Mandiant, a cybersecurity vendor, recently released a report highlighting concerning trends in ransomware activities in 2023. The report specifically focused on the increase in data theft and the use of public data leak sites by threat actors during ransomware attacks.
According to Mandiant’s blog post, there has been a noticeable rise in the number of ransomware families, along with changes in deployment timelines and in the tools threat actors most commonly use in attacks. The research was based on incident response cases where victim organizations sought Mandiant’s services directly.
One significant trend observed by Mandiant was the surge in the use of public data leak sites to shame victims into paying the ransom demand. The report noted a 30% increase in the creation of new data leak sites, where ransomware threat actors posted stolen data. This trend indicates a shift towards a more aggressive approach by threat actors to pressure victims into compliance.
The report also highlighted that 2023 saw the highest volume of posts on shaming sites since Mandiant started tracking the data in 2020. During the third quarter of the year, over 1,300 posts were recorded on leak sites, with 30% attributed to newly identified data leak sites associated with ransomware families like RoyalLocker/BlackSuit, Rhysida, and RedBike/Akira.
Mandiant also analyzed more than 50 new ransomware variants and families in 2023, with a notable trend being the emergence of offshoots of previously identified families. This suggests that threat actors may be forming new alliances or rebranding rather than creating entirely new offerings.
Furthermore, the report highlighted the risks that threat actors take to exfiltrate data from victim organizations. Mandiant noted that nearly 60% of incidents involved confirmed or suspected data theft, indicating a growing trend of combining data theft with ransomware attacks for increased leverage.
In terms of attack tactics, Mandiant observed that threat actors increasingly used legitimate remote management tools during intrusions to avoid detection by endpoint detection and response products. The use of legitimate tools in attacks surged from 23% in 2022 to 41% in 2023, with AnyDesk being a popular choice among attackers.
Additionally, the report pointed out a shift in how threat actors gained initial access to networks. Instead of developing or purchasing zero-day exploits, threat actors increasingly exploited known vulnerabilities, or N-days, for which proof-of-concept exploits were publicly available. This shift in tactics highlights the adaptability of ransomware actors in evading detection and gaining unauthorized access.
Despite the alarming trends in ransomware activities, Mandiant recognized recent law enforcement efforts that disrupted major ransomware groups like LockBit and BlackCat/Alphv. These actions demonstrate a proactive approach to combatting ransomware threats, although threat actors remain resilient and adaptable in the face of obstacles.
Overall, the report by Mandiant underscores the evolving nature of ransomware attacks and the need for continued vigilance and proactive measures to protect organizations from the growing threat of data theft and extortion.

