A new report reveals that ransomware is being deployed within one day of initial access in more than 50% of engagements. Within 12 months, the median dwell time identified in the annual Secureworks State of the Threat Report has fallen sharply, from 4.5 days to less than one day. In 10% of cases, ransomware was deployed within five hours of initial access.
The annual State of the Threat report examines the cybersecurity landscape from June 2022 to July 2023.
Other key report highlights
- While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPHV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on “name and shame” leak sites.
- The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit, stolen credentials and commodity malware via phishing emails.
- Exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the report period.
Most active ransomware groups
The same threat groups continued to dominate in 2023 as in 2022. GOLD MYSTIC’s LockBit remains at the head of the pack, with nearly three times as many victims as the next most active group, BlackCat, operated by GOLD BLAZER.
New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023. 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit. Analysis shows that some of the victims go back as far as mid-2022, although they were dumped at the same time. MalasLocker’s attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May.
The report also reveals that the four months from April to July 2023 were the most prolific for victim numbers since name and shame emerged in 2019. The highest number of monthly victims ever was posted to leak sites in May 2023, with 600 victims, three times as many as in May 2022.