Ransomware is expanding and diversifying as a threat, making defending against it a harder and more tedious task, new research shows.
Elastic’s second Global Threat Report analyzed more than a billion data points collected over the past twelve months to gain a better overview of the ransomware threat landscape, and found that more than half of all observed malware infections targeted Linux systems.
Furthermore, almost every attack on cloud infrastructure starts with credential theft.
“Very common” ransomware
That said, the majority of malware observed consists of a number of “common” ransomware families, combined with off-the-shelf tools. BlackCat, Conti, Hive, Sodinokibi and Stop have risen to the top of the list as the most common ransomware families, accounting for more than four-fifths (81%) of all ransomware activity.
When it comes to off-the-shelf tools, most threat actors choose Metasploit and Cobalt Strike (5.7% of all signature events). On Windows, these families make up more than two-thirds (68%) of all infection attempts.
About 91% of malware signature events were recorded on Linux endpoints, with Windows accounting for about 6%. To stay out of sight, most threat actors stick to edge devices and other platforms with very low visibility.
Cloud problems
Cloud-based solutions are a whole different story, as Elastic has discovered. Enterprises are migrating from on-premise solutions at an increasing rate, but they are sloppy about it, resulting in misconfigurations, lax access controls, unsecured credentials, and no functioning least-privilege model. All of this is abused by threat actors to compromise environments and deploy malware.
For Amazon Web Services, Elastic found defense evasion (38%), credential access (37%), and execution (21%) as the most common tactics associated with threat detection signals. More than half (53%) of all credential access events involved compromised legitimate Microsoft Azure accounts.
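The lax access controls and missing least-privilege models described above most often show up as IAM policies that grant wildcard actions or resources. The following is an added example, not code from Elastic or from the report, that audits a policy document for those patterns and places an over-broad policy beside a least-privilege rewrite. The bucket name and VPC endpoint id are constructed placeholders.

```python
"""Audit IAM policy documents for wildcard Allow grants and compare an
over-broad policy with a least-privilege rewrite (added example)."""
import json

# Constructed example of an over-permissive inline policy (not from the report).
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:*"], "Resource": "arn:aws:s3:::*"},
        {"Effect": "Deny", "Action": "iam:DeleteUser", "Resource": "*"},
    ],
})

# Constructed least-privilege counterpart: named actions, one bucket, and a
# condition pinning access to a hypothetical VPC endpoint id.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [
            "arn:aws:s3:::example-app-data",
            "arn:aws:s3:::example-app-data/*",
        ],
        "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE0000"}},
    }],
})


def _as_list(value):
    """IAM accepts a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json: str) -> list[dict]:
    """Return one finding per Allow statement that grants wildcard scope.

    Deny statements are skipped: a broad Deny narrows access rather than
    widening it.
    """
    findings = []
    policy = json.loads(policy_json)
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        reasons = []
        if "*" in actions:
            reasons.append("allows every action ('*')")
        elif any(a.endswith(":*") for a in actions):
            reasons.append("allows every action of a service ('svc:*')")
        if "*" in resources:
            reasons.append("applies to every resource ('*')")
        elif any(r.endswith(":*") for r in resources):
            reasons.append("applies to every resource of a service")
        # A wildcard grant with no Condition has nothing narrowing it at all.
        if reasons and "Condition" not in stmt:
            reasons.append("no Condition limits the grant")
        if reasons:
            findings.append({"statement": idx, "reasons": reasons})
    return findings


def verdict(policy_json: str) -> str:
    """One-line summary of the audit result for a policy document."""
    findings = audit_policy(policy_json)
    if not findings:
        return "OK: no wildcard Allow statements"
    return f"RISK: {len(findings)} over-broad statement(s): " + "; ".join(
        f"#{f['statement']} " + ", ".join(f["reasons"]) for f in findings)


if __name__ == "__main__":
    print("broad policy ->", verdict(OVERLY_BROAD_POLICY))
    print("least-privilege ->", verdict(LEAST_PRIVILEGE_POLICY))
```

Object-level wildcards such as `bucket/*` are deliberately left alone: they scope a grant to one bucket's contents, which is the intended shape of a least-privilege statement, while `*` or `svc:*` at the action or resource level hands out the whole account or service.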
“Today’s threat landscape is truly limitless as adversaries turn into criminal enterprises focused on monetizing their attack strategies,” said Jake King, chief security intelligence and technical director at Elastic.
“Open source, commodity malware and the use of AI have lowered the barrier to entry for attackers, but we are also seeing the rise of automated detection and response systems that allow all engineers to better defend their infrastructure. It is a game of cat and mouse and our strongest weapons are vigilance and continued investment in new defense technologies and strategies.”