Ransomware Resilience – Proactive Defense Against Ransomware is to Protect Against Behaviors, not Indicators

Created: Thursday, February 2, 2023 - 14:11
Categories:
Cybersecurity, Security Preparedness

With ransomware running rampant, pardon the cliché, it’s only a matter of time before many more organizations fall victim to this money-grubbing menace. Recently, Microsoft tweeted that it is tracking more than 100 threat actors using ransomware in attacks, across over 50 unique active ransomware families, including LockBit, BlackCat (ALPHV), and Play, to name a few. While phishing is still a threat actor fan favorite, it’s not the only technique in town. Multiple ransomware groups are increasingly adopting other initial access techniques, notably malvertising, exploitation of vulnerabilities on devices left unpatched, and fake updates – including some that WaterISAC has been tracking and reporting on (see below for more).

There’s no argument that a comprehensive backup strategy is key to recovering from ransomware. But to proactively defend against this threat in the first place, protecting against the known chain of behaviors has a better chance of staving off an attack than looking for "indicators," which likely won't be detected until after the fact. For example, because many ransomware actors have been exploiting vulnerabilities in systems that remain unpatched – as with the recent Microsoft Exchange vulnerabilities – it’s important for network defenders to maintain awareness of the CVEs that are being exploited and how they relate to their environment. WaterISAC encourages members to visit CISA’s StopRansomware.gov for a comprehensive repository of resources to tackle ransomware more effectively. For more, check out BleepingComputer.

Relevant Reporting from WaterISAC