Ransomware: A global target for educational institutions


Ransomware slipped from the top spot for most observed attacks only in Q2. In Q3, the Cisco Talos report finds that, for the first time, education is the sector hardest hit by cyberattacks, with ransomware the leading threat.

According to Cisco Talos Incident Response (CTIR) analysis, ransomware returned to the top of all cyberattacks in the third quarter of 2022. As in the first quarter, extortion attempts were the most common attack method. In addition to well-known ransomware families such as Hive and Vice Society, newer variants such as Black Basta were used. There has also been a change in the sectors most affected: education has replaced the telecommunications sector.

Attack List: Education then Finance

Talos, one of the world's largest commercial threat intelligence organizations, has released its quarterly threat assessment for the third quarter of 2022. According to this, attackers most often targeted the education sector, closely followed by finance, government and energy.

"For the first time in 2022, the telecom sector was no longer the most attacked industry," said Holger Unterbrink, technical leader at Cisco Talos in Germany. "This could indicate that companies around the world have significantly increased their protective measures and are therefore less lucrative targets for attackers. Currently, the education system, the public sector and energy suppliers have to strengthen their defenses, especially through multi-factor authentication and threat detection solutions."

Old and new ransomware

Image (Cisco): In the third quarter of the Talos report, ransomware is again the No. 1 attack threat.

In the third quarter, Talos increasingly observed attacks via the well-known ransomware families Hive and Vice Society. Vice Society was used disproportionately often for cyberattacks on educational institutions, as illustrated by a case from Austria. By analyzing the event logs, Talos security researchers found numerous attempts by an infected host to connect to other parts of the network via the Remote Desktop Protocol (RDP). This indicated so-called lateral movement by the attackers: the attempt, from a compromised system, to find credentials with access rights on client computers, which can then be used to move across the network.

Talos also found indicators of the use of the remote access tools AnyDesk and TeamViewer, with over 50 systems accessing TeamViewer-related URLs. At the same time, a Windows Defender exclusion for the execution of "AnyDesk.exe" was added through the SYSTEM account.
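As an added example (not from the Talos report or this article), the following Python sketch shows the kind of correlation a defender could run over endpoint telemetry to surface the two indicators described above: a single host opening RDP connections to many internal peers, and a Defender path exclusion for a remote-access tool being added under the SYSTEM account. The event records, field names, host names and the fan-out threshold are constructed assumptions; the exclusion message is modelled on the format of Defender configuration-change events.

```python
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts and addresses): simplified
# Sysmon-style network events (event_id 3) and a Defender configuration
# change (event_id 5007) adding a path exclusion as SYSTEM.
SAMPLE_EVENTS = [
    {"event_id": 3, "host": "ws-lab-07", "dest_ip": "10.20.0.11", "dest_port": 3389},
    {"event_id": 3, "host": "ws-lab-07", "dest_ip": "10.20.0.12", "dest_port": 3389},
    {"event_id": 3, "host": "ws-lab-07", "dest_ip": "10.20.0.13", "dest_port": 3389},
    {"event_id": 3, "host": "ws-lab-07", "dest_ip": "10.20.0.14", "dest_port": 3389},
    {"event_id": 5007, "host": "ws-lab-07", "user": "NT AUTHORITY\\SYSTEM",
     "message": "New value: HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\Exclusions"
                "\\Paths\\C:\\Users\\Public\\AnyDesk.exe = 0x0"},
    # Benign baseline: an admin jump host reaching a single server over RDP.
    {"event_id": 3, "host": "admin-jump", "dest_ip": "10.20.0.50", "dest_port": 3389},
]

RDP_PORT = 3389
RDP_FANOUT_THRESHOLD = 3          # distinct RDP targets per host (assumed tuning value)
REMOTE_TOOLS = ("anydesk.exe", "teamviewer.exe")


def analyze(events):
    """Return {host: [reasons]} for hosts showing RDP fan-out and/or a Defender
    exclusion that names a remote-access tool."""
    rdp_targets = defaultdict(set)   # host -> distinct RDP destination IPs
    exclusions = defaultdict(list)   # host -> (user, message) of suspicious exclusions
    for e in events:
        if e["event_id"] == 3 and e.get("dest_port") == RDP_PORT:
            rdp_targets[e["host"]].add(e["dest_ip"])
        elif e["event_id"] == 5007 and "Exclusions\\Paths" in e.get("message", ""):
            msg = e["message"].lower()
            if any(tool in msg for tool in REMOTE_TOOLS):
                exclusions[e["host"]].append((e.get("user"), e["message"]))
    findings = {}
    for host in set(rdp_targets) | set(exclusions):
        fanout = len(rdp_targets.get(host, ()))
        excl = exclusions.get(host, [])
        reasons = []
        if fanout >= RDP_FANOUT_THRESHOLD:
            reasons.append(f"RDP fan-out to {fanout} internal hosts")
        if excl:
            reasons.append(f"{len(excl)} Defender exclusion(s) for remote-access tools")
        if reasons:
            findings[host] = reasons
    return findings
```

A host that triggers both reasons, as ws-lab-07 does here, matches the combination Talos describes and is the one to isolate and investigate first.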

Black Basta ransomware at the forefront

In addition to well-known ransomware families, the new variant Black Basta, which first appeared in April 2022, was also increasingly used. Its deployment was prepared, for example, by Qakbot activity that used thread hijacking and password-protected ZIP files. In an attack on a US company, the attackers probably first sent a phishing email with an HTML attachment. When opened, it ran JavaScript that downloaded a malicious ZIP file. This in turn installed the Qakbot Trojan, which the attackers used to launch the Black Basta ransomware. The double extortion technique built on this is particularly perfidious: if the victim does not pay a ransom for their encrypted files, the sensitive information that was collected is at risk of being published.

The Talos results make it clear that the threat posed by ransomware has not been averted. For the first time, the report recorded an equal number of ransomware and pre-ransomware cases in Q3, which together accounted for nearly 40 percent of threats. Pre-ransomware activity prepares the ground for a later ransomware deployment, as in the Black Basta case described above.

While each chain of activity leading up to a ransomware deployment is unique, there are commonalities. These include host enumeration, credential gathering and privilege escalation. Even if no ransomware is deployed later, the attacker may already have stolen enough data to cause significant damage.

More at Cisco.com
About Cisco

Cisco is the world's leading technology company that makes the Internet possible. Cisco is opening new possibilities for applications, data security, infrastructure transformation and the empowerment of teams for a global and inclusive future.