IBM X-Force has analyzed multiple ransomware attack investigations and shared multiple insights. It analyzed ransomware attacks that occurred between 2019 and 2021 and initial access brokers were leveraged by attackers.
Research on ransomware attacks
The research revealed that the average duration of an enterprise ransomware attack was reduced by 94.34% between 2019 and 2021. In 2019, attacks were taking an average of 1,600 hours, from initial access to ransomware deployment.
- The use of TrickBot as an initial access path for Ryuk deployment resulted in a 90% increase in ransomware attacks.
- In 2020, the average time was reduced to 9.5 days. The continuous evolution of the RaaS model and initial access broker adoption were the key factors of this reduction.
- The average attack time got reduced to 3.85 days in 2021. This reduction was mainly due to large-scale IcedID and BazarLoader campaigns and the broker's relationships with the Conti ransomware.
Key changes from 2020 to 2021
One main reason that increased the speed and efficiency of ransomware attacks in 2020 was the quick exploitation of the ZeroLogon (CVE-2020-1472) flaw to get privileged access to Active Directory and the use of Cobalt Strike as the C2 framework. The trend continued well into 2021, resulting in an accelerated attack pace. - Further, the use of Cobalt Strike continued to increase from 2020 to 2021 and accounted for 50% of interactive session activity.
- One behavioral change observed in 2021 was a decrease in Mimikatz usage and an increase in operators obtaining credentials from the Local Security Authority Subsystem Service (LSASS) process within Windows OS.
Preventive Measures
X-Force disclosed five main security controls to stop the ransomware attack lifecycle, such as implementing MFA and PAM for privileged accounts. Other safety measures include managing service accounts, restricting SMB/RDP/RPC, software execution on domain controllers, and securing administrative systems.