44% of foiled ransomware attacks are caught during lateral movement

Barracuda’s ransomware review of 2023/24 also shows that healthcare remains the top attack target.

Thursday, 22nd August 2024, by Phil Alsop

Barracuda Networks has released new research showing that lateral movement is the clearest sign of an unfolding ransomware attack, catching just under half (44%) of incidents. A quarter (25%) of incidents were detected when the attackers started writing or editing files, and 14% were unmasked by behaviour that didn’t fit with known activity patterns. The findings are included in Barracuda’s annual Threat Spotlight on ransomware, which explores the main ransomware attack patterns over the last 12 months.

The ransomware threat landscape in 2023/24

Barracuda researchers analysed a sample of 200 reported incidents covering August 2023 to July 2024, involving 37 countries and 36 different ransomware groups.

The sample shows that 21% of incidents hit healthcare organisations, up from 18% a year ago, while 15% of reported attacks were against manufacturing and 13% targeted technology companies. Incidents involving education halved from last year’s 18% to account for 9% in 2023/24.

Ransomware for rent

The most prevalent ransomware groups operated ransomware-as-a-service (RaaS) models. These include LockBit, which in the last 12 months was behind one in six, or 18%, of attacks where the identity of the attacker is known.

ALPHV/BlackCat ransomware accounted for 14% of attacks, while Rhysida, a relatively new ransomware group, accounted for 8% of named attacks.

“Ransomware-for-rent attacks can be hard to detect and contain. Different cybercriminal customers can use different tools and tactics to deploy the same payload, resulting in considerable variation,” said Adam Khan, VP, Global Security Operations at Barracuda Networks. “Fortunately, there are tried and tested approaches that most attackers rely on, such as scanning, lateral movement, and malware download. These can trigger security alerts that provide security teams with several opportunities to detect, contain, and mitigate ransomware incidents before they have a chance to fully unfold. This is particularly important in IT environments where not all machines are completely secured.”

Top attack tools and behaviors detected in 2024

According to detection data from Barracuda Managed XDR’s Endpoint Security, in the first six months of 2024 the top indicators of likely ransomware activity include:

· Lateral movement: Just under half (44%) of the ransomware attacks were spotted by detection systems monitoring for lateral movement.

· File modifications: A quarter (25%) were detected by the system that notes when files are being written or modified and analyses them to see if they match any known ransomware signatures or suspicious patterns.

· Off-pattern behavior: 14% were caught by the detection system that identifies abnormal behavior within a system or network. This system learns the typical behavior of users, processes, and applications. When it detects deviations (such as unusual file access, tampering with operating system components, or suspicious network activity), it triggers an alert.

The detailed investigation of a mitigated PLAY ransomware attack targeting a health technology business and an 8base incident hitting a car care company found that attackers try to establish footholds on unprotected devices to launch the next phase of their attack and hide malicious files in rarely used music and video folders.
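The finding about music and video folders translates into a simple hunting check. The sketch below is an added example, not Barracuda's tooling: it sweeps user profile folders named Music or Videos and flags files that carry an executable header or a script/archive extension. The folder names, the extension list and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Folder names to inspect (assumption: default Windows profile folder names).
MEDIA_DIRS = {"music", "videos"}
# Leading bytes of executable formats: Windows PE and Linux ELF.
EXEC_MAGIC = (b"MZ", b"\x7fELF")
# Extensions that do not belong among media files (assumed list, tune per site).
SUSPECT_EXT = {".ps1", ".bat", ".cmd", ".vbs", ".js", ".dll", ".exe", ".7z", ".zip"}

def find_suspect_media_files(profiles_root):
    """Return sorted (path, reason) pairs for non-media content under Music/Videos."""
    hits = []
    for dirpath, _dirs, files in os.walk(profiles_root):
        # Match on path components below the root, so the root's own name is ignored.
        parts = {p.lower() for p in Path(dirpath).relative_to(profiles_root).parts}
        if not parts & MEDIA_DIRS:
            continue
        for name in files:
            path = Path(dirpath) / name
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
            except OSError:
                continue  # locked or unreadable file: skip rather than abort the sweep
            if head.startswith(EXEC_MAGIC):
                # Content check catches binaries renamed to look like media.
                hits.append((str(path), "executable header"))
            elif path.suffix.lower() in SUSPECT_EXT:
                hits.append((str(path), "script/archive extension"))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: a genuine-looking song, a renamed binary, a script."""
    music = Path(root) / "alice" / "Music"
    videos = Path(root) / "alice" / "Videos" / "old"
    docs = Path(root) / "alice" / "Documents"
    for d in (music, videos, docs):
        d.mkdir(parents=True)
    (music / "song.mp3").write_bytes(b"ID3\x03" + b"\x00" * 16)
    (music / "track02.mp3").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)  # PE header, media name
    (videos / "sync.ps1").write_text("# constructed placeholder\n")
    (docs / "setup.exe").write_bytes(b"MZ\x90\x00")  # outside media folders: out of scope

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for path, reason in find_suspect_media_files(tmp):
            print(f"{reason}: {path}")
```

Checking file headers rather than names matters here, because a binary renamed with a media extension would pass an extension-only filter.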

Defense-in-depth

Multiple detection layers are essential in the battle against active threats such as ransomware, where attackers often leverage commercially available tools used legitimately by IT teams and can make real-time adjustments in their behavior and tactics to succeed.

Barracuda recommends multilayered, AI-powered defences, which are key to detecting and remediating advanced attacks to contain and minimise the impact. This should be complemented by robust authentication and access policies, patching, and regular security awareness training for employees.
