Dive Brief:
- Ransomware activity surged last year as attackers flocked to legitimate remote access tools to break into enterprise networks, Mandiant said in a Monday report.
- There were 4,520 posts on data leak sites last year, a 75% increase from 2022. Threat groups use data leak sites to make claims and ramp up pressure on alleged victims. Mandiant tracked more than 1,200 posts in the second quarter and more than 1,300 in the third, a quarterly record.
- In 2023, Mandiant led 20% more investigations involving ransomware than the previous year, further evidence of a swell in attacks. “The slight dip in extortion activity in 2022 was an anomaly,” the incident response and research firm said.
Dive Insight:
Mandiant’s findings accentuate the industry’s collective inability to reduce ransomware attacks and the significant damage they inflict on businesses and people.
Mandiant conducted a record number of ransomware incident response investigations last year, as it saw the highest volume of data leak site posts since it began tracking shaming sites in 2020. The alleged victim organizations named on data leak sites spanned more than 110 countries last year.
Nearly 3 in 5 ransomware attacks Mandiant observed last year involved confirmed or suspected data theft.
Most initial access vectors for ransomware attacks in 2023 involved stolen credentials or exploited vulnerabilities in public-facing infrastructure, according to Mandiant’s research.
“In almost 40% of incidents where the initial access vector was identified, threat actors used compromised legitimate credentials to gain access to victim environments, either through the use of stolen credentials or brute-force attacks,” Mandiant researchers said in the report. “The vast majority of these incidents involved authentication to a victim's corporate VPN infrastructure.”
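The credential-based access pattern described above (brute force against a VPN login, or a stolen password that simply works) is one of the more detectable stages of a ransomware intrusion, because the VPN gateway logs every authentication attempt. The following is an added example, not code from the Mandiant report or from the article, of detection logic run over VPN authentication records: it flags a source address that hammers one account, a success that follows such a burst (the strongest signal that working credentials are now in the attacker's hands), and password spraying, where one source tries many accounts a few times each. The log line format, the field names, the thresholds and the sample events are all assumptions constructed for illustration; a real deployment would adapt the regular expression to the gateway's actual format and tune the window and thresholds to the environment's baseline.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed syslog-like VPN authentication record format (an assumption for this example).
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)$"
)
WINDOW = timedelta(minutes=10)  # look-back window per source address (assumed tuning)
BRUTE_FORCE_THRESHOLD = 5       # failures against one account from one source
SPRAY_THRESHOLD = 8             # distinct accounts failed from one source

# Constructed sample events: a brute force that eventually succeeds, a password
# spray across nine accounts, a user who mistypes twice, and a normal login.
SAMPLE_LOG = """\
2023-09-12T02:14:01Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:14:09Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:14:17Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:14:25Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:14:33Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:14:41Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=FAIL
2023-09-12T02:16:40Z vpn-gw1 auth user=jsmith src=203.0.113.45 result=SUCCESS
2023-09-12T03:01:00Z vpn-gw1 auth user=aadams src=203.0.113.46 result=FAIL
2023-09-12T03:01:05Z vpn-gw1 auth user=bbrown src=203.0.113.46 result=FAIL
2023-09-12T03:01:10Z vpn-gw1 auth user=cclark src=203.0.113.46 result=FAIL
2023-09-12T03:01:15Z vpn-gw1 auth user=ddavis src=203.0.113.46 result=FAIL
2023-09-12T03:01:20Z vpn-gw1 auth user=eevans src=203.0.113.46 result=FAIL
2023-09-12T03:01:25Z vpn-gw1 auth user=ffoster src=203.0.113.46 result=FAIL
2023-09-12T03:01:30Z vpn-gw1 auth user=ggreen src=203.0.113.46 result=FAIL
2023-09-12T03:01:35Z vpn-gw1 auth user=hhall src=203.0.113.46 result=FAIL
2023-09-12T03:01:40Z vpn-gw1 auth user=iirwin src=203.0.113.46 result=FAIL
2023-09-12T08:00:00Z vpn-gw1 auth user=mlee src=198.51.100.7 result=FAIL
2023-09-12T08:00:20Z vpn-gw1 auth user=mlee src=198.51.100.7 result=FAIL
2023-09-12T08:00:45Z vpn-gw1 auth user=mlee src=198.51.100.7 result=SUCCESS
2023-09-12T09:30:00Z vpn-gw1 auth user=rroe src=198.51.100.22 result=SUCCESS
"""


def parse_events(text):
    """Parse log lines into dicts sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"],
            "src": m["src"],
            "ok": m["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return alerts for brute force, brute force followed by success, and password spraying."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    for src, evs in by_src.items():
        recent = []       # failures from this source that fall inside WINDOW
        reported = set()  # (kind, user) pairs already alerted on, to avoid repeats
        for e in evs:
            recent = [f for f in recent if e["ts"] - f["ts"] <= WINDOW]
            if not e["ok"]:
                recent.append(e)
                per_user = sum(1 for f in recent if f["user"] == e["user"])
                if per_user >= BRUTE_FORCE_THRESHOLD and ("brute_force", e["user"]) not in reported:
                    reported.add(("brute_force", e["user"]))
                    alerts.append({"kind": "brute_force", "src": src,
                                   "user": e["user"], "ts": e["ts"]})
                distinct = {f["user"] for f in recent}
                if len(distinct) >= SPRAY_THRESHOLD and ("password_spray", None) not in reported:
                    reported.add(("password_spray", None))
                    alerts.append({"kind": "password_spray", "src": src, "user": None,
                                   "ts": e["ts"], "accounts": sorted(distinct)})
            else:
                # A success right after a burst of failures against the same account is the
                # highest-value signal: the source most likely now holds working credentials.
                prior = sum(1 for f in recent if f["user"] == e["user"])
                if prior >= BRUTE_FORCE_THRESHOLD:
                    alerts.append({"kind": "brute_force_success", "src": src,
                                   "user": e["user"], "ts": e["ts"]})
    return alerts


def analyze(text):
    """Parse and detect in one step; returns the list of alert dicts."""
    return detect(parse_events(text))


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["ts"].isoformat(), a["kind"], a["src"], a["user"] or a.get("accounts"))
```

Two design points matter in practice. First, the window is tracked per source address rather than per account, so a spray that touches each account only once still accumulates into one alert; an attacker rotating through many source addresses defeats this and needs an account-centric view as well. Second, the two-failure login from 198.51.100.7 produces no alert, which is the point of the threshold: a detector that fires on every mistyped password is ignored long before a real brute force arrives. Note that a purely stolen credential used correctly on the first attempt (the other half of the pattern Mandiant describes) produces no failures at all and is invisible to this logic; catching it needs different signals, such as logins from new geographies or devices, or simply multi-factor authentication on the VPN.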
Exploited vulnerabilities accounted for almost 30% of ransomware attacks last year, up from 24% in 2022, according to Mandiant.
“The observed increasing reliance on legitimate tools likely reflects efforts by attackers to conceal their operations from detection mechanisms and reduce the time and resources required to develop and maintain custom tools,” the report said. “Similarly, while we still consistently see vulnerability exploitation as a popular method to gain initial access to a victim environment, threat actors more commonly relied on known vulnerabilities.”