CyberProof’s CTI team conducted an in-depth analysis of ransomware attacks launched by major ransomware operators in 2021. We documented the Tactics, Techniques, and Procedures (TTPs) and tools that were used as well as the CVEs that threat actors exploited in their cyber attacks.
Using this data, we rated the most common MITRE ATT&CK techniques and tools used by ransomware operators, as well as the vulnerabilities that they exploited.
Our latest report, “Understanding the Ransomware Threat,” breaks down how the ransomware business works. It explains the growing threat ransomware poses to organizations, provides a historical overview of how ransomware developed, and rates the TTPs that threat actors use most frequently in large-scale attacks. It also explores the business impact of ransomware, and what we can anticipate happening in the future. Here are some of the highlights of the report:
Behind the Scenes – Ransomware in 2022 Is a Highly Orchestrated Business
CyberProof’s CTI team explored the various roles that have evolved in the ransomware business and allowed it to expand and develop. Today, there are several different roles in the ransomware business including:
- Ransomware operator – Core member of the ransomware operation; develops payloads, performs reconnaissance on potential victims, and negotiates with victims after the attack
- Ransomware affiliate – Carries out the attack, cooperating with other groups and vendors to share capabilities, malware, tools, and infrastructure
- Initial access broker – Provides ransomware operators with a first foothold within an organization’s network
Most Common Ransomware Attack Patterns & Techniques
CyberProof’s team used the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework to evaluate which techniques were most common in major ransomware operations. Each of these techniques is described in greater detail in the report.
Understanding which techniques are most commonly used by ransomware operators can offer insight into how we can improve our threat detection and what we can expect to see in future attacks.
Most Common Attack Vectors
CyberProof’s team researched how threat actors conducting ransomware attacks obtain initial access to a victim’s network.
We concluded that the most common attack vectors are phishing, vulnerability exploits, and external services. (These are explored further in CyberProof’s report.)
Note that for each of these attack vectors, entry points to the victim’s network can be obtained as part of the operation or purchased from initial access brokers.
How to Protect Your Organization from Ransomware
Today, attackers have learned to leverage more complex ransomware methods that include triple extortion attacks and attacks on the supply chain and IT infrastructure. These approaches increase the effectiveness of the attacks and cause even more damage, which means you’ll need an even more sophisticated threat detection solution.
To protect your organization from the growing risk of ransomware attacks, make sure to prioritize the techniques commonly used by the most powerful ransomware operations, as presented in CyberProof’s report. In addition, put the necessary processes in place to support rapid detection of any ransomware-related activities.
If you’d like to learn more about how ransomware works and how you can protect your organization from cyber attacks and improve your threat detection and response processes, download the report.