Cisco Talos Report: New Trends in Ransomware, Network Infrastructure Attacks, Commodity Loader Malware


The Cisco Talos Year in Review report, released Tuesday, highlights new trends in the cybersecurity threat landscape. We’ll focus on three of the topics covered: the ransomware cybercriminal ecosystem, network infrastructure attacks and commodity loader malware.

More ransomware actors switched to extortion rather than file encryption, while commodity loaders evolved to become stealthier and highly effective, even though major new security improvements arrived in 2023, such as Microsoft Office disabling macros by default. Network devices are increasingly targeted by cybercriminals and state-sponsored threat actors.


The ransomware cybercriminal ecosystem changed

Most targeted vertical

In terms of ransomware, the most targeted vertical observed by Cisco Talos in 2023 was the health care and public health sector, which is not surprising because organizations in that sector often struggle with underfunded cybersecurity budgets and low downtime tolerance (Figure A). In addition, those organizations are attractive targets because they hold protected health information.

Figure A

Chart showing ransomware/pre-ransomware incidents per sector, as observed by Cisco Talos. Image: Cisco Talos

Some ransomware groups have been changing

The most active ransomware group for the second year in a row was LockBit (25.3% of the total number of posts made to data leak sites), followed by ALPHV (10.7%) and Clop (8.2%).

Yet some ransomware groups kept changing in 2023; those structures often merged or rebranded in an attempt to confuse law enforcement and the researchers tracking them. The cybercriminals active in the field often work for several ransomware-as-a-service operations at the same time.

Several leaks of ransomware source code and builders also affected the ransomware threat landscape, because they allowed more people (even those with little technical knowledge) to start their own operations.

Zero-days exploited at an unprecedented pace

Highly technical actors have been exploiting zero-day vulnerabilities at an unprecedented pace. The Clop ransomware group in particular has been able to exploit multiple zero-day vulnerabilities, including vulnerabilities in the GoAnywhere MFT platform, MOVEit and PaperCut.


Cisco Talos states that “Clop’s repeated efforts to exploit zero-day vulnerabilities is highly unusual for a ransomware group given the resources required to develop such capabilities,” yet it is still unclear whether they develop the exploits themselves. When asked about it in an email interview, a Cisco representative told TechRepublic, “Because of the murkiness in the relationships that make up the ransomware ecosystem, it can be difficult to accurately parse out which personnel/organizations are responsible for which actions. Because of this, we do not have direct insight into how Cl0p obtained the 0days and have not observed any indications that they purchased them. Regardless of whether they developed them themselves or purchased them, the usage suggests Cl0p is well-resourced, either in engineering talent or in financial resources and connections that would allow them to acquire from a third party.”

More affiliates are using a data theft extortion model

Another notable shift in the ransomware threat landscape is that more affiliates are now switching to a data theft extortion model instead of the usual encryption model. In these attacks, cybercriminals do not deploy ransomware; instead, they steal organizations’ sensitive information before demanding a ransom.

Improvements in ransomware detection capabilities from Endpoint Detection and Response and Extended Detection and Response software may be one reason for switching strategies and no longer deploying ransomware on the targeted systems. Cisco Talos also suspects that the aggressive pursuit of ransomware actors by U.S. and international law enforcement may be another reason for that change.

Network infrastructure attacks increased

Cisco Talos observed an increase in attacks on networking devices in 2023, particularly attacks operated by China- and Russia-based groups seeking to advance espionage objectives and facilitate stealthy operations against secondary targets. The researchers also observed such activity from other cybercriminals, including initial access brokers and ransomware threat actors.

Weak security on network devices

Networking devices, although critical components of any organization’s IT infrastructure, are rarely analyzed from a security perspective and are often poorly patched, making them an attractive target for cybercriminals. Those devices also typically run non-standard operating systems, which makes exploitation harder for cybercriminals but also leaves the devices unmonitored by standard security solutions.

The typical compromise of those devices starts with threat actors exploiting unpatched vulnerabilities, weak or default credentials, or insecure device configuration.

A Cisco representative told TechRepublic that “the continued prevalence of default credentials may be partially explained by the wide variety of vendors and products combined with the lack of uniform standards/best practices. The move away from default credentials should definitely help improve the situation. It is important to note that weak credentials can also be exploited if the actor is able to brute-force or password-spray, and that access brokers still achieve success in obtaining credentials and selling them on the dark web. This means that even if organizations are not using default credentials, it’s important they create unique and complex passwords, employ MFA where possible, and emphasize additional security measures such as segmentation and IR planning as well.”

Targeted devices had a high severity score

Vulnerabilities affecting network devices in 2023 all had a high severity rating, meaning those devices were easily exploitable and had the potential to cause significant operational impact, according to Cisco Talos.

Once compromised, those devices allow attackers to capture sensitive network information, facilitating further access to the target’s networks. Attackers may also plant malware on the devices to establish an initial foothold in the target’s infrastructure without the need for any authentication, or to redirect network traffic to actor-controlled servers. Finally, the devices are also often used by attackers as anonymization proxies for conducting attacks on other targets.

Commodity loader malware evolved

Commodity loader malware such as Qakbot, Ursnif, Emotet, Trickbot and IcedID have been around for years. They were initially banking trojans, built to steal credit card information from infected computers.

In late 2023, new versions of IcedID and Ursnif appeared with a striking difference compared to their older versions: their banking trojan capabilities had been removed, and their dropper functionalities had been improved. The new IcedID samples have been used by initial access brokers known for commonly selling network accesses to ransomware groups. The latest Ursnif versions were used by the Royal ransomware group.

Qakbot also evolved, releasing new features ideally suited to assisting ransomware groups.

This evolution from banking trojan to loader is attractive for cybercriminals who want to be stealthier; removing the banking trojan functionality makes the malware less detectable.

The infection vector for Qakbot, IcedID and Ursnif evolved, as Microsoft’s new security measures on Office products affected the malware threat landscape, forcing cybercriminals to find new ways to use macros unnoticed or to avoid using them altogether (Figure B).

Figure B

Timeline showing changes in commodity loader tactics, techniques and procedures in response to changing security features. Image: Cisco Talos

Threat actors used different methods compared to previous years for spreading their malware and infecting devices, such as using JavaScript, PowerShell, OneNote documents or HTA files, among others. They also used the Google Ads platform to deliver malware such as Ursnif, IcedID or Trickbot, avoiding macros entirely.

Some other threat actors deploying Emotet, IcedID and Ursnif have been observed using older methods with macros, most likely because the success rate on unpatched corporate legacy systems is still high.

How to protect your company from these cybersecurity threats

The threat landscape evolves to match cybercriminals’ needs, and your security team needs to ensure its mitigation strategies keep up with the trends. Here are some tips for protecting your business from these cyberthreats. In addition, all operating systems and software must be up to date and patched to avoid being compromised by common vulnerabilities.


Access control systems should be carefully reviewed in all corporate environments, and data segmentation should be considered for storing sensitive data, because ransomware threat actors are increasingly trying to steal sensitive data rather than encrypt it.

Network devices

Network devices need to be up to date and patched. Default passwords, if any, must be changed to strong passwords. All of the devices’ configuration files should be carefully reviewed and tuned to prevent any malicious exploitation. When possible, multifactor authentication should be deployed on those devices. Also, inbound and outbound communications from the devices should be monitored to detect malicious communication.
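The brute-force and password-spray activity the Cisco representative describes against network devices leaves a recognizable footprint in device login logs. The following script is an added example, not code from the report or from Cisco Talos: it runs a sliding-window detector over constructed login-failure lines. The log format (`host=... event=... user=... src=...`) and the thresholds are assumptions chosen for illustration; real devices emit vendor-specific syslog, so the regex would need adapting.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed key=value format (not real device output).
# 203.0.113.7 tries many usernames once each (spray); 198.51.100.9 hammers one account (brute force);
# 192.0.2.44 is an ordinary user with one typo.
SAMPLE_LOGS = """\
2023-12-05T10:00:01Z host=edge-rtr-1 event=login_failed user=admin src=203.0.113.7
2023-12-05T10:00:03Z host=edge-rtr-1 event=login_failed user=cisco src=203.0.113.7
2023-12-05T10:00:05Z host=edge-rtr-1 event=login_failed user=operator src=203.0.113.7
2023-12-05T10:00:07Z host=edge-rtr-1 event=login_failed user=netops src=203.0.113.7
2023-12-05T10:00:09Z host=edge-rtr-1 event=login_failed user=backup src=203.0.113.7
2023-12-05T10:00:11Z host=edge-rtr-1 event=login_failed user=svc-monitor src=203.0.113.7
2023-12-05T10:01:00Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:01Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:02Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:03Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:04Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:05Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:06Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:01:07Z host=core-sw-2 event=login_failed user=admin src=198.51.100.9
2023-12-05T10:05:00Z host=core-sw-2 event=login_ok user=jdoe src=192.0.2.44
2023-12-05T11:30:00Z host=edge-rtr-1 event=login_failed user=jdoe src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_failures(log_text):
    """Return failed-login events as (timestamp, host, user, src) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["event"] != "login_failed":
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["host"], m["user"], m["src"]))
    events.sort()
    return events


def analyze(log_text, window=timedelta(minutes=5), spray_users=5, brute_attempts=8):
    """Flag each source IP whose failures inside any `window` look like a spray or a brute force.

    Spray: at least `spray_users` distinct usernames from one source.
    Brute force: at least `brute_attempts` failures against one username from one source.
    Thresholds are assumptions; tune them to the device's real traffic.
    """
    by_src = defaultdict(list)
    for ts, _host, user, src in parse_failures(log_text):
        by_src[src].append((ts, user))

    alerts = {}  # (src, kind) -> alert dict, keeping the largest observed count
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until all events fit inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = Counter(u for _, u in evs[start:end + 1])
            if len(users) >= spray_users:
                key = (src, "password_spray")
                if key not in alerts or alerts[key]["distinct_users"] < len(users):
                    alerts[key] = {"src": src, "kind": "password_spray",
                                   "distinct_users": len(users)}
            user, n = users.most_common(1)[0]
            if n >= brute_attempts:
                key = (src, "brute_force")
                if key not in alerts or alerts[key]["attempts"] < n:
                    alerts[key] = {"src": src, "kind": "brute_force",
                                   "user": user, "attempts": n}
    return sorted(alerts.values(), key=lambda a: (a["src"], a["kind"]))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOGS):
        print(alert)
```

The two detections are deliberately separate because they fail differently: a spray keeps the per-account failure count low enough to dodge lockout policies, so only the distinct-username count reveals it, while a brute force against one account is invisible to a distinct-user check. Feeding both with a centralized syslog export from the devices is what makes the "monitor inbound communications" advice above actionable.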

Commodity loaders

The main families of commodity loaders have dropped their banking trojan capabilities to be lighter and stealthier, even without using macros, typically to facilitate ransomware operations. Organizations should educate their employees to handle more file types with caution, such as PDF files or ZIP archives that might contain malicious files.
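Because the loader delivery chains described above lean on archives carrying JavaScript, HTA, OneNote or shortcut files rather than macro documents, a mail gateway or triage analyst benefits from a quick structural look inside an attachment before a user opens it. The script below is an added example, not code from the report or from Cisco Talos: it inspects a ZIP archive (recursing into nested ZIPs) and reports entries that match the file types named in the article, double extensions that disguise a script as a document, encrypted entries, and path-traversal names. The extension lists are assumptions for illustration, and the sample archive is constructed in memory.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Assumed categories (not from the report): script/shortcut/OneNote types that Windows opens
# directly, macro-enabled Office types, container formats, and document types used as decoys.
RISKY_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".one",
             ".cmd", ".bat", ".exe", ".scr"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
ARCHIVE_EXT = {".zip", ".iso", ".img", ".7z", ".rar"}
DECOY_EXT = {".pdf", ".txt", ".doc", ".docx", ".xlsx", ".jpg", ".png"}


def inspect_zip(data, prefix="", depth=0, max_depth=2):
    """Return a list of (entry_path, reason) findings for a ZIP archive given as bytes.

    Nested ZIPs are opened in memory up to `max_depth` levels; their entries are reported
    as "outer.zip!inner" so the analyst sees where the file actually sits.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            shown = prefix + name
            parts = PurePosixPath(name).parts
            suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
            ext = suffixes[-1] if suffixes else ""

            # Entries that would escape the extraction directory on a naive unzip.
            if name.startswith("/") or ".." in parts:
                findings.append((shown, "path traversal entry name"))
            # Bit 0 of the general-purpose flag marks a password-protected entry;
            # encrypted archives are a common way to get past content scanning.
            if info.flag_bits & 0x1:
                findings.append((shown, "encrypted entry"))
            if ext in RISKY_EXT:
                findings.append((shown, f"script/shortcut payload ({ext})"))
            if ext in MACRO_EXT:
                findings.append((shown, f"macro-enabled document ({ext})"))
            # "Invoice.pdf.js" shows as "Invoice.pdf" when Explorer hides known extensions.
            if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT and ext in RISKY_EXT:
                findings.append((shown, f"double extension disguised as {suffixes[-2]}"))
            if ext in ARCHIVE_EXT:
                findings.append((shown, f"nested archive ({ext})"))
                if ext == ".zip" and depth < max_depth and not (info.flag_bits & 0x1):
                    findings.extend(inspect_zip(zf.read(info), prefix=shown + "!",
                                                depth=depth + 1, max_depth=max_depth))
    return findings


def build_sample_archive():
    """Construct an in-memory ZIP that mimics a loader-style lure (sample data, not a real sample)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("notes.one", b"placeholder OneNote bytes")
        z.writestr("run.hta", b"<html><!-- placeholder --></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Invoice_2023.pdf.js", b"// placeholder script")
        z.writestr("readme.txt", b"benign text")
        z.writestr("attachments.zip", inner.getvalue())
        z.writestr("../evil.lnk", b"placeholder shortcut bytes")
    return outer.getvalue()


SAMPLE_ZIP = build_sample_archive()

if __name__ == "__main__":
    for path, reason in inspect_zip(SAMPLE_ZIP):
        print(f"{path}: {reason}")
```

Findings are returned rather than acted on so the same routine can feed a quarantine decision, a SIEM event, or the user-awareness examples the paragraph above recommends. It deliberately never extracts to disk or executes anything, which is what keeps it safe to run on suspicious attachments.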

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

