Ransomware is a severe and growing threat to businesses of all sizes. Our new research showed that double-extortion ransomware attacks increased by 29.9% over the past quarter, making Q1 2023 the most prolific quarter we have ever observed for that type of attack.

This alarming rise highlights the urgent need for organizations to have robust cybersecurity measures that will detect and prevent ransomware attacks. These attacks can inflict severe financial and reputational repercussions.

In this blog, we offer approaches for managing ransomware threats, an overview of key vulnerabilities exploited for ransomware in Q1 2023, and ways ReliaQuest can help security teams better detect and defend against ransomware threats.


Beware Key Vulnerabilities

Ransomware operators exploit a wide array of new and older vulnerabilities in their attacks. Identifying and patching commonly exploited flaws can be crucial in preventing or minimizing the impact of cyber attacks. Three important vulnerabilities were exploited over the past quarter, leading to widespread ransomware attacks:

  • GoAnywhere zero-day (CVE-2023-0669) – The “Clop” ransomware gang exploited this flaw to claim an alleged 130-plus victims globally. Unlike typical attacks by Clop, the group did not encrypt files in this campaign, but simply exfiltrated data. Fewer than 2,000 devices were believed to be vulnerable, meaning Clop’s attacks were likely very calculated and effective.
    • To mitigate this vulnerability, GoAnywhere MFT users should upgrade to version 7.1.2.
  • ESXiArgs vulnerability (CVE-2021-21974) – In February 2023, a large ransomware campaign exploited this vulnerability in VMware ESXi servers to encrypt an alleged 3,800 ESXi servers. The attackers tried to exploit the flaw to deploy new ransomware, “ESXiArgs,” which is thought to be based on the “Babuk” ransomware’s source code.
  • IBM Aspera Faspex code execution vulnerability (CVE-2022-47986) – The operators of the “IceFire” and “Buhti” ransomware allegedly exploited this flaw to deploy malware specifically on the Linux systems of media and entertainment companies, mainly in Turkey, Iran, Pakistan, and the UAE.
    • As IBM Aspera Faspex 4.4.2 Patch Level 1 and earlier versions are affected, users should immediately apply Patch Level 2 (PL2) to version 4.4.2 to eliminate this issue.

To learn more about vulnerabilities exploited by cybercriminals over the past quarter, check out our Q1 2023 Vulnerability Report.

Ransomware Resilience

The tactics, techniques, and procedures (TTPs) of ransomware groups vary widely, even within groups, because many groups operate ransomware-as-a-service (RaaS) programs. With RaaS, affiliates conduct attacks on behalf of the operators, and those affiliates’ TTPs are likely to differ from attack to attack. So, it’s difficult to identify an attacker before they deploy their ransomware.

Building resilience against ransomware requires organizations to use a defense-in-depth (DiD) strategy, taking into account the many different vectors of attack. Below are general recommendations for building resilience, for organizations of all sizes. They provide a foundation for preventing ransomware attacks.

Network Recommendations

  • Segment networks: Ensure proper network segmentation of devices so that they can only communicate with other devices needed to support their specific business functions.
  • Monitor external-facing assets: Remove any accidental exposure and patch any out-of-date services, prioritizing services that have known vulnerabilities. (Threat actors frequently scan the internet for public-facing assets that have an exploitable vulnerability and gain initial access that way.)

Internal System Recommendations

  • Use application control: Where appropriate and possible, permit only the execution of signed scripts. Consider changing the default handler for JavaScript, Visual Basic, and other executable script formats so that they open in notepad.exe instead of running under wscript.exe. Weaponized script files are used heavily by initial-access malware.
  • Get comprehensive coverage: Ensure coverage is enabled for antivirus (AV) or endpoint detection and response (EDR) tools within your environment, to gain as much visibility as possible into exploit or threat activity. Valuable detection use cases require endpoint logging or visibility.
  • Use automatic updates: Use the auto-software update feature on your computers, mobile devices, and other connected devices, wherever possible and pragmatic.

Account Recommendations

  • Inventory accounts: Service and other privileged accounts in the environment should be accounted for. Ensure they follow the principle of least privilege and are configured with long, complex passwords. (Service accounts are highly prized in ransomware intrusions, given that they are often configured improperly with domain administrator rights.)
  • Use standard user accounts: Internal systems should be used with standard user accounts, not administrative accounts; administrative accounts grant broad system privileges and do not satisfy the principle of least privilege.

Detect Ransomware with ReliaQuest

ReliaQuest customers can use ReliaQuest GreyMatter Detect to help gain visibility into ransomware threats. GreyMatter Detect is a robust library that covers all phases of the ransomware attack lifecycle and helps customers work toward comprehensive coverage, following a DiD strategy. To maximize the value of detection, endpoint logging or visibility is required, in addition to regular reviews to pre-emptively address limited visibility.

Analysis of post-exploitation activity suggests that threat actors favor the techniques listed below; this list can be used to identify coverage gaps in customer environments.

Suspicious Service Installation

This detects an installed service that has a suspicious name. Most legitimate services have descriptive names that make it easy to identify their function.

  • T1543 – Windows Service
  • T1569 – Service Execution

Service Installation in Suspicious Directory

Typically, legitimate services are installed in their respective program folders. Alerting on services that execute files from anomalous directories, such as a top-level directory or a temp directory, can help detect potential lateral movement or persistence.

  • T1543 – Windows Service
  • T1569 – Service Execution
  • T1569.002 – System Services: Service Execution
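The two service-installation use cases above (suspicious name, suspicious directory) can be expressed as a small analytic over service-install events. The following is an added example written for this post; it is not GreyMatter Detect's own logic and not ReliaQuest code. It assumes records with the `service_name` and `image_path` fields that Windows System log Event ID 7045 carries, the sample events are constructed, and the name heuristic (vowel ratio or character entropy of a single alphanumeric token) and the directory list are illustrative choices that a real deployment would tune against an allowlist of known services:

```python
import math
import re
from collections import Counter

# Constructed sample records shaped like the ServiceName / ImagePath fields of
# Windows System log Event ID 7045 ("A service was installed in the system").
# Names and paths are invented for this example, not real telemetry.
SAMPLE_EVENTS = [
    {"service_name": "Windows Update Medic Service",
     "image_path": r"C:\Windows\System32\svchost.exe -k WaaSMedicSvc"},
    {"service_name": "Veeam Backup Service",
     "image_path": r'"C:\Program Files\Veeam\Backup\Veeam.Backup.Service.exe"'},
    {"service_name": "xKq8wZpT",
     "image_path": r"C:\Windows\Temp\xKq8wZpT.exe"},
    {"service_name": "Update",
     "image_path": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe"},
    {"service_name": "Audit Service",
     "image_path": r"C:\svc.exe -run"},
]

# Locations a legitimate service binary rarely runs from. Order matters only
# for which label is reported when several patterns match.
SUSPICIOUS_DIR_PATTERNS = [
    (re.compile(r'^"?[a-z]:\\[^\\]+\.exe', re.I), "at drive root"),
    (re.compile(r"\\users\\[^\\]+\\appdata\\", re.I), "in user AppData"),
    (re.compile(r"\\users\\public\\", re.I), "in Users\\Public"),
    (re.compile(r"\\programdata\\", re.I), "in ProgramData"),
    (re.compile(r"\\perflogs\\", re.I), "in PerfLogs"),
    (re.compile(r"\\temp\\", re.I), "in a temp directory"),
]


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_random_looking_name(name):
    """Heuristic: one alphanumeric token of 6+ characters that is nearly
    vowel-free or has high per-character entropy looks machine-generated.
    Descriptive names ("Windows Update Medic Service") contain spaces and
    never reach this check."""
    token = name.strip()
    if not token.isalnum() or len(token) < 6:
        return False
    vowel_ratio = sum(ch in "aeiouAEIOU" for ch in token) / len(token)
    return vowel_ratio < 0.2 or shannon_entropy(token) >= 3.5


def suspicious_directory(image_path):
    """Label of the first anomalous location the image path matches, else None."""
    for pattern, label in SUSPICIOUS_DIR_PATTERNS:
        if pattern.search(image_path):
            return label
    return None


def analyze_service_event(event, known_good=frozenset()):
    """Return the reasons an installed service looks suspicious (empty if none).
    known_good is the site's allowlist of service names that never alert."""
    reasons = []
    name = event["service_name"]
    if name in known_good:
        return reasons
    if is_random_looking_name(name):
        reasons.append("random-looking service name")
    label = suspicious_directory(event["image_path"])
    if label:
        reasons.append(f"service binary {label}")
    return reasons


def scan_service_installs(events, known_good=frozenset()):
    """Run the analytic over a batch of 7045-style records."""
    findings = []
    for event in events:
        reasons = analyze_service_event(event, known_good)
        if reasons:
            findings.append((event["service_name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in scan_service_installs(SAMPLE_EVENTS):
        print(f"{name!r}: {'; '.join(reasons)}")
```

Run against the constructed batch, the three services that either carry a machine-generated name or start from a temp, AppData, or drive-root location are reported; the two with descriptive names under their program folders are not. The allowlist parameter is the practical knob: baseline the environment first, then alert only on what the baseline does not cover.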

PowerShell Scheduled Task Creation

Threat actors can use PowerShell Scheduled Task Creation to execute malicious commands on a victim’s computer as a persistence mechanism.

  • T1053 – Scheduled Task/Job
  • T1059 – PowerShell
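A detection for this use case can inspect the task definition itself rather than only the process that created it. The following is an added example for this post, not GreyMatter Detect's logic and not ReliaQuest code. It assumes events carrying the TaskContent XML that Security log Event ID 4698 ("A scheduled task was created") records, parses each Exec action, and flags PowerShell actions that hide their window, bypass the execution policy, or run an encoded command; it also decodes the encoded command so an analyst can read what the task would actually run. The sample tasks are constructed, and the encoded payload is a harmless Write-Output built at import time:

```python
import base64
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Constructed TaskContent bodies shaped like the XML carried in Security log
# Event ID 4698. Task names, users and payload are invented for this example;
# the encoded payload is a harmless Write-Output so the example runs offline.
BENIGN_ENCODED = base64.b64encode("Write-Output 'hello'".encode("utf-16le")).decode()


def task_xml(command, arguments):
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


SAMPLE_TASKS = [
    {"task_name": r"\Microsoft\Windows\Backup\NightlyBackup", "subject": "CORP\\svc-backup",
     "content": task_xml("powershell.exe", r"-NonInteractive -File C:\Scripts\nightly-backup.ps1")},
    {"task_name": r"\OneDriveUpdate", "subject": "CORP\\jdoe",
     "content": task_xml("powershell.exe", f"-NoP -W Hidden -Ep Bypass -EncodedCommand {BENIGN_ENCODED}")},
    {"task_name": r"\Cleanup", "subject": "CORP\\jdoe",
     "content": task_xml("cmd.exe", r"/c del /q C:\Temp\*.log")},
]

# Switches that legitimate scheduled scripts rarely need. PowerShell accepts any
# unambiguous prefix of a switch name, so each pattern lists the common prefixes.
ARG_INDICATORS = [
    (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), "hidden window"),
    (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), "execution policy bypass"),
    (re.compile(r"-(?:nop|noprofile)\b", re.I), "profile suppressed"),
]
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Primitives worth a closer look inside a decoded script body.
SCRIPT_INDICATORS = re.compile(
    r"Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|Net\.WebClient|"
    r"Invoke-WebRequest|FromBase64String", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)(?:\.exe)?$", re.I)


def extract_exec_actions(task_content):
    """Yield (command, arguments) for every Exec action in the task XML."""
    root = ET.fromstring(task_content)
    actions = []
    for exec_node in root.iter(TASK_NS + "Exec"):
        command = (exec_node.findtext(TASK_NS + "Command") or "").strip()
        arguments = (exec_node.findtext(TASK_NS + "Arguments") or "").strip()
        actions.append((command, arguments))
    return actions


def decode_encoded_command(arguments):
    """Return the UTF-16LE script behind -EncodedCommand, or None if absent."""
    match = ENCODED_RE.search(arguments)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return "<undecodable payload>"


def analyze_task_event(event):
    """Describe why a created task looks suspicious; reasons is empty if it does not."""
    reasons = []
    decoded = None
    for command, arguments in extract_exec_actions(event["content"]):
        if not POWERSHELL_RE.search(command):
            continue
        for pattern, label in ARG_INDICATORS:
            if pattern.search(arguments):
                reasons.append(label)
        payload = decode_encoded_command(arguments)
        if payload is not None:
            decoded = payload
            reasons.append("encoded command")
            if SCRIPT_INDICATORS.search(payload):
                reasons.append("download/evaluation primitive in decoded script")
    return {"task_name": event["task_name"], "subject": event["subject"],
            "reasons": reasons, "decoded_command": decoded}


def scan_task_creations(events):
    """Run the analytic over a batch of 4698-style records, keeping only hits."""
    return [r for r in (analyze_task_event(e) for e in events) if r["reasons"]]


if __name__ == "__main__":
    for hit in scan_task_creations(SAMPLE_TASKS):
        print(hit["task_name"], hit["subject"], hit["reasons"], hit["decoded_command"])
```

Only the hidden, policy-bypassing, encoded task is reported; the backup task that runs a script file with ordinary switches and the cmd.exe task are not. Surfacing the decoded command alongside the alert is what makes the use case actionable, since the analyst sees the script the task would run rather than a base64 blob.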

Impacket Lateral Movement

Impacket is favored by many threat actors because it uses Windows management protocols to execute remote commands from a compromised user account. This creates a unique detection opportunity during the lateral movement phase of an attack.

  • T1021 – Remote Services
  • T1047 – Windows Management Instrumentation
  • T1053 – Scheduled Task/Job
  • T1059 – Command and Scripting Interpreter
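The detection opportunity described above comes from how Impacket's example scripts collect command output: they spawn a quiet cmd.exe under a management-protocol host (WMI provider host, Service Control Manager, Task Scheduler, DCOM) and redirect its output to the local machine's own administrative share over SMB, using a recognisable file name. The following added example (not GreyMatter Detect's logic, not ReliaQuest code) scores process-creation records on those publicly documented artifacts. It assumes records with the parent image, image, command line and user fields found in Sysmon Event ID 1 or Security Event ID 4688; the records are constructed, and the parent list and the two-of-three scoring are illustrative choices:

```python
import re

# Constructed process-creation records with the fields a Sysmon Event ID 1 or
# Security Event ID 4688 record carries. Hosts, users and paths are invented.
SAMPLE_PROCESSES = [
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1681234567.89 2>&1",
     "user": "CORP\\svc-backup"},
    {"parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": (r"C:\Windows\system32\cmd.exe /Q /c echo hostname ^> \\127.0.0.1\C$\__output 2^>^&1 "
                      r"> C:\Windows\TEMP\execute.bat & C:\Windows\system32\cmd.exe /Q /c "
                      r"C:\Windows\TEMP\execute.bat & del C:\Windows\TEMP\execute.bat"),
     "user": "NT AUTHORITY\\SYSTEM"},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /C ipconfig > \\127.0.0.1\ADMIN$\Temp\kXyzABCD.tmp 2>&1",
     "user": "CORP\\svc-backup"},
    # A WMI-launched collector with no output redirection: plausible legitimate use.
    {"parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c C:\Program Files\Monitoring\collect.cmd",
     "user": "CORP\\svc-monitor"},
    # An interactive user redirecting output to a local file.
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c dir > C:\Users\jdoe\out.txt",
     "user": "CORP\\jdoe"},
]

# Parents that spawn a shell on behalf of a remote caller (WMI, SCM, Task
# Scheduler, DCOM). svchost.exe is broad, which is why the parent alone never
# alerts: it only counts together with the quiet-shell form.
REMOTE_EXEC_PARENTS = {"wmiprvse.exe", "services.exe", "svchost.exe", "mmc.exe", "dllhost.exe"}

# Output written to the loopback administrative share, the channel Impacket's
# wmiexec/smbexec/atexec/dcomexec use to fetch command results over SMB.
LOOPBACK_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\(?:ADMIN\$|C\$)\\", re.I)
# File names those scripts use by default: __<unix time>, __output, or an
# eight-letter .tmp under ADMIN$\Temp.
IMPACKET_OUTPUT_FILE = re.compile(
    r"\\__(?:output|\d+\.\d+)\b|\\ADMIN\$\\Temp\\[A-Za-z]{8}\.tmp", re.I)
QUIET_CMD = re.compile(r"\bcmd(?:\.exe)?\s+/Q\s+/c\b", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_process(rec):
    """Return the Impacket-style artifacts present in one cmd.exe launch."""
    reasons = []
    if basename(rec["image"]) != "cmd.exe":
        return reasons
    cmd = rec["command_line"]
    parent = basename(rec["parent_image"])
    if LOOPBACK_SHARE_REDIRECT.search(cmd):
        reasons.append("output redirected to loopback admin share")
    if IMPACKET_OUTPUT_FILE.search(cmd):
        reasons.append("Impacket-style output file name")
    if parent in REMOTE_EXEC_PARENTS and QUIET_CMD.search(cmd):
        reasons.append(f"quiet shell spawned by {parent}")
    return reasons


def scan_process_events(records, min_reasons=2):
    """Report records that show at least min_reasons artifacts; the loopback
    share redirect alone would already be unusual, but requiring two keeps
    one odd admin script from paging anyone."""
    findings = []
    for rec in records:
        reasons = classify_process(rec)
        if len(reasons) >= min_reasons:
            findings.append({"user": rec["user"],
                             "parent": basename(rec["parent_image"]),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_process_events(SAMPLE_PROCESSES):
        print(hit["user"], hit["parent"], hit["reasons"])
```

The three constructed records that match the wmiexec, smbexec and atexec output patterns are reported with the user and the spawning parent, which is what an analyst needs to pivot to the source host; the WMI-launched monitoring script and the interactive user's redirect are not. Because Impacket's affiliates run these tools from already-compromised accounts, the user field in the finding is the account to start the investigation from.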

Digging Deeper

Our full quarterly ransomware report offers:

  • Comprehensive analysis of ransomware activity in Q1 2023
  • Intelligence on the most active ransomware groups that quarter, including background information, TTPs, and victimology
  • MITRE ATT&CK techniques to provide insight into the TTPs used by top ransomware groups
  • Breakdown of ransomware targeting, by sector
  • Analysis of the most targeted countries
  • General recommendations to protect against ransomware
  • Ways to protect yourself against ransomware with ReliaQuest’s help

You can also check out other ransomware-related blogs, such as our analysis of a Qbot campaign that ended with Black Basta ransomware and a SocGholish FakeUpdates campaign aimed at deploying ransomware. In addition, our threat research podcast, ShadowTalk, provides weekly discussions of new ransomware and cybercrime.