Ransomware is threatening more businesses than ever before

News
By Sead Fadilpašić
published

Hackers are exploiting sloppy migration from on-prem to the cloud

security
(Image credit: Shutterstock / binarydesign)

As a threat, ransomware is expanding and diversifying, making defending against it a much harder, tedious task, new research has claimed.

Elastic’s second Global Threat Report analyzed more than a billion data points collected over the last 12 months to get a better overview of the ransomware threat landscape, and found that more than half of all observed malware infections targeted Linux systems.

What’s more, almost every attack on cloud infrastructure starts with credential theft. 

“Highly prevalent” ransomware

That being said, the majority of malware observed is made up of a couple of “highly prevalent” ransomware families, paired with off-the-shelf tools. BlackCat, Conti, Hive, Sodinokibi, and Stop have risen to the very top of the list as the most prevalent ransomware families, making up more than four-fifths (81%) of all ransomware activity.

When it comes to off-the-shelf tools, most threat actors opt for Metasploit and Cobalt Strike (5.7% of all signature events). On Windows, these families make up more than two-thirds (68%) of all infection attempts. 

Around 91% of malware signature events were recorded on Linux endpoints, with Windows making up some 6%. To remain out of sight, most threat actors linger in edge devices, appliances, and other platforms with super low visibility. 

Cloud woes

Targeting cloud-based solutions is an entirely different beast, Elastic has found. Businesses are migrating from on-prem solutions at an increasing pace, but they’re sloppy, which results in various misconfigurations, lax access controls, unsecured credentials, and no functional principle of least privilege models. All of this is being abused by threat actors to compromise the environments and deploy malware. 

For Amazon Web Services, Elastic observed defense evasion (38%), credential access (37%), and execution (21%) as the most common tactics mapped to threat detection signals. More than half (53%) of all credential access events revolved around compromised legitimate Microsoft Azure accounts.

“Today’s threat landscape is truly borderless, as adversaries morph into criminal enterprises focused on monetizing their attack strategies,” said Jake King, head of security intelligence and director of engineering at Elastic. 

“Open source, commodity malware, and the use of AI have lowered the barrier to entry for attackers, but we’re also seeing the rise of automated detection and response systems that enable all engineers to better defend their infrastructures. It’s a cat-and-mouse game, and our strongest weapons are vigilance and the continued investment in new defense technologies and strategies.”

More from TechRadar Pro

Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.