TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Coveware

Ransomware actors pivot away from major brands in Q2 2024

Bill Siegel · 2024-07-30

ATT&CK techniques detected

24 predictions
T1486 Data Encrypted for Impact (99%)
“group and threaten to post the victim there if they don’t comply. Another long-standing example of this approach is a lone wolf actor/actor group that either can’t or won’t expend the resources to develop encryptors from scratch and resorts to “borrowing” the encryption…”

T1486 Data Encrypted for Impact (98%)
“draws the reader’s attention towards the name, and away from what is important, which are the underlying attack techniques that are often very repetitive between these groups. Ransom payment amounts in Q2 2024: average ransom payment $391,015, +2.4% from Q1 2024; median ranso…”

T1219 Remote Access Tools (98%)
“to communicate with systems under their control within a victim network. Threat actors commonly attempt to mimic normal, expected traffic to avoid detection. While instances of what would be considered “traditional” C2 tooling are still observed (e.g., Cobalt Strike, Impacket…”

T1555.003 Credentials from Web Browsers (98%)
“installation of the applications but the external network destinations to which they attempt to connect. Credential Access [TA0006]: credential access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include k…”

T1486 Data Encrypted for Impact (98%)
“before, but never to such magnitude, so it’s worth discussing why and how this happens. Threat actors are compelled to deliberately rotate ransomware brands or go ‘unaffiliated’ for a variety of reasons, but all reasons lead back to efforts to obfuscate their identity. Here a…”

T1486 Data Encrypted for Impact (97%)
“entities; they don’t last long. Most established threat actors in the ransomware space are attuned to this trend. So how do they balance the aversion to this risk with the desire to pursue a potentially substantial extortion fee? Rather than put their preferred “brand” at ri…”

T1486 Data Encrypted for Impact (96%)
“Phobos 4% -2. Market share of the ransomware attacks: with the elimination of BlackCat/ALPHV and the rapid dissolution of LockBit 3.0 following Q1 and Q2 law enforcement actions against them, we observed a sharp rise in the frequency of lone wolf “unaffiliated” extortion att…”

T1486 Data Encrypted for Impact (93%)
“Ransomware actors pivot away from major brands in Q2 2024. Table of contents: Unaffiliated branding; Payment rates; Types of ransomware; Payment trends; Attack vectors & TTPs; Industries impacted. In the second quarter of 2024, we observed a large increase in attacks that appeared to have unaf…”

T1486 Data Encrypted for Impact (89%)
“with “toxic” ransomware brands. Ransomware payment trends in Q2 2024: in the second quarter of 2024, 36% of clients chose to pay their ransom versus 28% in Q1. This is a marked increase but well within the bands of historical month-to-month volatility. Data exfiltration on…”

T1657 Financial Theft (87%)
“saw a standard distribution of industries impacted by ransomware attacks. The Snowflake data exfiltration campaign demonstrated how cyber extortion continues to be a crime of opportunity. Individual companies are rarely targeted directly, as the majority of ransomware actors purs…”

T1486 Data Encrypted for Impact (86%)
“saw a standard distribution of industries impacted by ransomware attacks. The Snowflake data exfiltration campaign demonstrated how cyber extortion continues to be a crime of opportunity. Individual companies are rarely targeted directly, as the majority of ransomware actors purs…”

T1486 Data Encrypted for Impact (84%)
“companies that fall into that industry as a whole. Ransomware victimology: victim size Q2 2024. While much of the media attention tends to focus on large companies that create major waves of secondary disruption when they get impacted, ransomware still remains a small to mid-m…”

T1048 Exfiltration Over Alternative Protocol (82%)
“the threat actor directly calls an employee, or prompts the employee to call them to resolve a feigned IT issue with the goal of coercing the victim to download a remote access client such as Zoho Assist or Quick Assist. If successful, the threat actor then exfiltrates as much info…”

T1486 Data Encrypted for Impact (82%)
“increasingly concerned about an imminent law enforcement disruption. This past quarter, we saw major disruptions to both BlackCat/ALPHV and LockBit ransomware groups and within a few short weeks of these platforms being compromised/eliminated, we observed statistically signif…”

T1588.001 Malware (74%)
“increasingly concerned about an imminent law enforcement disruption. This past quarter, we saw major disruptions to both BlackCat/ALPHV and LockBit ransomware groups and within a few short weeks of these platforms being compromised/eliminated, we observed statistically signif…”

T1598.004 Spearphishing Voice (68%)
“may also be attributed to shorter dwell times leading to more available forensic artifacts and better log retention covering the timeframe of compromise. Two of our top 3 adversaries this quarter have average dwell times of 24 hours, which is much shorter than prior quarters. Rem…”

T1078 Valid Accounts (61%)
“often use legitimate credentials or those created by the threat actor along with native network and operating system tools, which may be stealthier and harder to track. The usage of internal Remote Desktop Protocol (RDP) remains one of the fastest and most efficient methods for…”

T1566.004 Spearphishing Voice (59%)
“may also be attributed to shorter dwell times leading to more available forensic artifacts and better log retention covering the timeframe of compromise. Two of our top 3 adversaries this quarter have average dwell times of 24 hours, which is much shorter than prior quarters. Rem…”

T1657 Financial Theft (56%)
“before, but never to such magnitude, so it’s worth discussing why and how this happens. Threat actors are compelled to deliberately rotate ransomware brands or go ‘unaffiliated’ for a variety of reasons, but all reasons lead back to efforts to obfuscate their identity. Here a…”

T1657 Financial Theft (52%)
“Phobos 4% -2. Market share of the ransomware attacks: with the elimination of BlackCat/ALPHV and the rapid dissolution of LockBit 3.0 following Q1 and Q2 law enforcement actions against them, we observed a sharp rise in the frequency of lone wolf “unaffiliated” extortion att…”

T1570 Lateral Tool Transfer (45%)
“opportunities. Threat actors more commonly leverage internally staged data that is then packaged and compressed before exfiltrating it from the network. Techniques for getting data out of a target network typically include transferring stolen data over threat actor command and co…”

T1486 Data Encrypted for Impact (45%)
“of Coveware cases with data encryption was actually 89%. Much of the observed encryption in Q2 was VMware ESXi encryption, which has been a favored target of many groups due to the “jackpot” nature of disrupting a virtualized host or cluster of hosts, impacting multiple applic…”

T1078 Valid Accounts (42%)
“may also be attributed to shorter dwell times leading to more available forensic artifacts and better log retention covering the timeframe of compromise. Two of our top 3 adversaries this quarter have average dwell times of 24 hours, which is much shorter than prior quarters. Rem…”

T1585.002 Email Accounts (34%)
“entities; they don’t last long. Most established threat actors in the ransomware space are attuned to this trend. So how do they balance the aversion to this risk with the desire to pursue a potentially substantial extortion fee? Rather than put their preferred “brand” at ri…”

Summary

In Q2 2024, unaffiliated ‘lone wolf’ threat actors carried out a greater share of attacks as they attempted to obfuscate their identity.