Report: Only 8 ransomware groups attacked more than 500 organizations

Kaspersky’s threat intelligence team analyzed the most common tactics, techniques and procedures (TTPs) used by 8 of the most productive ransomware groups during their attacks. The research revealed that different groups share more than half of the cyber death chain and carry out the core stages of an attack identically.

The researchers looked at the activity of Conti / Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups were active in the United States, Great Britain, and Germany, and between March 2021 and March 2022 targeted more than 500 organizations within industries such as manufacturing, software development, and small business.

The observed attacks were often predictable, according to a pattern that included compromising the corporate network or victim’s computer, delivering malware, further discovery, access to faith, deleting shadow copies, removing backups, and finally achieving their goals.

The emergence of a phenomenon called ransomware-as-a-service (RaaS) has helped lead to the similarities in behavior. Under this model, ransomware groups do not produce malware themselves, but only provide the data encryption services. Since the people who deliver malicious files also want to simplify their lives, they use template delivery methods or automation tools to gain access.

The researchers also noted that different groups have reused old and similar tools to make life easier for attackers and reduce the time it takes to prepare for an attack. While it is possible to detect recovered techniques, it is difficult to do so preventively across all possible threat vectors. Organizations can target themselves with slow installation of updates and patches.

Read the full report by Kaspersky.