“Attackers focusing on extortion, data theft, and espionage tend to perform more actions, with pivoting, data harvesting, and exfiltrating being those extra activities,” the researchers wrote. “Attackers who rely on receiving ransomware payments for decryption tend to perform a lower number of actions as they’re basically smashing and grabbing.”
Shifting tactics
Ransomware represented almost 10% of all types of threats that Huntress detected or investigated, with the healthcare, technology, education, manufacturing, and government sectors seeing the highest rates of ransomware incidents. However, it’s worth noting that some of the other threats tracked separately, such as malware or scripts, are often delivery mechanisms for ransomware or are used by initial access brokers who then sell the access to ransomware groups.
For example, Huntress noted a significant spike in the abuse of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn for both gaining and maintaining access to networks. Some ransomware groups have exploited zero-day vulnerabilities in RMM tools in the past.
