Cisco Talos analyzes attack chains, network ransomware tactics

As ransomware continues to be the scourge of enterprise security teams, Cisco’s Talos security intelligence group recently analyzed ransomware groups to identify common techniques and offer recommendations to help security team better protect their businesses.

Cisco Talos reviewed 14 prominent ransomware groups between 2023 and 2024 and studied volume of attacks, impact on customers, and atypical threat actor behavior. Its research includes data from ransomware groups’ public leak sites, Cisco Talos Incident Response (Talos IR), Talos internal tracking efforts, and open-source reporting.

According to its research, “the most prolific ransomware actors prioritize gaining initial access to targeted networks, with valid accounts being the most common mechanism. Phishing for credentials often precedes these attacks, a trend observed across all incident response engagements,” wrote Cisco Talos analyst James Nutland in a blog about the research. “Over the past year, many groups have increasingly exploited known and zero-day vulnerabilities in public-facing applications, making this a prevalent initial access vector.”

Talos spotted some major shifts in the ransomware space over the past year, including “the emergence of multiple new ransomware groups, each exhibiting unique goals, operational structures and victimology. The diversification highlights a shift toward more boutique-targeted cybercriminal activities, as groups such as Hunters International, Cactus and Akira carve out specific niches, focusing on distinct operational goals and stylistic choices to differentiate themselves,” Nutland wrote.

“Key findings indicate that many of the most prominent groups in the ransomware space prioritize establishing initial access and evading defenses in their attack chains, highlighting these phases as strategic focal points. Within the past year, many groups have exploited critical vulnerabilities in public-facing applications, becoming a prevalent attack vector, which we addressed later, indicating an increased need for appropriate security controls and patch management.” 

Common techniques for ransomware players include the disablement and modification of security software such as anti-virus programs, endpoint detection solutions, or security features in the operating system to prevent the detection of the ransomware payload, Nutland wrote. 

To avoid detection, ransomware actors employ “defense evasion methods” such as disabling or modifying security software, including anti-virus programs and endpoint detection solutions. They also often try to disable security features in the operating system to prevent the detection of the ransomware payload,” Nutland wrote. “Adversaries will also often obfuscate malicious software by packing and compressing the code, eventually unpacking itself in memory when executed. They’ll also modify the system registry to disable security alerts, configure the software to execute at startup, or block certain recovery options for users.”

Talos noted a number of additional ransomware trends, including:

• MFA exploits: “Adversaries may send emails containing malicious attachments or URL links that will execute malicious code on the target system, deploying the actors’ tools and malware, and exploiting multi-factor authentication (MFA). There are many ways adversaries hope to bypass MFA, whether because of poor implementation or because they already have valid account credentials. Most notably, we have seen an increasing number of ransomware affiliates attempting to exploit vulnerabilities or misconfigurations in internet-facing systems, such as in legacy or unpatched software.”
• Seeking long-term access: “…actors will look to establish long-term access, ensuring that their operations will be successful even if their initial intrusion is discovered and remediated.  Attackers often use automated malware persistence mechanisms, such as AutoStart execution upon system boot, or modify registry entries. Remote access software tools and create local, domain and/or cloud accounts can also be deployed to establish secondary credentialed access.”
• Enumerating target environments: “Upon establishing persistent access, threat actors will then attempt to enumerate the target environment to understand the network’s structure, locate resources that can support the attack, and identify data of value that can be stolen in double extortion. Using various local utilities and legitimate services, they exploit weak access controls and elevate privileges to the administrator level to progress further along the attack chain.”
• Using network scanner utilities: “We have observed the popular use of many network scanner utilities in conjunction with local operating system tools and utilities (living-off-the-land binaries) like Certutil, Wevtutil, Net, Nltes and Netsh to blend in with typical operating system functions, exploit trusted applications and processes, and aid in malware delivery.”
• Double extortion: “In the shifting focus to a double extortion model, many adversaries collect sensitive or confidential information to send to an external adversary-controlled resource or over some C2 mechanism. File compression and encryption utilities WinRAR and 7-Zip have been used to conceal files for the unauthorized transfer of data, while adversaries often exfiltrate files using the previously mentioned legitimate RMM tools. Custom data exfiltration tools have been developed and used by the more mature RaaS operations, offering custom tooling such as Exbyte (BlackByte) and StealBit (LockBit) to facilitate data theft.”

Earlier this year Talos wrote that bad actors who are perpetrating advanced persistent threat (APT) attacks aren’t just looking to access your network. They want to sneak in and hang around to collect valuable data or lay plans for future attacks. Post-compromise threats are growing, and they’re aimed largely at aging network infrastructure and edge devices that are long past end-of-life stage and may have critical unpatched vulnerabilities.

Some of the things businesses can do to combat ransomware attacks include regularly and consistently applying patches and updates to all systems and software to address vulnerabilities promptly and reduce the risk of exploitation, according to Nutland. “Implement strong password policies that require complex, unique passwords for each account. Additionally, enforce multi-factor authentication (MFA) to add an extra layer of security,” Nutland stated.

Segmenting the network to isolate sensitive data and systems, preventing lateral movement in case of a breach. In addition to utilizing network access control mechanisms such as 802.1X to authenticate devices before granting network access, ensuring only authorized device connections, Nutland wrote.

“Implement a Security Information and Event Management (SIEM) system to continuously monitor and analyze security events, in addition to the deployment of EDR/XDR solutions on all clients and servers to provide advanced threat detection, investigation, and response capabilities,” Nutland wrote.