“X-Force recommends organizations properly invest in protection, detection, and response efforts to effectively combat the increasing speed of the attack lifecycle.”
“From these engagements, Sodinikibi/REvil prevailed to be the most common ransomware variant involved,” said Dwyer. “X-Force analysis of the 2020 incidents revealed evidence of initial access was obtained through various initial access malware including IcedID, Gootkit, Valak, TrickBot, QBot, and Dridex, indicating more RaaS affiliates opting to purchase initial access rather than obtaining independently.”
In 2021, the average ransomware attack duration dropped further, to 3.85 days, with researchers observing “significant reductions in both how quickly access was transferred from the broker to the ransomware operator, and how rapidly the ransomware operator was able to obtain privileged access to Active Directory.” This was driven in part by the explosion of Conti’s affiliate program and its relationship with access brokers, and also by large malspam campaigns, including ones involving BazarLoader and IcedID.
The increased speed of ransomware attacks puts further pressure on enterprise security defense teams, reducing the time they have to react once an attack hits. At the same time, researchers found that while enterprises’ detection capabilities increased between 2019 and 2021, this appears to have had little impact in slowing down the ransomware attack lifecycle.
“X-Force discovered that responders were able to recover more alerts within existing security tools (including EDR) over the years between 2019 and 2021, indicating that security tooling has increased in volume and ability to detect ransomware operators prior to deployment of the ransomware, but victims did not build out effective response policies and procedures to act on these detections,” said Dwyer.
Researchers recommended that enterprises adopt five security controls that are “specifically targeted to disrupt the ransomware attack lifecycle.” These include restricting and implementing multi-factor authentication and privileged access management for privileged accounts; prohibiting workstation logon with domain admin credentials; restricting SMB/RDP/RPC for internal communication; implementing managed service accounts; and restricting software execution on domain controllers and secure administrative systems.
“A critical first step within this control is to establish a least privilege model within the organization to prevent privilege escalation and credential harvesting, which is often a critical step in a domain-wide compromise,” said Dwyer. “X-Force recommends all organizations remove local administrator rights for all accounts unless absolutely necessary.”
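As an added illustration of three of the controls listed above (keeping domain admin credentials off workstations, restricting SMB/RDP/RPC between internal hosts, and moving services to managed service accounts) and of the local-administrator audit Dwyer recommends, the following PowerShell is an example written for this article and is not code from X-Force or IBM. It assumes a domain-joined Windows host, an elevated session, the ActiveDirectory RSAT module, and the Windows Firewall with Advanced Security cmdlets; the subnet, host group and account names are constructed placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not X-Force's or IBM's code. Assumes RSAT ActiveDirectory module
# and a domain-joined host. Names and subnets below are constructed placeholders.

# --- Audit: which domain accounts hold local administrator rights on this host,
# --- and are any of them Domain Admins (i.e. a domain-admin logon on a workstation)?
function Get-SuspiciousLocalAdmins {
    # Recursive so nested group membership in Domain Admins is resolved.
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName

    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.PrincipalSource -eq 'ActiveDirectory' } |
        ForEach-Object {
            # Name is DOMAIN\account; keep only the account part for comparison.
            $sam = ($_.Name -split '\\')[-1]
            [pscustomobject]@{
                Member        = $_.Name
                ObjectClass   = $_.ObjectClass
                IsDomainAdmin = ($domainAdmins -contains $sam)
            }
        }
}

# --- Control: restrict SMB/RDP/RPC for internal (workstation-to-workstation) traffic.
# Blocks inbound TCP 445, 3389 and 135 from the workstation subnets on the Domain
# profile. Management hosts should be excluded by a higher-precedence allow rule
# or by keeping them out of $WorkstationSubnets; test before broad rollout.
function Block-WorkstationLateralMovementPorts {
    param(
        [string[]]$WorkstationSubnets = @('10.10.0.0/16')   # constructed placeholder
    )
    $ports = @{ 'SMB' = 445; 'RDP' = 3389; 'RPC endpoint mapper' = 135 }
    foreach ($name in $ports.Keys) {
        New-NetFirewallRule -DisplayName "Block inbound $name from workstations" `
            -Direction Inbound -Protocol TCP -LocalPort $ports[$name] `
            -RemoteAddress $WorkstationSubnets -Profile Domain -Action Block | Out-Null
    }
}

# --- Control: implement managed service accounts.
# A group managed service account (gMSA) has a long, automatically rotated password
# that no human knows, so it cannot be harvested from a tier-0 admin's workstation.
# Requires a KDS root key in the forest (Add-KdsRootKey -EffectiveImmediately, once).
function New-ExampleServiceAccount {
    param(
        [string]$Name      = 'svc-backup',                 # constructed placeholder
        [string]$DnsHost   = 'svc-backup.corp.example',    # constructed placeholder
        [string]$HostGroup = 'BackupServers'               # constructed placeholder
    )
    New-ADServiceAccount -Name $Name -DNSHostName $DnsHost `
        -PrincipalsAllowedToRetrieveManagedPassword $HostGroup
}

# Usage: run the audit first; any row with IsDomainAdmin = True is a finding.
Get-SuspiciousLocalAdmins | Format-Table -AutoSize
```

Run the audit across the fleet from an endpoint-management tool rather than host by host, and treat every `IsDomainAdmin = True` row as a policy violation to remediate (remove the membership, then enforce it with the "Deny log on locally" user right for the Domain Admins group via Group Policy). The firewall function is deliberately scoped to the Domain profile and to inbound traffic from workstation ranges so that server-to-server RPC and administrative RDP from jump hosts keep working.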