There has been an alarming increase in ransomware attacks over the past year, underscoring the need for organizations to implement around-the-clock monitoring and investigation of cyber threats.
The news (and advice) comes via a new report from Malwarebytes, “ThreatDown 2024 State of Ransomware,” which shows significant shifts in the tactics and strategies employed by cybercriminals. Accordingly, Malwarebytes urges security teams to “be smart” about how they allocate their limited time and resources and be vigilant to changes in the threat landscape.
“The ever-evolving and often escalating threat landscape has meant that many organizations are turning to MSPs and MSSPs to help manage their IT and security,” Brian Kane, senior director of global channel at Malwarebytes, told MSSP Alert. “It is essential that these service organizations stay informed of the latest trends and adapt their offerings so they safeguard their customers against cyber threats and scams."
Kane noted that report analyzes the recent trends in ransomware, including threat actors’ focus on specific industries and their preference for launching attacks in the early hours of the morning.
“I advise MSPs and MSSPs to review these tactics, techniques and procedures against their current cybersecurity posture and practices, both for themselves and for their customers,” said Kane, who oversees the Malwarebytes’ MSP and global distribution business supporting alliances around the world along with more than 6,000 MSP customers.
Key Findings From the Report
The U.S. experienced a dramatic 63% increase in ransomware attacks, with the U.K. seeing an even greater rise of 67%. The share of attacks carried out by gangs outside the top 15 increased from 25% to 31%, indicating that ransomware is becoming more accessible to a broader range of cybercriminals, according to the report.
Malwarebytes notes that while attacks are increasing the barrier to entry for new cybercriminals appears to lowering, attacks are getting faster and stealthier. The good news hidden within the bad is that recent changes in ransomware tactics are a response to organizations improving their defenses. As such, EDR can identify attackers before they launch malware and have pushed ransomware gangs to work more quickly and put more effort into hiding themselves.
Malwarebytes founder and CEO Marcin Kleczynski reminded how ransomware gangs have time and motivation on their side.
“They constantly evolve to respond to the latest technologies chasing at their tails,” Kleczynski said in a statement “We've seen this very distinctly over the past year as widespread adoption of technologies like EDR (endpoint detection & response) has helped identify attackers before they launch malware, pushing ransomware gangs to work more quickly and put more effort into hiding themselves. Organizations and MSPs need additional support and continuous coverage to outmaneuver today's criminals."
Other findings from the report include:
- The U.S. accounts for 48% of all ransomware attacks worldwide but suffers 60% of the world's attacks on education and 71% of attacks on healthcare.
- The manufacturing sector saw a staggering 71% year-on-year increase in ransomware attacks, highlighting the need for robust cybersecurity measures in this rapidly digitizing industry.
- Between July 2023 and June 2024, known ransomware attacks increased 33% year-on-year. The growth in attacks was accompanied by a shift away from a small number of big gangs to a larger number of smaller gangs, suggesting that ransomware attacks are becoming easier and the barrier to entry for criminals has been lowered.
- The share of ransomware attacks carried out by gangs outside the top 15 grew from 25% to 31%, while the dominant RaaS group, LockBit, saw its share of the pie shrink, even as it recorded an increase in attacks. Pretenders to the number one position like PLAY, 8Base, and Akira all increased their activity significantly without ever coming close to matching LockBit’s impact
Top 3 Ransomware Trends
The report features insights from Malwarebytes’ ThreatDown MDR team on three key shifts in the tactics and techniques of ransomware gangs:
- Living off the land techniques. Ransomware gangs are increasingly relying on built-in system administration tools to carry out their attacks, making detection and prevention more challenging for teams without a dedicated Security Operations Center (SOC).
- Nighttime attacks. Most ransomware attacks now occur between 1 a.m. to 5 a.m., targeting organizations when IT staff are less likely to be present.
- Faster attack timelines. The entire ransomware attack chain, from initial access to data encryption, has reduced from weeks to mere hours, necessitating rapid detection and response capabilities.
Malwarebytes Debuts Unified Platform
On August 15, Malwarebytes announced support for ARM-based architecture across its ThreatDown suite of endpoint security solutions. This support allows ThreatDown solution customers and partners to fully leverage the improved power and battery life of Windows ARM devices while maintaining robust cybersecurity defenses, the company ssid.
Additionally, Malwarebytes shared new ThreatDown product enhancements for the channel in July, including:
- Security advisor with AI. Malwarebytes AI-powered chat feature for ThreatDown Security Advisor enables users to interact in natural language to quickly identify vulnerabilities, update security measures, and optimize their defense systems without navigating through complex menus.
- Enhanced EDR flight recorder features simplify search. New fields on the Flight Recorder Search (parent process name, parent process path, and file written) enable ThreatDown EDR power users to search on threats in their environment with more granularity, enabling them to perform more efficient and deeper investigations of threats.
- Expanded DNS filtering capabilities streamline blocking. Users can create rules to block top-level domains and block/allow specific IP addresses that are known to be malicious, do not meet compliance standards, or are associated with high-risk geopolitical areas.
- ThreatDown admin app unifies notifications. Notifications are available on the ThreatDown Admin app for all Nebula customers. This release adds a highly requested feature, allowing customers to be notified of any critical incidents from their mobile devices.
- New patch history report bubbles up cybersecurity faps. Unpatched devices continue to be an active entry point for attackers. A new report gives visibility into what OS patches were applied, their status, and some additional information to help users understand cybersecurity gaps.
- Quarantine for MSP reduces one-off tactics. The site selector in the Quarantine page of the multi-tenant console OneView is being removed so that customers can view quarantine events across all sites at once, instead of selecting one site at a time.