CrowdStrike: Threat actors shifting away from ransomware

CrowdStrike's '2023 Global Threat Report' showed a 20% increase in the number of threat actors using data theft and extortion tactics without deploying actual ransomware.

Threat actors are shifting away from traditional ransomware and toward malware-free cyber attacks, according to a new report from CrowdStrike.

The cybersecurity vendor this week published its "2023 Global Threat Report," which annually compiles CrowdStrike's research related to cybercrime, or "eCrime," from the previous year. Major topics covered in the 2023 report include malware-free extortion attacks, cloud-related attacks and ongoing geopolitical conflicts.

The vendor observed a 20% increase in the number of threat actors using data theft and extortion without deploying actual ransomware. CrowdStrike illustrated an example of this through Lapsus$, which the vendor refers to as "Slippy Spider."

Lapsus$ gained attention in early 2022 for its extortion-led attacks against Microsoft, Nvidia and others. The attacks primarily involved source code, and it's unknown if any of Lapsus$'s large ransom demands were met, but the gang's "name-and-shame" activity was one of the high-profile examples of extortion-led attacks last year.

Adam Meyers, senior vice president of intelligence at CrowdStrike, told TechTarget Editorial that the rise in extortion speaks to the adaptability of cyber adversaries. He added that while ransom payments were down slightly in 2022, both extortion and ransomware-as-a-service (RaaS) saw significant boosts.

CrowdStrike noted an overall shift away from malware. The vendor said malware-free activity accounted for 71% of its threat detections in 2022, up from 62% in 2021.

"This was partly related to adversaries' prolific abuse of valid credentials to facilitate access and persistence in victim environments," the report read. "Another contributing factor was the rate at which new vulnerabilities were disclosed and the speed with which adversaries were able to operationalize exploits."

Despite the shift away from traditional ransomware deployment, CrowdStrike noted that RaaS networks have proven to be resilient, and warned that affiliated hackers will continue to be a primary threat as they shift from one network to another.

"Even our wins on the security front were tempered by the adversaries' ability to adapt," the report said. "Collaboration between the government and private sector dramatically improved, resulting in the arrest and dismantling of some of the world's most notorious ransomware gangs -- only to see splinter groups recalibrate and flourish."

Cloud attacks on the rise

Another major data point involved cybercrime against cloud environments. Cloud exploitation cases increased by 95% over the course of 2022, CrowdStrike said, and attacks against cloud environments by "cloud-conscious" threat actors nearly tripled.

"This growth indicates a larger trend of eCrime and nation-state actors adopting knowledge and tradecraft to increasingly exploit cloud environments," the report read.

CrowdStrike listed a number of the most popular tactics, techniques and procedures that cloud actors have used. Adversaries primarily used valid accounts to gain initial access to cloud environments, with other techniques involving password resets or deploying web shells.

For gaining lateral movement, protocols such as remote desktop protocol, SSH and Microsoft's Server Message Block protocol were commonly used; actors gained privilege escalation by obtaining higher-privilege accounts; and threat actors often evaded defenders by deactivating security products running inside virtual machines.

One of the more notable data points involved impact. The report claimed that destruction, not resource hijacking, was the most common impact-centered technique seen in 2022. Destruction, CrowdStrike said, included "actors removing access to accounts, terminating services, destroying data and deleting resources."

Asked about a potential solution to increasing cloud threats, Meyers said organizations need "unified protection across endpoint, workload, identity, and data," such as a CNAPP.

"By combining protection of the workload with identity and data, organizations will be able to build a more complete picture of enterprise risk," he said. "On top of that, stopping cloud breaches requires both agent and agentless capabilities to protect against misconfiguration, control plane and identity-based attacks, combined with runtime security that protects cloud workloads. A strong CNAPP solution that unifies posture and infrastructure entitlement management with breach protection for cloud workloads in a single platform enables organizations to get end-to-end protection from the host to the cloud."

Alexander Culafi is a writer, journalist and podcaster based in Boston.

Dig Deeper on Data security and privacy