The State of Ransomware Heading into 2023

Intel 471 has released its new report, Leading Ransomware Variants Q3 2022. This report highlights how many victims, countries, sectors and industries have been impacted by the 27 different ransomware variants that appeared in Q3 2022. We sat down with Brad Crompton, Intelligence Director at Intel 471, to discuss how the state of ransomware has changed, and how organizations should fortify their defenses heading into 2023.

Brad Crompton, Intel 471

How has the state of ransomware changed in the past year - and more recently this past quarter?

The main state change observed is disgruntled affiliates of ransomware groups leaking content or ransomware builder(s). By doing so these individuals provide a platform from which new ransomware groups can spawn, basing themselves on the skeleton of another. This has resulted in a number of new ransomware variants being observed in Q3 2022. Utilizing leaked source code doesn’t necessarily mean that these new groups will be successful; in fact, the leaking of source code helps blue teamers build better defenses. But the more ransomware groups there are, the bigger the threat to businesses.

We have not observed any specific changes in TTPs utilized by ransomware groups, but as attacks change or intensify, we will possibly witness the emergence of these changes in 2023. These changes will likely come from newer variants of ransomware that exploit vacuums in the market and adapt to ‘mistakes’ made by their predecessors.

Additionally, due to increased law enforcement and CTI researcher activity, we have observed groups constantly seeking to improve their Operational Security (OPSEC) to evade being identified.

What types of organizations are top targets? Has that changed or vastly remained the same?

No organizations are specifically top targets. Most of these groups are opportunistic in nature, meaning that they will often target any organization if they have gained access easily or can gain access easily, either through vulnerabilities or offerings on the cyber underground such as compromised credentials.

What are the common gaps in organizations that you see that make them susceptible to ransomware?

Many organizations are susceptible to ransomware through compromised employee credentials, including compromised Virtual Private Network (VPN) and Remote Desktop Protocol (RDP) solutions. Other gaps identified were:

  • Lack of 2FA/MFA

  • Limited Phishing training/awareness

  • Unpatched vulnerabilities

  • Lack of privileged account management considerations

How should organizations fortify their defenses against ransomware heading into 2023?

The best method of protection is utilizing a CTI vendor or publicly available security advice to identify all of the TTPs employed by ransomware groups and track any changes they make, enabling you to build your defenses around these specific TTPs. However, generally speaking, I would recommend the following:

  • Ensuring multi-factor authentication solutions are in place

  • Having a strong password policy in place that mandates frequent password updates and prevents the reuse of old or similar passwords

  • Monitoring for compromised access to your own organization or third parties

  • Monitoring for insider threats

      • This is likely to increase as individuals seek financial security during a potential global recession

  • Privileged account management

  • Frequent security audits

  • Phishing awareness training for all employees

  • Do not prioritize productivity over security

      • Security often impacts productivity; however, by prioritizing productivity over security you create an opportunity for ransomware groups (or other threat actors) to exploit, leading to a far worse impact than less productivity.
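The password-policy point above (prevent the reuse of old or similar passwords) is the one recommendation in this list that maps directly onto code, so here is an added example of how a password-change handler can enforce it. This is illustrative code written for this page, not Intel 471's or any product's implementation. It assumes the history is kept as salted PBKDF2 hashes (a production system would more likely use bcrypt or argon2), that the user supplies the current password at change time so a similarity check against it is possible, and that the depth, length and similarity thresholds are policy choices chosen here for demonstration.

```python
"""Password history and similarity check (added example, not Intel 471 code).

Rejects a new password when it (a) is too short, (b) repeats any of the last
N passwords, or (c) is only a small variation of the current one, such as
bumping a trailing digit. History never holds cleartext: only salted hashes.
"""
import hashlib
import hmac
import os
from difflib import SequenceMatcher

# Policy thresholds: assumed values for the example, not taken from the page.
HISTORY_DEPTH = 5        # remember the last five passwords
MIN_LENGTH = 12          # minimum length of a new password
MAX_SIMILARITY = 0.8     # reject if >= 80% similar to the current password


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stand-in for bcrypt/argon2 in real deployments."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Bounded list of (salt, hash) pairs for a single account, newest last."""

    def __init__(self, depth: int = HISTORY_DEPTH):
        self.depth = depth
        self._entries = []

    def remember(self, password: str) -> None:
        salt = os.urandom(16)
        self._entries.append((salt, _hash(password, salt)))
        # Drop the oldest entries beyond the configured depth.
        del self._entries[:-self.depth]

    def was_used(self, password: str) -> bool:
        # Re-derive with each stored salt; constant-time compare on the digest.
        return any(
            hmac.compare_digest(_hash(password, salt), digest)
            for salt, digest in self._entries
        )


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1]; compares both the raw strings and their letters-only cores,
    so 'Summer2022!' vs 'Summer2023!' is caught even with the digits changed."""
    def letters(s: str) -> str:
        return "".join(ch for ch in s.lower() if ch.isalpha())

    raw = SequenceMatcher(None, a.lower(), b.lower()).ratio()
    core_a, core_b = letters(a), letters(b)
    core = SequenceMatcher(None, core_a, core_b).ratio() if core_a and core_b else 0.0
    return max(raw, core)


def check_new_password(new: str, current: str, history: PasswordHistory) -> list:
    """Return the list of policy violations; an empty list means the change is allowed."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if history.was_used(new):
        problems.append("reused")
    if similarity(new, current) >= MAX_SIMILARITY:
        problems.append("too_similar")
    return problems


if __name__ == "__main__":
    # Constructed sample account: current password is already in the history.
    hist = PasswordHistory()
    current = "correct-horse-battery-1"
    hist.remember(current)
    for candidate in ("correct-horse-battery-1", "correct-horse-battery-2",
                      "short", "orbital-lighthouse-quartz-9"):
        print(candidate, "->", check_new_password(candidate, current, hist) or "ok")
```

On a successful change the caller should call `remember()` with the accepted password so the rotation window moves forward; the similarity check only ever sees the current password in clear, because that is the one the user has just typed to authorize the change.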
