Ransomware operators continue to change tactics in their effort to target small and medium-sized businesses (SMBs). That's one of the big take aways from the 2024 Sophos Threat Report, "Cybercrime on Main Street."
The Sophos report found that between 2022 and 2023 the number of ransomware attacks involving remote encryption increased by 62%. These attacks occur when threat actors use an unmanaged device on organizations’ networks to encrypt files on other systems in the network.
Sophos’ MDR team responded to five cyberattacks involving small businesses (less than 500 employees) during 2023 through an exploit in their remote monitoring and management (RMM) software. RMM is a core component of MSP technology stacks. In 2023, more than 75% of customer incident response cases that Sophos’ X-Ops Incident Response service handled were for small businesses.
One recent example is the LockBit ransomware group exploit against ConnectWise ScreenConnect software.
Stolen Data as Currency Grows
According to the Sophos report, nearly 50% of malware detections for SMBs in 2023 were keyloggers, spyware and stealers — malware that attackers use to steal data and credentials. Threat actors use this stolen information to gain unauthorized remote access, extort victims, deploy ransomware and more, Sophos said.
Sophos also wrote about initial access brokers (IABs). These are cybercriminals who specialize in breaking into computer networks. IABs use the dark web to advertise their ability and services to break into SMB networks or sell ready-access to SMBs they’ve already cracked, Sophos said in the report.
Christopher Budd, director of Sophos X-Ops research, said that the value of data as currency has increased exponentially among cybercriminals. He believes this is particularly true for SMBs. SMBs sometimes use a single password for the whole company to access a SaaS service or software application, and that can be a problem in terms of cybersecurity.
As Budd explained, “For example, let’s say attackers deploy an infostealer on their target’s network to steal credentials and then get hold of the password for the company’s accounting software. Attackers could then gain access to the targeted company’s financials and have the ability to funnel funds into their own accounts."
Data Protection: 90% of Attacks Involve Credential Theft
Data protection is the greatest cybersecurity challenge facing small businesses. Sophos found that more than 90% of attacks reported by their customers involve data or credential theft.
Business email compromise (BEC) whereby a cybercriminal overtakes email accounts for the purpose of fraud or other malicious purposes, is also a substantial problem for SMBs, Sophos said. In 2023, Sophos’ Incident Response team identified BEC attacks more often than any other type of incident, with the exception of ransomware.
Sophos cautions that BEC attacks and other social engineering campaigns contain an increasing level of sophistication. No longer are attackers simply sending an email with a malicious attachment. They’re now more likely to target victims by sending a series of conversational emails back and forth or even calling them.
While the number of ransomware attacks against SMBs has stabilized, it continues to be one of the biggest cyberthreats to SMBs. LockBit was the top ransomware gang wreaking havoc, while Akira and BlackCat were second and third, respectively, Sophos said. SMBs also face attacks by lingering older and lesser-known ransomware, such as BitLocker and Crytox, according to the report.
Increasingly, ransomware and other malware developers are using cross-platform languages to build versions for macOS and Linux operating systems and supported hardware platforms, Sophos noted. A Linux variant of Cl0p ransomware was used in a December 2022 attack. Since then, Sophos has seen leaked versions of LockBit ransomware targeting macOS on Apple’s own processor and Linux on multiple hardware platforms.
The Proliferation of Malware-as-a-Service
Sophos continues to spot Malware-as-a-Servic” (MaaS) activities — cybercriminals’ using malware delivery methods provided through underground marketplaces to other threat actors. The good news is that a combination of improvements in platform security and industry and law enforcement intervention has had some impact on MaaS operators, according to Sophos.
Emotet, after a decade of dominance, has receded since its takedown by Europol and Eurojust in January 2021, Sophos said. Qakbot and Trickbot were hit in August 2023, although Qakbot has returned in some limited form and has been largely succeeded by Pikabot and DarkGate. Remote access trojan AgentTesla has moved to the top of the MaaS market.
The Sophos report asserts that criminal syndicates are counting on smaller companies to be less well-defended and to not have deployed modern, sophisticated tools (the sort that an MSSP or MSP could offer as part of their service delivery) to protect their users and assets.