A recently released report by cybersecurity company Sophos highlights the ever-evolving tactics used by cybercriminals and the challenges faced by security teams. The 2023 Sophos Active Adversary Report for Business Leaders is based on more than 150 incident response cases and identifies over 500 unique tools and techniques used by attackers.
One key finding of the report is the persistent threat posed by ransomware. The majority of incidents examined by the Sophos incident response team (68%) were linked to ransomware, making it a prevalent and potent threat. This consistent pattern is evident in Sophos’ incident response investigations over the past three years, where ransomware has accounted for nearly three-quarters of all cases.
The report identifies several ransomware gangs that have been particularly active in 2022. LockBit tops the list, accounting for 15.24% of the cases handled by Sophos. It is closely followed by BlackCat (13%), Hive (12%), and Phobos (11%). The data also reveals an increase in the number of active ransomware gangs, with 31 identified in 2022 compared to 28 in 2021.
Another significant finding is the prevalence of data exfiltration in ransomware attacks. In 2022, Sophos investigators confirmed 65 data exfiltration events, almost half (42.76%) of the cases, and a further 12% of cases showed signs of possible exfiltration or data staging, so roughly 55% of cases involved confirmed or likely theft of data. The report also notes that exfiltration may have occurred in cases where no conclusive evidence survived, which highlights how hard it is for organizations to establish the true extent of a breach.
The report also sheds light on the shrinking “dwell time” for attackers, the period between initial access and detection. In 2022, the median dwell time across all attack types fell from 15 to 10 days, and for ransomware attacks specifically from 11 to 9 days. This decline suggests that attackers are moving faster from initial access to their objective. It may also reflect improvements in defenders’ detection capabilities.
Despite these improvements, the report emphasizes the importance of a proactive defense strategy. It highlights the ongoing problem of unpatched vulnerabilities, which attackers continue to exploit. Exploited vulnerabilities were the root cause in 37% of cases, the largest single category for the second consecutive year. The report urges organizations to prioritize patch management so that known vulnerabilities do not remain open entry points for cybercriminals.
The report concludes by reminding business leaders that no organization is immune from compromise. Complacency can leave networks vulnerable to attacks and data exfiltration. To strengthen defenses and evaluate cybersecurity posture, the report recommends seeking assistance from cybersecurity experts like Sophos.
Taken together, the 2023 Sophos Active Adversary Report for Business Leaders highlights the persistent threat of ransomware, the prevalence of data exfiltration, the shrinking dwell time for attackers, and the ongoing problem of unpatched vulnerabilities. It serves as a reminder for organizations to stay vigilant and proactive in their cybersecurity efforts.
