Microsoft: RaaS attacks continue to evolve and expand

Microsoft has been tracking over 100 threat actors using 50 unique active ransomware families in attacks around the globe.

According to a new analysis and tweet by the Microsoft Security Intelligence team, “ransomware as a service (RaaS) continues to evolve and expand with numerous players bringing varying techniques, goals, and skillsets.”

Some of the threat actors involved in past campaigns are further described by Microsoft:

  • DEV-0569: uses malicious ads to distribute Batloader, which then delivers post-exploitation tooling associated with DEV-0846, ultimately leading to the deployment of Royal ransomware.
  • DEV-0882: exploits newly patched vulnerabilities, including those in Exchange Server, to deploy Play ransomware.
  • DEV-0671: exploits newly patched vulnerabilities, including those in Exchange Server, to deploy Cuba ransomware.
  • DEV-0243: uses Blister to load embedded Cobalt Strike Beacon payloads (as a result of the use of FakeUpdates leading to post-compromise activity).

Moreover, Microsoft said some of the more prominent and recent campaigns include the following ransomware payloads: LockBit Black, BlackCat (aka ALPHV), Play, Vice Society, Black Basta, and Royal.

“Even as they evolve, ransomware attacks continue to rely on common security weaknesses that allow them to succeed,” Microsoft added.

The software giant also provided guidance to help protect against ransomware attacks.
