Sophos: Ransomware present in 70% of IR investigations

Sophos said the majority of cyberattacks it investigated in 2023 involved ransomware, while 90% of all incidents included abuse of remote desktop protocol.

The security vendor published its Active Adversary Report of 2024 Wednesday that drew on data from more than 150 incident response (IR) investigations it conducted in 2023. Breaking down the data set, 88% of the investigations were derived from organizations with fewer than 1,000 employees, while 55% involved companies with 250 employees or fewer. Twenty-six sectors were represented, and manufacturing remained the No. 1 sector to engage the Sophos IR team for the fourth consecutive year.

For the report, Sophos tracked attack types, initial access vectors and root causes, and found that trends have remained consistent for the past two years. While attackers frequently abuse remote desktop protocol (RDPs) and credential access to infiltrate a victim's network, enterprises continue to leave RDPs exposed and often lack multifactor authentication (MFA) protocols.

Sophos added that enterprises also fell short regarding sufficient log visibility, which can hinder IR investigations.

"Often, the sole differences between organizations that are breached and ones that aren't are 1) the preparation entailed by selecting and putting the proper tools in place and 2) the knowledge and readiness to act when required," Sophos wrote in the report. "Most of the tools and techniques described in this report have solutions, or at the very least, mitigations to limit their harm, but defenses are simply not keeping up."

Like many other vendors, Sophos found ransomware to be the most prevalent attack type in 2023; the threat accounted for 70% of its investigations. The vendor responded to 108 ransomware attacks. Network breach placed second but accounted for only 19% of investigations. However, Sophos deduced a possible link between the two attack types. "While we can't be certain in all cases, there is mounting evidence that many network breaches are indeed unsuccessful ransomware attacks," the report said.

Sophos confirmed known ransomware gangs conducted five of the network breaches it investigated. The vendor also compared network breaches with ransomware attacks by quarter and found that breaches increased when ransomware activity decreased. While 44% of ransomware attack cases involved data exfiltration, Sophos found that 72% of network breach investigations had "no evidence of data exfiltration."

Sophos also tracked the ransomware deployment timelines and found a consistent pattern. Last year, 91% of ransomware payloads were deployed outside of traditional business hours, down just 3% from 2022. Sophos categorized "traditional business hours" as Monday through Friday from 8 a.m. to 6 p.m., but the report noted that data also accounted for countries that don't follow that schedule.

Another consistent trend was ransomware family distribution. Sophos found the LockBit ransomware group continued to be the most prolific gang last year. The report attributed 24 ransomware attacks, or 22% of IR investigations to LockBit. It's difficult to say if LockBit will continue to dominate the landscape throughout 2024. The infamous group was temporarily disrupted by an international law enforcement effort in February. While LockBit operators quickly restored their servers, the gang's attempted comeback has struggled.

John Shier, field CTO of threat intelligence at Sophos, told TechTarget Editorial that the law enforcement action dubbed, "Operation Cronos" was successful in disincentivizing affiliates to join LockBit. Shier said brokers and affiliates have expressed that sentiment on underground forums following the disruption. "LockBit thrived partly due to its scale. Without criminal partners to work with and an erosion of trust we'll hopefully see LockBit continue its downward slide into irrelevance."

LockBit was one of many ransomware groups, including Cuba and Snatch, that have been part of investigations since Sophos published the first Active Adversary report in 2021.

The ransomware gang Akira, which emerged in March 2023, took second place last year, with 12 attacks. Sophos was surprised that Akira outpaced the Alphv/BlackCat ransomware gang, which took third place.

Operators are known to target healthcare organizations, and claimed responsibility for a notable attack against MGM Resorts last year. In December, the U.S. Department of Justice announced that the FBI temporarily disrupted Alphv/BlackCat and developed a decryption tool to help victim organizations, but the group remains active. Alphv/BlackCat actors were behind the massive attack against UnitedHealthcare's Change Healthcare in February.

"Ransomware attacks have reached a stasis point with respect to prevalence, tooling and timelines. Unfortunately, we are also still seeing the same mistakes being made by defenders every year. It's with this in mind that we think organizations need to urgently participate in their own rescue," the report said.