Introduction
Since the second half of 2023, ransomware groups have increasingly gained initial access by guessing weak credentials on virtual private network (VPN) and gateway accounts, particularly those lacking multifactor authentication (MFA) [1] [2] [4]. The shift away from exploit-driven mass campaigns toward credential abuse has coincided with a rise in ransomware activity and is a significant concern for organizations worldwide.
Description
Ransomware groups have increasingly targeted organizations by exploiting weak credentials on virtual private network (VPN) and gateway accounts that lack multifactor authentication (MFA) [4]. This shift in tactics began in the second half of 2023 and became widespread among ransomware operators and initial access brokers (IABs) throughout 2024 [1]. A leaked ransomware training playbook from an IAB instructed operators to look for default usernames such as "admin" or "test" and to try them with common password combinations to find weak credentials [1], rather than to hunt for zero-day vulnerabilities. Because the technique needs no exploit, only an internet-facing login portal and a guessable account, it is cheap to repeat at scale, and its effectiveness contributed to a significant increase in ransomware activity, particularly in the fourth quarter of 2024 [2].
Unlike 2023, when mass ransomware campaigns were often linked to vulnerabilities in products such as MOVEit and GoAnywhere, 2024 saw no single vulnerability driving widespread attacks [1]. Basic techniques remain effective [1] [3] [4], allowing these groups to actively hunt for and compromise targets [4]. IT services and consulting firms are increasingly targeted because their connections to clients let a single compromise be amplified across many downstream victims [3]. The construction sector, hospitals and healthcare organizations, and government administration continue to face significant threats [2] [3] [4].
Experts stress that robust security measures [1], in particular phishing-resistant MFA (such as FIDO2/WebAuthn or certificate-based authentication, rather than SMS codes or push approvals) on all remote access and email [2], are essential: they remove the cheap credential-guessing path and force attackers back toward costlier techniques. The reports also note the rise of new, smaller ransomware groups, partly a consequence of law enforcement actions against established Ransomware-as-a-Service platforms [3].
Conclusion
The shift in ransomware tactics toward exploiting weak credentials makes the priority for defenders concrete: inventory every internet-facing VPN and gateway login, remove or rename default accounts, and enforce phishing-resistant MFA on all remote access and email. As ransomware groups continue to evolve, organizations must remain vigilant and proactive in their defenses. The emergence of smaller ransomware groups after law enforcement disruption of established platforms underscores that the threat landscape is dynamic and that controls need ongoing review rather than one-time deployment.
References
[1] https://www.infosecurity-magazine.com/news/ransomware-repeatable-access/
[2] https://www.corvusinsurance.com/blog/q4-2024-travelers-cyber-threat-report
[3] https://www.stocktitan.net/news/TRV/travelers-publishes-cyber-threat-report-highlighting-an-increase-in-19d3tze9a6j8.html
[4] https://www.corvusinsurance.com/pressroom/travelers-publishes-q4-2024-cyber-threat-report