Quarterly Report: Incident Response trends from Fall 2020

By David Liebenberg and Caitlin Huey


For the sixth quarter in a row, Cisco Talos Incident Response (CTIR) observed ransomware dominating the threat landscape. However, for the first quarter since we began compiling these reports, no engagements that were closed out involved the ransomware Ryuk (though there were engagements that were kicked off this quarter involving Ryuk, but have yet to close). The top ransomware families observed were Maze and Sodinokibi, though barely more than any others, continuing a trend of “democratization” for ransomware families observed in last quarter’s report, in which no one family was dominant. With Maze adversaries’ recent announcement of retirement, the possibility remains that more ransomware groups will step up to fill the void, accelerating this trend.


Besides the drop in Ryuk, we saw a continuing decline in commodity trojans such as Trickbot and Emotet, as ransomware adversaries rely more on open-source tools, the Cobalt Strike framework, and a combination of various living-off-the-land tools and utilities, or “LoLBins.”


The lack of Ryuk is somewhat surprising given recent reports from the U.S. government that indicate adversaries are looking to target health care organizations with Ryuk. Part of this could be related to the timing of these incidents, which occurred toward the end of Q3 2020. We do note that there were several Ryuk cases opened toward the end of the quarter which ..