Microsoft details threat actors techniques for deploying ransomware

Share post:

Last year, over 100 threat actors carried out ransomware attacks, and the number of active ransomware families used in attacks surpassed 50, with Microsoft security teams tracking each and every one of them.

Microsoft claims that while threat actors continue to rely on phishing for initial access, they have become more reliant on other techniques. The use of malvertising to surface links leading to various first-stage malware that eventually deliver ransomware or other payloads is one of the most common.

In 2022, the most popular ransomware payloads were LockBit Black, BlackCat/ALPHV, Vice Society, Black Basta, Play, and Royal, says Microsoft. It goes on to say that the threat actor DEV-0569, uses malicious ads to distribute Batloader, which then delivers post-exploitation tooling associated with DEV-0846, resulting in the deployment of Royal ransomware.

However, Microsoft stated that defense strategies should prioritize activity chains prior to deployment rather than payloads themselves, in light of the persistent targeting of unpatched servers and devices to facilitate attacks.

Such a technique was observed in the exploitation of Exchange Servers vulnerable to recently patched flaws by DEV-0671 and DEV-0882 in order to enable the deployment of the Cuba and Play ransomware. It used newly patched vulnerabilities, including those in Exchange Server, to deploy the Play and Cuba ransomware, highlighting the importance of applying security patches as soon as possible.

In conclusion, Microsoft says; “Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed. Get insights and guidance for defending against ransomware attacks.”

The sources for this piece include an article in BleepingComputer.

SUBSCRIBE NOW

Related articles

Hackers Plant False Memories in ChatGPT to Steal User Data

A security researcher has uncovered a vulnerability in ChatGPT that could allow hackers to store false information and...

“Octo2” Trojan Targets Bank Accounts by Posing as VPN or Chrome Apps on Android

A new malware variant called “Octo2” is spreading across Android devices by posing as popular apps like NordVPN...

Evilginx – Open source tool can bypass Multi-Factor Authentication (MFA)

Security vendor Abnormal Security is reporting a new cybersecurity tool that is gaining traction among cybercriminals. The tool,...

Kaspersky’s exit from US market frightens some customers

Kaspersky, the Russian cybersecurity firm, has unexpectedly removed its antivirus software from U.S. customers' computers, replacing it with...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways