manufacturing attacks.
The health care vertical saw a 39% increase in victims during the same period, and was targeted primarily by the ALPHV (also known as BlackCat) and LockBit ransomware groups.
Akamai’s recommendations on lessening the chance of attack and mitigating the effects of an incursion center on adopting a multilayered approach to cybersecurity. According to Akamai, defense tactics should include the following:
Limit access to services that can be abused for data exfiltration, either by using solutions that block known malicious URL and DNS traffic, or by using solutions or controls that allow blocking access to specific domains.
Use honeypots. Akamai said they can help trap probing attackers, luring them into servers where their activities can be monitored.
Use an intrusion detection system to detect suspicious network scans. Akamai noted that attackers use identifiable tools to fingerprint targets within an organization’s network, and those tools can be detected.
Akamai suggests using tools for inspection of outgoing internet traffic to block known malware C2 servers. “Solutions must be able to monitor your entire DNS communications in real time and block communications to malicious domains, preventing the malware from running properly and accomplishing its goals,” the firm said.
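As an added illustration of two of the controls above (blocking DNS queries to known malicious domains, and flagging the internal network scans that precede lateral movement), here is a small detector written for this article; it is not Akamai’s code, and the blocklist, log lines and thresholds are all constructed sample values.

```python
from collections import defaultdict

# Constructed sample data (not from the Akamai report): a DNS query log,
# a connection (flow) log, and a small blocklist of domains.
MALICIOUS_DOMAINS = {"c2.example-bad.test", "update.evil-cdn.test"}

DNS_LOG = [
    "10.0.0.5 query A www.example.com",
    "10.0.0.5 query A c2.example-bad.test.",    # trailing dot, as some resolvers log
    "10.0.0.9 query A mail.example.org",
    "10.0.0.9 query TXT UPDATE.evil-cdn.test",  # mixed case must still match
]

# "src dst dport" per line: 10.0.0.7 probes 25 ports on one host (port scan),
# 10.0.0.8 probes one port across 8 hosts (host sweep), 10.0.0.5 is benign.
FLOW_LOG = (
    [f"10.0.0.7 10.0.1.20 {p}" for p in range(20, 45)]
    + [f"10.0.0.8 10.0.1.{h} 445" for h in range(1, 9)]
    + ["10.0.0.5 10.0.1.20 443", "10.0.0.5 10.0.1.21 443"]
)


def flag_dns(lines, blocklist=MALICIOUS_DOMAINS):
    """Return (src, domain) pairs for queries whose name is on the blocklist."""
    hits = []
    for line in lines:
        src, _, _, name = line.split()
        domain = name.lower().rstrip(".")   # normalise case and trailing dot
        if domain in blocklist:
            hits.append((src, domain))
    return hits


def flag_scanners(lines, port_threshold=10, host_threshold=5):
    """Return sources that touched >= port_threshold ports on one host (port scan)
    or >= host_threshold hosts on one port (host sweep)."""
    ports_by_pair = defaultdict(set)   # (src, dst)   -> distinct destination ports
    hosts_by_port = defaultdict(set)   # (src, dport) -> distinct destination hosts
    for line in lines:
        src, dst, dport = line.split()
        ports_by_pair[(src, dst)].add(dport)
        hosts_by_port[(src, dport)].add(dst)
    suspects = {s for (s, _), p in ports_by_pair.items() if len(p) >= port_threshold}
    suspects |= {s for (s, _), h in hosts_by_port.items() if len(h) >= host_threshold}
    return sorted(suspects)


if __name__ == "__main__":
    print("blocked DNS queries:", flag_dns(DNS_LOG))
    print("scanning hosts:", flag_scanners(FLOW_LOG))
```

Real deployments would feed resolver and flow logs continuously and tune the thresholds per network segment, but the two checks are the same: match egress names against a maintained blocklist, and count distinct ports and hosts per internal source.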