While ransomware may recede from the headlines, the threat never goes away.

The FBI and CISA issued a joint cybersecurity statement in early June that the CL0P Ransomware Gang, also known as TA505, had begun exploiting a SQL injection vulnerability in Progress Software’s MOVEit Transfer web application. Although the vendor disclosed the vulnerability on May 31 and announced it had been patched, hundreds of organizations reportedly had been breached within a month. The takeaway? While ransomware may recede from the headlines, the threat never goes away.

The MOVEit vulnerability is believed to have compromised as many as 20 million accounts at banks, universities, retirement systems, and government agencies around the world. It is the latest known assault from TA505, which has operated Ransomware as a Service and employed the “double extortion” tactic that such groups use to turn up the heat on victims who don’t immediately pay up: not only will your files remain encrypted and inaccessible to you, but your organization will also be “named and shamed” when the attacker leaks stolen data and publicizes details of who and what was attacked.

Like all things, ransomware stands on the brink of disruption from artificial intelligence. “It will only be a matter of months before malicious threat actors use widely available AI source code to perfect their techniques,” CSO declared in a recent article profiling Finnish security expert Mikko Hypponen. "What I'm really waiting for, and it's going to happen in the next couple of months, is complete automation of malware campaigns," Hypponen told CSO.

Another troubling development is the proliferation of small, emerging groups of hackers who are leveraging widely available source code to “roll their own ransomware,” says Nick Biasini, Head of Outreach with the Cisco Talos threat intelligence group.
Many of those smaller groups are targeting small-dollar payoffs, while larger “extortion and ransom cartels” are working with affiliates on large-scale, big-money attacks, he said.

Security and IT leaders need to be thinking three steps ahead to combat ransomware attacks as they become more advanced and mature over time, with constant sharing of knowledge across the cyber-attacker universe and reworking of older attack tools and tactics.

Biasini says one priority should be protecting credentials with multi-factor authentication at multiple levels of the network (so that it still applies even after an attacker has gained access) and installing services that prevent privilege escalation in order to protect assets. That also requires a full understanding of which assets are in use and which are most critical to defend. Most important, he adds, is protecting the endpoint, “because that’s usually where the compromise occurs and where the actor is going to be running commands.” Security teams also need appropriate logging tools in order to track where and when a compromise occurred.

Alongside these strategies, organizations need vulnerability management to ensure that software patching eliminates known exposures. Cloud security services, such as Cisco Umbrella, can provide an integrated set of tools to ensure flexible security protection on and off the network, along with consistent policies across remote locations. “That tends to be a relatively light lift that is easy to implement and gets a lot of wins very quickly,” he says. “Most malicious activity is going to involve domains at some level.”

Through Cisco's latest enhancements, organizations are now able to automatically recover from ransomware attacks with first-of-its-kind capabilities in Cisco Extended Detection and Response (XDR).