Report: Only 8 ransomware groups have attacked over 500 organizations

Kaspersky’s threat intelligence team has conducted analysis into the most common tactics, techniques, and procedures (TTPs) used by 8 of the most prolific ransomware groups during their attacks. The research revealed that different groups share more than half of the cyber kill chain and execute the core stages of an attack identically.

The researchers looked at the activity of Conti/Ryuk, Pysa, Clop (TA505), Hive, Lockbit2.0, RagnarLocker, BlackByte and BlackCat. These groups have been active in the United States, Great Britain and Germany, and have targeted over 500 organizations within industries such as manufacturing, software development and small business, between March 2021 and March 2022.

The observed attacks were often predictable, following a pattern that includes compromising the corporate network or victim’s computer, delivering malware, further discovery, credential access, deleting shadow copies, removing backups and finally achieving their objectives.

The emergence of a phenomenon called ransomware-as-a-service (RaaS) has helped lead to the similarities in behavior. Under this model, ransomware groups do not deliver malware by themselves, but only provide the data encryption services. Since the people who deliver malicious files also want to simplify their lives, they use template delivery methods or automation tools to gain access.

The researchers also noted that different groups have been reusing old and similar tools to make life easier for attackers and reduce the time it takes to prepare an attack. Although it is possible to detect recycled techniques, it’s hard to do so preventively across all possible threat vectors. Organizations can make themselves targets with slow installation of updates and patches.

Read the full report by Kaspersky.