Cisco Talos analyzed the top 14 ransomware groups of 2023 to 2024 to reconstruct their attack chains and highlight their tactics, techniques, and procedures (TTPs). The analysis also identified the vulnerabilities most frequently exploited by ransomware actors.
The typical ransomware attack chain begins with the threat actor gaining access to the target organization through social engineering, exploitation of vulnerabilities, or misconfigurations. The attacker then establishes persistence on the compromised system and scans the network to identify data valuable enough to support a ransom demand. Once that data is collected, it is exfiltrated to attacker-controlled servers before the ransomware is executed to encrypt systems across the network.
Cisco Talos identified three vulnerabilities commonly exploited by ransomware threat actors: Zerologon (CVE-2020-1472), the Fortinet FortiOS SSL VPN vulnerability (CVE-2018-13379), and the GoAnywhere MFT vulnerability (CVE-2023-0669). These flaws give ransomware actors initial access, from which they manipulate systems and execute malicious payloads inside the compromised network.
Cisco Talos also examined the TTPs of the 14 ransomware groups, selected on the basis of attack volume, customer impact, and behavior. The analysis revealed that many groups prioritize defense evasion and gaining initial access during their attacks. Common techniques include hiding malicious code, dumping LSASS memory to harvest credentials, and using commercially available tools for command-and-control (C2) activity.
To mitigate the threat of ransomware, organizations are advised to patch and update all systems and software regularly, enforce strict password policies, implement multi-factor authentication, and apply hardening best practices to systems and environments. Network segmentation, endpoint monitoring, and deploying a security information and event management (SIEM) system are also recommended to strengthen defenses.
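Of the techniques listed above, LSASS memory dumping is one that the endpoint monitoring recommended here can flag directly. The following is an added example, not code from the TechRepublic article or from Cisco Talos: detection logic run over constructed Sysmon Event ID 10 (ProcessAccess) records that flags any process opening lsass.exe with rights that allow reading its memory, excluding a small allow-list of expected system processes. Field names follow the Sysmon schema; the allow-list contents and the sample records are assumptions.

```python
# Added example: flag handle opens on lsass.exe that permit reading its memory,
# using Sysmon Event ID 10 (ProcessAccess) records. Not from the article or
# Cisco Talos; allow-list and sample events are constructed assumptions.
from dataclasses import dataclass

PROCESS_VM_READ = 0x0010  # Windows access right required to read another process's memory

# Assumed allow-list of system/security processes that legitimately open LSASS.
ALLOWED_SOURCES = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\programdata\microsoft\windows defender\platform\msmpeng.exe",
}

@dataclass(frozen=True)
class Finding:
    source_image: str
    granted_access: int

def is_lsass_read(event: dict) -> bool:
    """True if this Event ID 10 record targets lsass.exe with VM_READ rights
    from a process outside the allow-list."""
    if event.get("EventID") != 10:
        return False
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return False
    if event.get("SourceImage", "").lower() in ALLOWED_SOURCES:
        return False
    granted = int(event.get("GrantedAccess", "0x0"), 16)  # Sysmon logs this as hex text
    return bool(granted & PROCESS_VM_READ)

def scan(events: list[dict]) -> list[Finding]:
    """Return one Finding per suspicious LSASS access in the event stream."""
    return [Finding(e["SourceImage"], int(e["GrantedAccess"], 16))
            for e in events if is_lsass_read(e)]

# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceImage": r"C:\Users\alice\AppData\Local\Temp\tool.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 10, "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    {"EventID": 1, "SourceImage": r"C:\Windows\System32\cmd.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"suspicious LSASS access: {f.source_image} (0x{f.granted_access:X})")
```

Only the second record is flagged: the csrss.exe open is allow-listed, the svchost.exe open (0x1400) carries query rights but not VM_READ, and the last record is not a ProcessAccess event at all.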
Disclosure: The author is employed by Trend Micro, but the opinions expressed in this article are their own.
Article Source
https://www.techrepublic.com/article/cisco-talos-ransomware-ttps/