Cisco Talos analyzed the top 14 ransomware groups of 2023 to 2024 to map their attack chain and highlight their tactics, techniques, and procedures (TTPs). The study also identified the vulnerabilities most commonly exploited by ransomware actors.
The ransomware attack chain typically follows a set pattern. The first step is gaining access to the targeted organization, most often through social engineering such as phishing emails carrying malicious attachments or links; attackers also exploit vulnerabilities or misconfigurations in internet-facing systems. Once inside, the attacker establishes persistence, for example by modifying registry keys such as autorun entries or by creating new accounts.
The next step is to scan the network to identify valuable data to hold for ransom. Attackers use tools to elevate their privileges and move laterally across the network. Sensitive data is then collected and exfiltrated with various tools before the ransomware is deployed, which gives the attacker leverage over the victim even if the encrypted systems can be restored from backups.
In some cases, attackers test the ransomware in the environment before encrypting the network and demanding payment. The three most commonly exploited vulnerabilities were Zerologon (CVE-2020-1472), the FortiOS SSL VPN path traversal flaw (CVE-2018-13379), and the GoAnywhere MFT pre-authentication remote code execution flaw (CVE-2023-0669). The FortiOS and GoAnywhere flaws sit on internet-facing systems and provide initial access; Zerologon, by contrast, lets an attacker who already has network reach to a domain controller reset its machine account password and take over the Active Directory domain.
Cisco Talos also observed notable TTPs shared across ransomware groups, such as obfuscating malicious code, modifying registry settings (the same mechanism used for persistence), and accessing credentials stored in memory, which on Windows typically means reading the LSASS process. To mitigate the ransomware threat, organizations are advised to apply patches promptly, prioritizing internet-facing systems, enforce strict password policies, segment networks, monitor endpoints, and limit their exposure to the internet.
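The "monitor endpoints" advice is only useful if the monitoring looks for the specific TTPs named above. The following is an added example, not code from Cisco Talos or from the article, that runs simple detection logic over constructed endpoint telemetry: it flags Run-key persistence, newly created local accounts, and non-system processes opening LSASS with read access, then correlates hits per host so that an endpoint showing several stages of the chain stands out. The event dictionaries are constructed for this example; their field names loosely follow Sysmon (event IDs 13 and 10) and Windows Security (event ID 4720) but the schema, the LSASS allowlist and the correlation threshold are assumptions for the demo. The MITRE ATT&CK technique IDs in the alerts are the real ones for these behaviours.

```python
"""Toy endpoint detector for three ransomware TTPs: Run-key persistence,
local account creation, and LSASS memory access, plus per-host correlation.
Added example; the telemetry below is constructed, not real logs."""
from collections import defaultdict

# Constructed sample telemetry. Field names mimic Sysmon / Windows Security
# but are a simplified assumption for this example.
SAMPLE_EVENTS = [
    {"host": "WS01", "source": "Sysmon", "event_id": 1,
     "image": "C:\\Windows\\System32\\notepad.exe"},
    # Sysmon 13: registry value set under a Run key -> persistence
    {"host": "WS01", "source": "Sysmon", "event_id": 13,
     "target_object": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchosts",
     "details": "C:\\Users\\Public\\svchosts.exe"},
    # Security 4720: a user account was created
    {"host": "WS01", "source": "Security", "event_id": 4720,
     "target_user": "backup_adm", "subject_user": "jdoe"},
    # Sysmon 10: unexpected process opens LSASS with full access -> credential dumping
    {"host": "WS01", "source": "Sysmon", "event_id": 10,
     "source_image": "C:\\Users\\Public\\procdump64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe",
     "granted_access": "0x1FFFFF"},
    # Sysmon 10: a system process opening LSASS is normal and must not alert
    {"host": "DC01", "source": "Sysmon", "event_id": 10,
     "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe",
     "granted_access": "0x1010"},
]

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Processes that routinely open LSASS on a default install (assumed allowlist).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "msmpeng.exe"}
PROCESS_VM_READ = 0x0010  # the right needed to read another process's memory


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return a list of (technique, host, detail) alerts for the given events."""
    alerts = []
    for e in events:
        src, eid = e.get("source"), e.get("event_id")
        if src == "Sysmon" and eid == 13:
            key = e.get("target_object", "").lower()
            if any(k in key for k in RUN_KEYS):
                alerts.append(("T1547.001 Run-key persistence", e["host"], e.get("details", "")))
        elif src == "Security" and eid == 4720:
            alerts.append(("T1136.001 Local account created", e["host"], e.get("target_user", "")))
        elif src == "Sysmon" and eid == 10:
            if _basename(e.get("target_image", "")) == "lsass.exe":
                caller = _basename(e.get("source_image", ""))
                access = int(e.get("granted_access", "0"), 16)
                if caller not in LSASS_ALLOWLIST and access & PROCESS_VM_READ:
                    alerts.append(("T1003.001 LSASS memory access", e["host"], e.get("source_image", "")))
    return alerts


def correlate(alerts, threshold=2):
    """Hosts on which at least `threshold` distinct techniques fired, sorted.
    Several chain stages on one host is a stronger signal than any single alert."""
    per_host = defaultdict(set)
    for technique, host, _ in alerts:
        per_host[host].add(technique.split()[0])
    return sorted(h for h, techs in per_host.items() if len(techs) >= threshold)


if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(a)
    print("hosts showing multiple chain stages:", correlate(found))
```

In the sample data WS01 trips all three rules while DC01, where only csrss.exe touched LSASS, produces nothing, so the correlation step surfaces exactly the host that warrants an incident-response look. In a real deployment the allowlist and access-mask check are where most tuning happens: EDR agents and some backup tools open LSASS legitimately, and attackers sometimes request narrower rights than PROCESS_ALL_ACCESS.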
Disclosure: The views expressed in this article are those of the author and not necessarily reflective of Trend Micro.