
Understanding Ransomware: A Deep Dive into the Threats and Trends  

Ransomware continues to be one of the most pervasive and destructive cyber threats today, and it remains the most prevalent modus operandi for threat actors. With new methods of attack and increasingly sophisticated ransomware groups, it is essential to stay informed about how these threats operate and which industries are most at risk. Our Advanced Threat Operations team explored the initial access methods used by ransomware threat actors, highlighted the most active ransomware groups in 2023, and identified the industries that are most frequently targeted. 

Initial Access Methods 

Ransomware attacks often begin with gaining initial access to a victim’s network. Here are the primary methods used by threat actors: 

Phishing Emails 

One of the most common methods is phishing. Threat actors commonly deploy phishing emails embedded with remote access trojans (RATs) to establish initial persistence on user endpoints. From this foothold, they can perform lateral movements across the IT environment, escalating their access. Additionally, they often use credential harvesters to compromise user accounts, leveraging these credentials for initial network access. 

Exploiting RDP Vulnerabilities 

Remote Desktop Protocol (RDP) vulnerabilities are another significant entry point. RDP allows remote access to systems, and threat actors exploit weaknesses in this protocol to gain unauthorized access to networks. By identifying and exploiting these vulnerabilities, they can infiltrate a system without the need for user interaction. Ontinue has seen a significant increase in threat actors socially engineering users into establishing remote desktop sessions on their endpoints using legitimate software such as AnyDesk and TeamViewer. This typically involves threat actors impersonating help desk personnel and contacting users via phone calls about a fictitious issue with their device. 
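From a detection standpoint, the help-desk impersonation pattern described above leaves a recognisable trace: a legitimate remote access tool launched on an endpoint where it is not expected, often from the user's Downloads folder and spawned by a browser. The following is an added example (not code from Ontinue or the original post) that scans constructed process-creation log lines for exactly that; the log format, the tool list and the approved-host allowlist are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation events (not real telemetry).
SAMPLE_LOGS = [
    "2023-11-02T09:14:03Z host=WS-0412 user=jdoe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe parent=chrome.exe",
    "2023-11-02T09:14:40Z host=WS-0412 user=jdoe image=C:\\Users\\jdoe\\Downloads\\AnyDesk.exe parent=explorer.exe",
    "2023-11-02T10:02:11Z host=IT-JUMP01 user=svc_helpdesk image=C:\\Program Files\\TeamViewer\\TeamViewer.exe parent=services.exe",
    "2023-11-02T10:30:55Z host=WS-0777 user=asmith image=C:\\Windows\\System32\\notepad.exe parent=explorer.exe",
]

# Remote access tools that are legitimate software but abused in this scenario.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}
# Hosts on which the real help desk is permitted to run these tools (assumed allowlist).
APPROVED_HOSTS = {"IT-JUMP01"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) parent=(?P<parent>\S+)$"
)

@dataclass
class Alert:
    ts: str
    host: str
    user: str
    tool: str
    reason: str

def parse_line(line):
    """Return the event fields as a dict, or None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect_unapproved_remote_tools(lines):
    """Flag remote access tool launches on hosts outside the allowlist, with context on why."""
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in REMOTE_ACCESS_TOOLS or ev["host"] in APPROVED_HOSTS:
            continue
        reason = "remote access tool on non-approved host"
        # Running from a user profile path is a stronger signal: the victim was talked
        # into downloading and running the installer rather than using a managed deployment.
        if "\\users\\" in ev["image"].lower():
            reason += "; run from user profile path"
        if ev["parent"].lower() in BROWSERS:
            reason += "; spawned by browser"
        alerts.append(Alert(ev["ts"], ev["host"], ev["user"], exe, reason))
    return alerts
```

In a real environment the allowlist would be driven by the organisation's own deployment records, and the same logic can be expressed as a SIEM rule over Sysmon Event ID 1 or Windows Event ID 4688 data.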

Exploiting Software Vulnerabilities 

Software vulnerabilities present another opportunity for threat actors. Exploits in widely used software, such as the Citrix Bleed or WinRAR vulnerabilities, provide a pathway for unauthorized access. Keeping software up to date is crucial to mitigate these risks. 

Social Engineering 

Social engineering remains a powerful tool in the arsenal of cybercriminals. Techniques such as impersonation and manipulation deceive individuals into providing sensitive information or system access. These methods rely on human psychology rather than technical vulnerabilities, making them particularly challenging to defend against. 

The Most Targeted Industries 

The ransomware threat landscape showed a clear preference for certain industries: 

Information Technology 

The information technology sector is a prime target due to its large attack surface and the critical nature of its operations. Almost half of the ransomware attacks in 2023 targeted this sector, aiming to exploit its financial resources and operational significance. 

Construction 

The construction industry also saw a high number of ransomware attacks. Similar to the IT sector, construction companies often have large networks and valuable data, making them attractive targets for ransomware groups. The financial impact and operational disruptions caused by these attacks can be devastating. 

Ransomware remains a significant threat in 2024, with advanced techniques and persistent threat actors like LockBit and 8Base continuing to launch successful attacks. Industries such as information technology and construction are particularly vulnerable due to their large attack surfaces and valuable data. Understanding the methods used for initial access and staying vigilant against these threats is essential for protecting against ransomware. 

By staying informed and proactive, businesses and individuals can better defend themselves against the ever-evolving ransomware threat landscape. 

Read our full End of Year 2023 Threat Intelligence report from our Advanced Threat Operations team.  

 
Stay tuned for our 1H 2024 Threat Intelligence Report coming soon!  

Article By

William Bailey
Senior SOC Analyst

Will is a Senior SOC Analyst at Ontinue.