Microsoft details threat actors' techniques for deploying ransomware

February 2, 2023

Last year, over 100 threat actors carried out ransomware attacks, and the number of active ransomware families used in attacks surpassed 50, with Microsoft security teams tracking each and every one of them.

Microsoft claims that while threat actors continue to rely on phishing for initial access, they have become more reliant on other techniques. The use of malvertising to surface links leading to various first-stage malware that eventually deliver ransomware or other payloads is one of the most common.

In 2022, the most popular ransomware payloads were LockBit Black, BlackCat/ALPHV, Vice Society, Black Basta, Play, and Royal, says Microsoft. It goes on to say that the threat actor DEV-0569 uses malicious ads to distribute Batloader, which then delivers post-exploitation tooling associated with DEV-0846, resulting in the deployment of Royal ransomware.

However, Microsoft stated that defense strategies should prioritize activity chains prior to deployment rather than payloads themselves, in light of the persistent targeting of unpatched servers and devices to facilitate attacks.

One such example is the exploitation by DEV-0671 and DEV-0882 of Exchange Servers still vulnerable to recently patched flaws in order to deploy the Cuba and Play ransomware. That these attacks used vulnerabilities for which patches were already available, including those in Exchange Server, highlights the importance of applying security patches as soon as possible.

In conclusion, Microsoft says: “Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed. Get insights and guidance for defending against ransomware attacks.”

The sources for this piece include an article in BleepingComputer.

Jim Love

Jim is an author and podcast host with over 40 years in technology.
