Microsoft has been tracking over 100 threat actors using 50 unique active ransomware families in attacks around the globe.
According to new analysis and tweet by the Microsoft Security Intelligence team, the “ransomware as a service (RaaS) continues to evolve and expand with numerous players bringing varying techniques, goals, and skillsets.”
Some of the threat actors involved in past campaigns are further described by Microsoft:
- DEV-0569: uses malicious ads to distribute Batloader, which then delivers post-exploitation tooling associated with DEV-0846, ultimately leading to the deployment of Royal ransomware.
- DEV-0882: exploits newly patched vulnerabilities, including those in Exchange Server, to deploy Play ransomware
- DEV-0671: exploits newly patched vulnerabilities, including those in Exchange Server, to deploy Cuba ransomware.
- DEV-0243: uses Blister to load embedded Cobalt Strike Beacon payloads (as result of the use of FakeUpdates leading to post-compromise activity).
Moreover, Microsoft said some of the more prominent and recent campaigns include the following ransomware payloads: Lockbit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.
“Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed,” Microsoft added.
The software giant also provided guidance to help protect against ransomware attacks.
- IT supplier of UK NHS impacted by LockBit 3.0 ransomware attack
- FBI: BlackCat ransomware has compromised 60 entities worldwide
- BlackByte Ransomware compromised multiple entities in US critical infrastructure sectors
- Vice Society ransomware gang targets manufacturing firms
- Report: Linux malware and cloud misconfigurations top cybersecurity threats