Analysis from Secureworks annual State of The
Threat Report shows ransomware median dwell time has dropped from
4.5 days to less than 24 hours in a year
ATLANTA, Oct. 5, 2023
/PRNewswire/ -- Ransomware is being deployed within one day of
initial access in more than 50% of engagements, says
Secureworks® (NASDAQ: SCWX) Counter Threat Unit™ (CTU™).
In just 12 months the median dwell time identified in the annual
Secureworks State of the Threat Report has freefallen from 4.5 days
to less than one day. In 10% of cases, ransomware was even deployed
within five hours of initial access.
"The driver for the reduction in median dwell time is likely due
to the cybercriminals' desire for a lower chance of detection. The
cybersecurity industry has become much more adept at detecting
activity that is a precursor to ransomware. As a result, threat
actors are focusing on simpler and quicker to implement operations,
rather than big, multi-site enterprise-wide encryption events that
are significantly more complex. But the risk from those attacks is
still high," said Don Smith, VP
Threat Intelligence, Secureworks Counter Threat Unit.
"While we still see familiar names as the most active threat
actors, the emergence of several new and very active threat groups
is fuelling a significant rise in victim and data leaks. Despite
high profile takedowns and sanctions, cybercriminals are masters of
adaptation, and so the threat continues to gather pace," Smith
The annual State of the Threat report examines the
cybersecurity landscape from June
2022 to July 2023. Key
- While some familiar names including GOLD MYSTIC (LockBit), GOLD
BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the
ransomware landscape, new groups are emerging and listing
significant victim counts on "name and shame" leak sites.
The past four months of this reporting period have been the most
prolific for victim numbers since name-and-shame attacks started in
- The three largest initial access vectors (IAV) observed
in ransomware engagements where customers engaged Secureworks
incident responders were: scan-and-exploit, stolen credentials and
commodity malware via phishing emails.
- Exploitation of known vulnerabilities from 2022 and
earlier continued and accounted for more than half of the most
exploited vulnerabilities during the report period.
Most Active Ransomware Groups
The same threat groups continued to dominate in 2023 as in 2022.
GOLD MYSTIC's LockBit remains the head of the pack, with nearly
three times the number of victims as the next most active group,
BlackCat, operated by GOLD BLAZER.
New schemes have also emerged and posted numerous victims.
MalasLocker, 8BASE and Akira (which ranked at number 14) are all
newcomers that made an impact from Q2 2023. 8BASE listed nearly 40
victims on its leak site in June
2023, only slightly fewer than LockBit. Analysis shows that
some of the victims go back as far as mid 2022, although they were
dumped at the same time. MalasLocker's attack on Zimbra servers
from the end of April 2023 accounted
for 171 victims on its leak site in May. The report examines what
leak site activity actually reveals about ransomware attack success
rates — it's not as straightforward as it seems.
The report also reveals that victim numbers per month from
April-July 2023 were the most
prolific since name and shame emerged in 2019. The highest number
of monthly victims ever was posted to leak sites in May 2023 with 600 victims, three times as
many as in May 2022.
Top Initial Access Vectors for Ransomware
The three largest initial access vectors (IAV) observed in
ransomware engagements where customers engaged Secureworks incident
responders were: scan-and-exploit (32%), stolen credentials (32%)
and commodity malware via phishing emails (14%).
Scan-and-exploit involves the identification of vulnerable
systems, potentially via a search engine like Shodan or a
vulnerability scanner, and then attempting to compromise them with
a specific exploit. Within the top 12 most commonly exploited
vulnerabilities, 58% have CVE dates of earlier than 2022. One
(CVE-2018-13379) also made the top 15
most routinely exploited list in 2021 and 2020.
"Despite much hype around ChatGPT and AI style attacks, the two
highest profile attacks of 2023 thus far were the result of
unpatched infrastructure. At the end of the day, cybercriminals are
reaping the rewards from tried and tested methods of attack, so
organizations must focus on protecting themselves with basic cyber
hygiene and not get caught up in hype," Smith continued.
The World of Nation-State Attackers
The report also examines the significant activities and trends
in the behavior of state-sponsored threat groups belonging to
China, Russia, Iran,
and North Korea. Geopolitics
remains the primary driver for state-sponsored threat groups across
China has shifted part of its
attention to Eastern Europe, while
also maintaining a focus on Taiwan
and other near neighbors. It displays a growing emphasis on
stealthy tradecraft in cyberespionage attacks — a change from its
previous "smash-and-grab" reputation. The use of commercial tools
like Cobalt Strike, as well as Chinese open-source tooling,
minimizes risk of attribution and blends with activity from
post-intrusion ransomware groups.
Iran remains focused on
dissident activity, on hindering progress on the Abraham Accords,
and on Western intentions towards renegotiations of nuclear
accords. Iran's main intelligence
services — the Ministry of Intelligence and Security (MOIS or VAJA)
and the Islamic Revolutionary Guard Corp (IRGC) — both use a
network of contractors to support offensive cyber strategies. The
use of personas (impersonating real people or fake created people)
is a key tactic across Iranian threat groups.
The war in Ukraine remained the
focus for Russian activity. This falls into two camps;
cyberespionage and disruption. This year has seen an increase in
the amount of patriotic-minded cyber groups targeting organizations
considered adversaries of Russia.
For gangs, Telegram is the social media/messaging platform of
choice for recruitment, targeting and celebrations of success. The
malicious use of trusted third-party cloud services is frequently
incorporated into Russian threat group operations.
North Korea threat groups fall
into two groups: cyber espionage and revenue generation for the
isolated regime. AppleJeus has been a fundamental tool for
North Korea's financial theft
initiatives, and according to Elliptic, North Korean threat groups
have stolen $2.3 billion USD in
crypto assets between May
2017 and May 2023 (30% of this
State of the Threat Report 2023
This latest State of the Threat Report is the seventh annual
report from Secureworks providing a concise analysis of how the
global cybersecurity threat landscape has evolved over the last 12
months. The information within the report is drawn from the
Secureworks Counter Threat Unit's (CTU) firsthand observations
of threat actor tooling and behaviors and includes real-life
incidents. Our annual threat analysis provides a deep dive insight
into the threats our team has observed on the front line of
The Secureworks State of the Threat Report can be read in full
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that
secures human progress with
Secureworks® Taegis™, a SaaS-based, open
XDR platform built on 20+ years of real-world threat
intelligence and research, improving customers' ability to detect
advanced threats, streamline and collaborate on investigations, and
automate the right actions. Connect with Secureworks
via Twitter, LinkedIn and Facebook
and Read the Secureworks Blog
View original content to download
SOURCE Secureworks, Inc.