According to research by Microsoft Intelligence, more than 100 cybercriminals or criminal groups are currently actively using ransomware as their primary weapon, as well as offering ransomware as a service. The tech giant says this in a Twitter thread about ransomware.
According to the Twitter posts, the tech giant's security teams have more than 100 "threat actors" in their sights who spread ransomware during attacks. More than 50 unique ransomware families are also said to be actively tracked. Currently, the tech giant identifies the Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal ransomware payloads as the most prominent threats.
Notes on attack strategies
In the study, Microsoft further notes that ransomware spreaders are increasingly using the same strategy. The break-in and the way attackers then move through networks can increasingly be monitored.
In addition, Microsoft indicates that attackers are increasingly relying on attack tactics that go beyond phishing. For example, recently discovered attacks such as DEV-0671 and DEV-0882 target recently patched Exchange vulnerabilities. Their goal is to compromise vulnerable servers and deploy Cuba and Play ransomware on them.
Defense not just focusing on payloads
In response, Microsoft indicates in the Twitter thread that defence strategies against ransomware should focus less on the payloads themselves. It is more important to focus on the chain of events that allows them to be deployed, especially since ransomware criminals are increasingly attacking servers or devices that have not yet been patched against common or recently known vulnerabilities.
For example, more than 60,000 Internet-connected Exchange servers are still vulnerable to ProxyNotShell RCE exploits, among others. Also, thousands of servers have yet to be secured against attacks based on the ProxyShell and ProxyLogon vulnerabilities.
Tip: Microsoft “strongly urges” admins to update their Exchange Servers